NIST Briefing: ICS Cybersecurity Guidance – NIST SP 800-82, Guide to ICS Security
Keith Stouffer
Mechanical Engineer
Engineering Laboratory
August 28, 2013
Industrial Control Systems (ICS) Overview
• Industrial Control Systems (ICS) is a general term that encompasses several types of control systems including:
– Supervisory Control and Data Acquisition (SCADA) systems
– Distributed Control Systems (DCS)
– Other control system configurations such as Programmable Logic Controllers (PLC)
• ICS are specialized Information Systems that physically interact with the environment
• Many ICS are components of the Critical Infrastructure
SCADA Examples
SCADA systems are used in the electricity sector, oil and gas pipelines, water utilities, transportation networks and other applications requiring remote monitoring and control.
DCS Examples
Manufacturing
Electric Power Generation
Refineries
Comparing Information Systems
and Industrial Control Systems
Different Performance Requirements
Information Systems | Industrial Control
Non-Realtime | Realtime
Response must be reliable | Response is time critical
High throughput demanded | Modest throughput acceptable
High delay and jitter accepted | High delay and/or jitter is a serious concern
Comparing Information Systems
and Industrial Control Systems
Different Reliability Requirements
Information Systems | Industrial Control
Scheduled operation | Continuous operation
Occasional failures tolerated | Outages intolerable
Beta testing in the field acceptable | Thorough testing expected
Comparing Information Systems
and Industrial Control Systems
Different Risk Management Requirements: Delivery vs. Safety
Information Systems | Industrial Control
Data integrity paramount | Human safety paramount
Risk impact is loss of data, loss of business operations | Risk impact is loss of life, equipment or product, environmental damage
Recover by reboot | Fault tolerance essential
These differences can create large differences in acceptable security practice
Why Secure ICS?
The recent Executive Order No. 13636, National Infrastructure Protection Plan (NIPP) and other documents including GAO-04-354 cite industrial control systems as critical points of vulnerability in America's utilities and industrial infrastructure... “…Successful attacks on control systems could have devastating consequences, such as endangering public health and safety.”
Electric power — Water — Oil & Gas
Chemicals — Pharmaceuticals
Mining, Minerals & Metals
Pulp & Paper — Food & Beverage
Consumer Products
Discrete Manufacturing (automotive, aerospace, durable goods)
ICS Security Challenges
• Real time constraints - IT security technology can impact timing and inhibit performance (response times are on the order of ms to s)
• Balancing of performance, reliability, flexibility, safety and security requirements
• Difficulty of specifying requirements and testing capabilities of complex systems in operational environments
• Security expertise and domain expertise are both required, but are often separated
ICS Security Standards and Guidelines Strategy
• Add control systems domain expertise to:
– Already available Information Security Risk Management Framework
– Provide workable, practical solutions for control systems – without causing more harm than the incidents we are working to prevent
• This expertise takes the form of specific cautions, recommendations & requirements for application to control systems - throughout both technologies and programs
– NIST SP 800-82 Guide to Industrial Control System (ICS) Security
– ICS Overlay for NIST SP 800-53, Rev 4 security controls
NIST SP 800-82
• Guide to Industrial Control Systems Security
– Provides guidance for establishing secure ICS, including implementation guidance for SP 800-53 controls
• Content
– Overview of ICS
– ICS Characteristics, Threats and Vulnerabilities
– ICS Security Program Development and Deployment
– Network Architecture
– ICS Security Controls
– Appendixes
• Current Activities in Industrial Control Systems Security
• Emerging Security Capabilities
• ICS in the FISMA Paradigm
• Downloaded over 2,500,000 times since initial release and heavily referenced by the public and private industrial control community
Major ICS Security Objectives
• Restricting logical access to the ICS network and network activity
– This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
• Restricting physical access to the ICS network and devices
– Unauthorized physical access to components could cause serious disruption of the ICS’s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.
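As an added illustration of the logical-access objective above (example code, not from the briefing or from NIST), the following Python script audits a firewall rule set for two conditions: allow rules that join the corporate network to an ICS zone without terminating in the DMZ, and allow rules that jump more than one layer of the topology at once. The zone order, the Rule structure and the sample rules are constructed for this example, and the "adjacent layers only" check is an assumption made here, not a requirement stated in SP 800-82.

```python
"""Audit a zone-based firewall rule set against the DMZ segmentation objective."""
from dataclasses import dataclass

# Zones ordered from least to most trusted; this ordering is an assumption
# made for the example, not a layout prescribed by SP 800-82.
ZONES = ("corporate", "dmz", "control", "safety")
ICS_ZONES = frozenset({"control", "safety"})


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str  # "allow" or "deny"

    def crosses(self, a, b):
        """True if this rule connects zone set a and zone set b in either direction."""
        return (self.src in a and self.dst in b) or (self.src in b and self.dst in a)


def direct_corporate_ics_flows(rules):
    """Allow rules that connect the corporate network to an ICS zone without
    terminating in the DMZ: the traffic path SP 800-82 says to prevent."""
    return [r for r in rules if r.action == "allow" and r.crosses({"corporate"}, ICS_ZONES)]


def layer_skipping_flows(rules):
    """Allow rules that jump more than one layer (e.g. DMZ straight to the safety
    layer), bypassing the intermediate, more trusted layer (assumed policy)."""
    return [
        r for r in rules
        if r.action == "allow" and abs(ZONES.index(r.src) - ZONES.index(r.dst)) > 1
    ]


def audit(rules):
    """Return both findings lists keyed by check name."""
    return {
        "direct_corporate_ics": direct_corporate_ics_flows(rules),
        "layer_skipping": layer_skipping_flows(rules),
    }


# Constructed sample rule set for the demonstration.
SAMPLE_RULES = [
    Rule("corporate", "dmz", 443, "allow"),      # users read the DMZ historian
    Rule("dmz", "control", 502, "allow"),        # DMZ historian polls controllers
    Rule("corporate", "control", 502, "allow"),  # finding: bypasses the DMZ entirely
    Rule("dmz", "safety", 22, "allow"),          # finding: skips the control layer
    Rule("corporate", "safety", 0, "deny"),      # explicit deny, never flagged
]

if __name__ == "__main__":
    for check, hits in audit(SAMPLE_RULES).items():
        print(check, [(r.src, r.dst, r.port) for r in hits])
```

The script treats the rule set as declarative data, so the same checks can be run against an export from a real firewall once its rules are mapped onto named zones; the "deny" entry shows that only permitted paths are ever reported.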
Major ICS Security Objectives
• Protecting individual ICS components from exploitation
– This includes deploying security patches in as expeditious a manner as possible, after testing them under field conditions; disabling all unused ports and services; restricting ICS user privileges to only those that are required for each person’s role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware.
• Maintaining functionality during adverse conditions
– This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks, and does not cause another problem elsewhere, such as a cascading event.
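Added example (not code from the briefing or from NIST): a minimal file integrity checker of the kind the "file integrity checking software" bullet refers to. It records SHA-256 digests for every file under a directory, then compares a later snapshot against that baseline and reports files that were added, removed or modified. The directory contents built in demo(), standing in for an operator workstation's program folder, are constructed for the demonstration.

```python
"""Baseline-and-compare file integrity check using SHA-256 digests."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file (path relative to root, POSIX form) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):  # stream large files
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Classify every difference between a stored baseline and a fresh snapshot."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo():
    """Create a throwaway directory (constructed content), baseline it, make three
    kinds of change, and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hmi.exe").write_bytes(b"original hmi binary")
        (root / "cfg").mkdir()
        (root / "cfg" / "tags.xml").write_bytes(b"<tags/>")
        (root / "readme.txt").write_bytes(b"docs")
        baseline = snapshot(root)

        (root / "hmi.exe").write_bytes(b"altered hmi binary")   # modification
        (root / "cfg" / "tags.xml").unlink()                     # removal
        (root / "unexpected.dll").write_bytes(b"new file")       # addition
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline dictionary would be written out after a known-good install and kept off the monitored host, and compare() would run on a schedule; the structure above also makes it easy to allow-list paths that legitimately change, such as log directories.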
NIST SP 800-82, Rev 2
• NIST SP 800-82, Rev 2 is a major update
– Updates to ICS threats and vulnerabilities
– Updates to ICS risk management, recommended practices and architectures
– Updates to current activities in ICS security
– Updates to security capabilities and technologies for ICS
– Additional alignment with other ICS security standards and guidelines
• New tailoring guidance for NIST SP 800-53, Rev 4 security controls including introduction of overlays
• ICS overlay for NIST SP 800-53, Rev 4 security controls that will provide tailored security control baselines for Low, Moderate, and High impact ICS
ICS Tailoring Guidance for NIST SP 800-53 Controls - History
• NIST SP 800-53, Revision 2 Appendix I – Industrial Control Systems Security Controls, Enhancements, and Supplemental Guidance, 2007
• NIST SP 800-82, Rev 1 Appendix G – Industrial Control Systems Security Controls, Enhancements, and Supplemental Guidance, May 2013
• NIST SP 800-82, Rev 2 Appendix G - ICS overlay for NIST SP 800-53, Rev 4 security controls that will provide tailored security control baselines for Low, Moderate, and High impact ICS
NIST SP 800-53 Security Baselines
• LOW Baseline - Selection of a subset of security controls from the master catalog consisting of basic level controls
• MOD Baseline - Builds on LOW baseline. Selection of a subset of controls from the master catalog—basic level controls, additional controls, and control enhancements
• HIGH Baseline - Builds on MOD baseline. Selection of a subset of controls from the master catalog—basic level controls, additional controls, and control enhancements
• Categorization based on the potential level of impact if the Availability, Integrity or Confidentiality of the system or information on the system is compromised.
Low Impact System
ICS Impact Level Definitions
• Low Impact ICS
– Product Examples: Non-hazardous materials or products, Non-ingested consumer products
– Industry Examples: Plastic Injection Molding, Warehouse Applications
– Security Concerns: Protecting people, Capital investment, Ensuring uptime
Moderate Impact Systems
ICS Impact Level Definitions
• Moderate Impact ICS
– Product Examples: Some hazardous products and/or steps during production, High amount of proprietary information
– Industry Examples: Automotive Metal Industries, Pulp & Paper, Semi-conductors
– Security Concerns: Protecting people, Trade secrets, Capital investment, Ensuring uptime
High Impact System
High Impact System !!!
ICS Impact Level Definitions
• High Impact ICS
– Product Examples: Critical Infrastructure, Hazardous Materials, Ingested Products
– Industry Examples: Utilities, PetroChemical, Food & Beverage, Pharmaceutical
– Security Concerns: Protecting human life, Ensuring basic social services, Protecting environment
World Record High Impact System
NIST SP 800-82, Rev 2 Schedule
• NIST will collaborate with the public and private sectors over the next year to produce SP 800-82, Rev 2
• Two drafts for public comment are expected
– First public draft expected early 2014
– Final public draft expected summer 2014
– NIST SP 800-82, Rev 2 is expected to be finalized late 2014
ISA-99 Standards Committee
• ISA-99 Committee on Industrial Automation and Control Systems Security is developing a series of standards
• NIST has played key roles
– Members: ISA-99 Leadership Committee
– Co-Chair and General Editor: ISA-99 Committee
– Lead Editor: Working Group 2 – Integrating Security into the Industrial Automation & Control Systems Environment
– Lead Editor: Joint Working Group 7 – Safety & Security
– Technical Input: Working Group 4 – Technical Requirements for Industrial Automation and Control Systems
– Member: ISA Standards and Practices Board
– NIST SP 800-82 and SP 800-53 provided as references to consider in the development of the standards
• ISA-99 standards are also co-branded as IEC 62443 standards
• ISASecure – Certification of ICS devices and systems
Contact Info
Keith Stouffer
301 975 3877
[email protected]
Engineering Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Mail Stop 8230
Gaithersburg, MD 20899-8230