Updated link to NIST Guide to Industrial Control Systems

Most of us have heard the alarms about cyber threats and the vulnerabilities of US factories, electric utilities, the petroleum industry and other vital parts of our infrastructure. If you’re concerned or working on this issue, you may want to look at an update to the Guide to Industrial Control Systems [ICS] Security issued this afternoon by the Commerce Department’s National Institute of Standards and Technology.
The report makes an important distinction about cybersecurity when it comes to ICS. The biggest difference is what can happen. While our focus always must be on IT security, industrial control systems pose unique issues not faced in most IT environments. If responses to an ICS attack fail to address it in real time and almost immediately, people can be injured or killed and the environment can suffer extreme harm.
Most cybersecurity damage comes in the form of loss of privacy or cash. We usually face complex tasks of analyzing what happened, what agencies and third parties must be notified, what protections to implement, and how to defend litigation. They are serious enough, but what can happen when ICS is attacked is another order of magnitude.
Industrial control systems last far longer than most IT. ICS often involves legacy systems that lack password protection and error logs and can’t be encrypted. They frequently are proprietary systems understood only by skilled specialists who work on particular industry control systems and nothing else.
One of the major additions in this update is a new ICS overlay for utilities, chemical companies, food manufacturers, and automakers. An executive overview introduces the full 247-page report, titled NIST Special Publication 800-82 Revision 2. Public comment periods are set and feedback is requested.
Living in an era of constant threats, it makes sense for most organizations with substantial industrial control systems to have someone invest time in this update. As soon as the report was released I sent it to my son, who is a chemical engineer and has worked on control systems at refineries around the world. He knows how fast and how bad things can get. If you read this far, you probably do too.