
Guide in Industrial Control System Security

Posted on 02/24/2015, by Miguel Herrero (INCIBE)

The draft of the second revision of the Guide to Industrial Control System (ICS) Security, published by the American National Institute of Standards and Technology (NIST), is open for public comment until 9 March 2015. The guide is intended to increase the security of ICS, including supervisory control and data acquisition (SCADA) systems, distributed control systems and other systems carrying out control functions. It provides an overview of the topologies and architectures typical of such systems, identifies known threats and offers security countermeasures against the threats that characteristically affect them.

The guide is organized as follows:

  • General Overview of ICS: This offers a good picture of industrial control systems, describing their processes and giving examples of how they operate. This section also looks at the design considerations that make industrial control systems so different from normal information technology (IT) systems. These include the need to work in real time, hierarchy, or the requirement for constant availability of the system. It also describes SCADA systems, distributed control systems (DCS) and topologies based on PLC. It ends with a comparison between IT systems and ICS to set the scene for those computer professionals coming from an IT environment who are now responsible for ICS.
  • Assessing and Managing Risk in ICS: This is a fundamental aspect of cyber-security. This chapter addresses the special features to be considered when evaluating risk in an ICS. In such systems the effects of an incident may well go beyond the limits of the strictly digital, so these effects have to be taken into account when undertaking a security assessment.
  • Developing and Deploying Security Programmes in ICS: Security programmes in ICS must be consistent and integrated with current IT security experience, incorporating best practice and the most effective tools. According to the guide, the first step is to set up a case study so as to raise the awareness of an organization’s management and gain their support.
  • Security Architecture in ICS: One of the long-standing recommendations for such systems is network segmentation. This chapter shows the typical topologies for achieving this segmentation, illustrating them with examples. It also offers security recommendations aimed at ensuring defence in depth, a defensive strategy that consists of putting in place several successive lines of defence rather than a single very strong line. The chapter makes special mention of general firewall policies that can be applied to the firewalls segmenting networks, along with specific recommendations for filtering a range of services such as the Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP) or Simple Mail Transfer Protocol (SMTP).
  • Application of Security Controls to ICS: The final and longest chapter concentrates on applying security controls to systems. While it centres on the paradigm used by the American Federal Information Security Management Act (FISMA), the chapter can serve as a guide for anybody wishing to improve the cyber-security of an ICS.
  • Appendices: The guide ends with a set of appendices that contain information that did not fit into other sections. Among them there is one that deals with the origins of threats, vulnerabilities and security incidents in ICS.