NIST Updates Industrial Control Systems Security Guide |

NIST Updates Industrial Control Systems Security Guide

June 9, 2015 - The National Institute of Standards and Technology (NIST) issued the second revision to its Guide to Industrial Control Systems (ICS) Security. It includes new guidance on how to tailor traditional IT security controls to accommodate unique ICS performance, reliability and safety requirements, as well as updates to sections on threats and vulnerabilities, risk management, recommended practices, security architectures and security capabilities and tools.

The guide also references ISA/IEC-62443, a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Control Systems (ICS). These documents were originally referred to as ANSI/ISA-99 or ISA99 standards, as they were created by the International Society for Automation (ISA) and publicly released as American National Standards Institute (ANSI) documents. In 2010, they were renumbered to be the ANSI/ISA-62443 series. This change was intended to align the ISA and ANSI document numbering with the corresponding International Electrotechnical Commission (IEC) standards.

Downloaded more than 3 million times since its initial release in 2006, the ICS security guide advises on how to reduce the vulnerability of computer-controlled industrial systems to malicious attacks, equipment failures, errors, inadequate malware protection and other threats.

ICS encompass the hardware and software that control equipment and the information technologies that gather and process data. They are commonly used in factories and by operators of electric utilities, pipelines and other major infrastructure systems.

Most ICS began as proprietary, stand-alone collections of hardware and software that were walled off from the rest of the world and isolated from most external threats. Today, widely available software applications, Internet-enabled devices and other nonproprietary IT offerings have been integrated into most such systems. This connectivity has delivered many benefits, but it also has increased the vulnerability of these systems. Cybersecurity threats to ICS can pose significant risks to human health and safety, the environment, and business and government operations.

Due to unique performance, reliability and safety requirements, securing ICS often requires adaptations and extensions to NIST-developed security standards and guidelines commonly used to secure traditional IT systems.

A significant addition in this revision is a new ICS overlay offering tailored guidance on how to adapt and apply security controls and control enhancements detailed in the 2013 comprehensive update of Security and Privacy Controls for Federal Information Systems and Organizations (NIST Special Publication 800-53, revision 4) to ICS. SP 800-53 contains a catalog of security controls that can be customized to meet specific needs stemming from an organization's mission, operational environment, or the particular technologies used. Using the ICS overlay, utilities, chemical companies, food manufacturers, automakers and other ICS users can adapt and refine these security controls to address their specialized security needs.

NIST SP 800-82, Revision 2, Guide to Industrial Control System (ICS) Security, can be downloaded from the NIST Computer Security Resource Center or