In a previous blog post, I reviewed areas of industrial control systems that have to be protected and the kinds of threats experienced in the automation industry. Measures that can be implemented to safeguard industrial control systems have been categorized in the National Institute of Science and Technology (NIST SP 800-82). They include management, operational and technical controls. The controls were listed with a request to match each with one of the three categories. Here are the answers:
- Access control (Technical)
- Audit and accountability (Technical)
- Awareness and training (Operational)
- Identification and authentication (Technical)
- Maintenance (Operational)
- Personnel security (Operational)
- Physical and environmental protection (Operational)
- Planning (Management)
- Risk assessment (Management)
- Security assessments (Management)
Management controls incorporate the topics of risk assessment, planning, system and services acquisition, certification, accreditation and security assessments.
Risk assessment is defined in the NIST Special Publication 800-82 Guide to Industrial Control Systems Security as “the process of identifying risks to operations, assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact.”
Planning refers to the generation of a plan to determine and implement security controls, performing assessments, conducting incident response, and assigning security levels.
Security assessments have the goals of ensuring that the specified controls are properly implemented and functioning as desired.
Operational controls are those controls that are performed by personnel as opposed to computer systems.
Personnel security includes policies and procedures for personnel position categorization, screening, transfer, penalty and termination. It also addresses third-party personnel security. Physical and environmental protection refers to policies and procedures addressing physical, transmission and display access control as well as environmental controls for conditioning (e.g., temperature, humidity) and emergency provisions (e.g., shutdown, power, lighting, fire protection).
Maintenance policies and procedures are applied to manage all maintenance aspects of an information system.
Awareness and training policies and procedures are used to ensure that all information system users are given appropriate security training relative to their usage of the system and that accurate training records are maintained.
Click this link to download a free excerpt from the ISA book Industrial Automation and Control System Security Principles.
Technical controls are characterized by implementation through software, hardware or firmware elements.
Identification and authentication is the process of verifying the identity of a user, process or device through the use of specific credentials (e.g., passwords, tokens, biometrics) as a prerequisite for granting access to resources in an IT system.
Access control is the process of granting or denying specific requests for obtaining and using information and related information processing services for physical access to areas within the information system environment.
Audit and accountability refers to the independent review and examination of records and activities to assess the adequacy of system controls to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies or procedures.
The application of these management, operational, and technical controls will serve to reduce the risks to industrial automation and control systems and will mitigate vulnerabilities. Threats to these systems have the potential to endanger life, affect regulatory compliance, incur liability, erode public confidence, damage equipment, and result in loss of product. It is important to understand the relationship and tradeoffs between security and safety and risk analysis can provide the required knowledge to make the proper and effective decisions. Thus, the process of managing risk considers effectiveness, efficiency, and constraints due to laws, directives, policies, or regulations.
Click this link to read Part 1 of this blog post series.