Draft ICS Augmentation of SP 800-53
Draft Appendix I, May 15, 2007
Draft Appendix F Augmented for ICS (Clean version), June 22, 2007
Draft Appendix F Augmented for ICS (Markup version), June 22, 2007
NIST announces the release, for public comment, of proposed augmentations to NIST Special Publication 800-53, Revision 1 for industrial control systems (ICS); specifically to Appendix I: Industrial Control Systems and to Appendix F, Security Control Catalogue. The draft Appendix F (hereafter referred to as Appendix F ICS) was created by augmenting Appendix F in the December 2006 version of SP 800-53, Revision 1 (hereafter referred to as SP 800-53) to better address ICS. When developing the augmentation, the original text in Appendix F of SP 800-53 was not changed. Appendix I in SP 800-53 was changed to be consistent with the draft Appendix F ICS. Comments will be accepted through August 31, 2007. Comments should be forwarded to the Computer Security Division, Information Technology Laboratory at NIST or submitted via email to email@example.com .
Additional background and information:
Through NIST's assigned responsibility to develop and promulgate security standards for federal information systems, NIST's Information Technology Laboratory (ITL) Computer Security Division (CSD), and NIST's Manufacturing Engineering Laboratory (MEL) Intelligent Systems Division (ISD) partnered to establish an Industrial Control System Security Project to improve the information security of public and private sector ICS.
A key goal of this project is the development of information security requirements and baseline security controls for federally owned/operated ICS (including industrial/process controls systems that are operated by contractors on behalf of the federal government) that will significantly improve the information security of these types of systems. An additional desired goal is the voluntary adoption of the same or similar security requirements and baseline security controls by the private-sector ICS community. Adoption of common government and industry requirements and baseline security controls greatly reduce the vulnerability of critical infrastructure systems that are supported by ICS and they raise the security bar on all such systems.
In support of these goals, the NIST ICS Security Project is augmenting SP 800-53 to address ICS. SP 800-53, which was developed for traditional information systems, contains a security control catalogue (Appendix F) and mandatory information security requirements for all non-national security information and information systems that are owned, operated, or controlled by federal agencies (Appendices D and E). While most controls in SP 800-53 Appendix F are applicable to ICS as written, several controls do require ICS-specific augmentation by adding one or more of the following:
(i) ICS Supplemental Guidance
(ii) ICS Enhancements (one or more)
(iii) ICS Enhancement Supplemental Guidance.
When augmenting Appendix F of SP 800-53 to develop Appendix F ICS, the original set of controls, enhancements, and supplemental guidance contained in Appendix F were not changed. ICS Supplemental Guidance provides additional guidance on how to apply a SP 800-53 control in ICS environments. ICS Enhancements are enhancement augmentations to the controls that are required for some ICS. ICS Enhancement Supplemental Guidance provides guidance on how to apply an enhancement in ICS environments.
At this time, only Appendices F and I are being released for public comment. Modifications to Appendices D and E, the mandatory information security requirements for ICS, are still in under development. They will be released for public comment when a mature draft is completed.