The impact of cybersecurity breaches on infrastructure control system owners/operators is more visible than ever before. Whether you work for an infrastructure owner/operator or are a consumer of an infrastructure service, the events of the past few months have made it clear that cybersecurity is an important factor in ensuring the safe and reliable delivery of goods and services. For infrastructure control system owners/operators, it can be challenging to address the range of cybersecurity threats, vulnerabilities and risks that can negatively impact their operations, especially with limited resources.
NIST has developed an infographic, Tips and Tactics for Control Systems Cybersecurity, with quick steps control system owners/operators can take now to get started or refreshed on their cybersecurity journey and to help manage their control system cybersecurity risks. We also coordinated with the Cybersecurity & Infrastructure Security Agency (CISA) to find out what resources they may recommend and included them below for you as well.
In addition to the infographic, there are many control systems cybersecurity resources available from both NIST and CISA to help you, including:
NIST:
Cybersecurity Framework (CSF): Voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.
Risk Management Framework (RMF): A comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems. It links to a suite of NIST standards and guidelines that support implementation of risk management programs to meet the requirements of the Federal Information Security Modernization Act (FISMA).
CSF Manufacturing Profile: Provides CSF version 1.1 implementation details developed for the manufacturing environment. The “Manufacturing Profile” of the CSF can be used as a roadmap for reducing cybersecurity risk for manufacturers that is aligned with manufacturing sector goals and industry best practices.
CSF Manufacturing Profile Implementation Guide: Implementation guidance to help manufacturers select and deploy cybersecurity tools and techniques that best fit their needs while minimizing operational impacts. The Guide provides general implementation guidance (Volume 1) and two complete example proof-of-concept solutions (Volume 2 and Volume 3) demonstrating how available open-source and commercial off-the-shelf products can be implemented in manufacturing environments to satisfy the Manufacturing Profile’s requirements.
Guide to Industrial Control Systems (ICS) Security: Guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements.
CISA:
ICS Resources: Publicly available advisories and reports, and general announcements for the ICS community.
The collection of NIST resources for control system cybersecurity can be found at our new website. NIST continues its research and development on an update to NIST SP 800-82 to reflect the state of practice in cybersecurity risk management approaches for control systems. We look forward to sharing, later in June, a summary and analysis of the stakeholder pre-draft comments received on NIST SP 800-82, and to sharing a draft of the next revision for public comment in late 2021.
Keith Stouffer is a supervisory mechanical engineer at the National Institute of Standards and Technology. He leads the Trustworthy Systems, Components, and Data for Smart Manufacturing Program and is the lead author of NIST Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security, which provides guidance on how to secure ICS while addressing their unique performance, reliability and safety requirements. Outside of work, he enjoys fishing, hunting, and hiking.
Victoria Yan Pillitteri is a supervisory computer scientist at the National Institute of Standards and Technology. She leads the Federal Information Security Modernization Act (FISMA) Team that develops the suite of risk management guidance used for managing information security risk in the federal government. Outside of work, she enjoys teaching group exercise classes, baking, and traveling.