You are a cybersecurity professional focused on Industrial Control Systems (ICS) security. Look at your bookshelf...
and tell me what you see. Besides the cybersecurity classics by Shon Harris, Krutz and Vines, and Peter Gregory, you probably have accumulated some ICS security books with worn and tabbed pages. One set of books you've probably collected are the National Institute of Standards and Technology (NIST) Special Publications under the title of SP800-82, Guide to Industrial Controls Systems (ICS) Security. With SP800-82 comes the first issue from 2006, Revision 1, and now Revision 2 is out in DRAFT.
What about the history of the SP800-82 series? Revision 2 is already out, but where did 800-82 come from? Whose vision started this series of well-used references? What is driving NIST's focus on ICS security?
In this tip, we'll introduce Keith Stouffer of NIST, whose work is a big influence on the ICS security guides. We took some time to interview Stouffer about the history of the SP800-82 publications, and ask him why these top sellers from NIST are relevant.
The beginning of ICS security focus at NIST
Around 2000, Keith Stouffer and a few other individuals began to raise concerns about the security of critical infrastructure. Specifically, Stouffer was working in the Mechanical Engineering Lab at NIST and actually had particular interest in "process control systems" -- as they were called at the time. So, in the spring of 2001, a small group of concerned professionals gathered as the Process Control Security Requirements Forum (PCSRF).
The objective of the PCSRF was to specify security requirements for process control systems -- which soon came to be known as industrial control systems. The primary focus of the group was to improve the IT security of the computer control systems used in process industries, including electric utilities, petroleum (oil and gas), water, waste, chemicals, pharmaceuticals, pulp and paper, metals and mining, with an emphasis on industries considered to be part of the nation's critical infrastructure. At the time, the PCSRF was looking very hard at the format of The Common Criteria for Information Technology Security Evaluation, also known as ISO/IEC 15408, to document the results of this effort in the form of Common Criteria Protection Profile security specifications.
In October 2004, one of the primary documents produced by PCSRF under Stouffer's leadership was the System Protection Profile -- Industrial Control Systems. This document was designed to present a cohesive, cross-industry set of baseline security requirements for the procurement of new process control systems. It also acted as a starting point for more specific system protection profiles for Supervisory Control and Data Acquisition (SCADA) or Distributed Control Systems (DCS). The PCSRF was more focused on new industrial control systems coming on market, not on the legacy systems.
About Keith Stouffer
The world of industrial control systems (ICS) security has substantially evolved after the global awareness of the Stuxnet cyberattack on the Iranian nuclear fuel processing facility in July 2010. However, focus on ICS security had not been slumbering until Stuxnet hit the headlines. Keith Stouffer of the U.S. National Institute of Standards and Technology has been a key leader in the ICS security space since early 2000.
Keith has been with the Engineering Lab at NIST for almost 25 years, focusing on ICS security since 2000. Keith is currently the Project Manager of the Cybersecurity for Smart Manufacturing Systems Project. He is the lead author of SP800-82, and is the visionary for its contents and evolution.
Keith's biography on the NIST website also highlights that he has been active in the private sector standards community, providing input to the International Society of Automation (ISA) 99 standards for ICS security and the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) security standards. During his career, Keith has also received gold and bronze Medals from the Department of Commerce, the Gov30 Security Award, and he holds a Master of Science in Computer Science from Johns Hopkins University and Bachelor of Science in Mechanical Engineering from the University of Maryland.
The PCSRF -- along with Stouffer and his colleagues at NIST -- began to fill a void for security knowledge and guidance relative to ICS and planted seeds for the future NIST SP800-82 documents. By 2006, the PCSRF had grown from less than 20 individuals to over 1,000. In addition to building out the PCSRF, the activities of this group also wove into some of the parallel work at the International Society of Automation (ISA) (formerly called the Instrumentation, Systems and Automation Society), which had formed the Manufacturing and Control Systems Security Committee in fall of 2002 and eventually evolved into the ISA-99 Committee.
The birth of NIST SP800-82
Around 2005, Stouffer and his colleagues started writing NIST SP800-82. A couple of interesting stories evolved from the first issue of this special publication. First, there's a story with the title of the document, and secondly there were substantial pressures from the Federal Power Agencies over the content of the guide.
The title for the first issue of SP 800-82 was Guide to SCADA and ICS Security. There is a distinction between SCADA and ICS and that weaving them into the same sentence cloud lead to conflict by the more expert ICS security professionals. Stouffer related that when the SP800-82 document was first developed, there were many points of pressure from Capitol Hill that SCADA needed to be protected, and thus, the term "SCADA" was put into the title for the first DRAFT SP 800-82. However, later copies of the SP800-82 series no longer include "SCADA" in the primary title.
A second story about the first SP 800-82 focused on the pressure from the inspector generals to focus on using NIST SP800-53, Security and Privacy Controls for Federal Information Systems and Organizations, as the base security standard for federally owned and operated ICS. However, as many ICS security professionals will attest -- and consistent with Keith Stouffer's opinion -- NIST SP800-53 is focused on information technology (IT) systems and not on ICS -- also known as operations technology (OT). This led to many conversations with the inspector generals and the federal agencies that own and operate ICS and lead to an interesting solution.
Stouffer and his colleagues saw merit in looking at SP800-53 and the particular requirements that could apply to ICS. As a result, in December of 2007, Appendix I of 800-53, Revision 2, was prepared as an addendum to the 800-53 requirements, but specific to ICS. They were updated in August 2009 with the release of NIST SP800-53, Rev. 3. Appendix I of SP800-53 was used as the basis for the new ICS Overlay (Appendix G of NIST SP800-82, Revision 2).
NIST SP800-82 was born as an Initial DRAFT in 2006. The official version -- Revision 0 -- was published in 2011 and was finally withdrawn in April 2014 after Revision 1 (Final) had been published in 2013.
Since its first publication, more than 3 million copies of the NIST SP800-82 documents have been downloaded.
A visual history of NIST and ICS
A visual history of NIST and ICS security has been developed and included below:
NIST SP800-82, Revision 2 (DRAFT)
On May 14, 2014, NIST produced Revision 2 to the SP800-82 series of guides. Again, Keith Stouffer was the leader of this effort. The SP800-82 documents have expanded in depth and breadth of information, as shown in page count alone:
|NIST SP800-82, Revision 0||155 pages|
|NIST SP 800-82, Revision 1||170 pages (+9.6%)|
|NIST SP 800-82, Revision 2 (DRAFT)||255 pages (+50.0%)|
In summary, Revision 2 includes the following:
- Updates to ICS threats and vulnerabilities.
- Updates to ICS risk management, recommended practices and architectures.
- Updates to current activities in ICS security.
- Updates to security capabilities and tools for ICS.
- Additional alignment with other ICS security standards and guidelines, specifically U.K. National Centre for the Protection of National Infrastructure (CPNI) and ISA-62443.
- New tailoring guidance for NIST SP800-53, Revision 4 security controls, including introduction of overlays.
- An ICS overlay for NIST SP800-53, Revision 4 security controls that provides tailored security control baselines for low, moderate and high impact ICS
The ICS overlay is a partial tailoring of the controls and control baselines in SP800-53, Revision 4, which adds supplemental guidance specific to ICS. The ICS overlay is intended to be applicable to all ICS systems in all industrial sectors; it can be used to provide a structured approach to help organizations tailor security-control baselines and develop specialized security plans that can be applied to specific missions/business functions, environments of operation and/or technologies. This specialization approach is important as the number of threat-driven controls and control enhancements in the catalog increases and organizations develop risk management strategies to address their specific protection needs within defined risk tolerances.
Unfortunately, the opportunity to offer comments on Revision 2 (initial public draft) closed on July 18, 2014. However, a final public draft will be released in the fall of 2014 for a 30-day comment period, and the document is scheduled to be finalized in early 2015. The document, as it stands, is an excellent desk reference for immediate use when learning about ICS security, developing ICS security plans, programs, policies, procedures and guidelines.
Also, Appendix F, References, in the Revision 2 (DRAFT) is an excellent list of resources for ICS security that can be of immediate assistance to the ICS cybersecurity professional, as well as student.
What is next for NIST?
The team at NIST is looking at the next steps for ICS security. First, they still have concerns for ICS security implementation at small to midsize companies. Secondly, NIST is expanding some test beds to better understand cybersecurity threats and solutions. The test beds include:
- Robotics/robotic manufacturing
- Additive manufacturing
- Chemical processes
- Smart transportation
Stouffer's team will also be looking at implementing NIST 800-82 and ISA-62443 standard requirements on these and other ICS systems to measure and better understand the performance impacts of implementing security requirements on these time-critical systems.
Future studies may include working on designs for resilient control systems and even weaving in Security Content Automation Protocols (SCAP) into ICS security.
Lastly, Stouffer indicated NIST and his team will also be kicking off future workshops on Cyber-Physical System (CPS) security sometime in fall 2014.
About the Author:
Ernie is a highly experienced and seasoned technical consultant, author, speaker, strategist and thought-leader with extensive experience in the power utility industry, critical infrastructure protection/information security domain, industrial controls security, cybercrime and cyber warfare areas. His primary emphasis is on project and business development involving cyber and physical security of industrial controls, smart grid, energy supply, and oil/gas/electric systems and facilities with special expertise on industrial controls and NERC Critical Infrastructure Protection (NERC CIP) standards. Hayden holds certifications as a Global Industrial Cyber Security Professional (GICSP), Certified Information Systems Security Professional (CISSP), and Certified Ethical Hacker (CEH). Hayden is an Executive Consultant at Securicon, LLC has held roles as Global Managing Principal – Critical Infrastructure/Industrial Controls Security at Verizon, held information security officer/manager positions at the Port of Seattle, Group Health Cooperative (Seattle), ALSTOM ESCA and Seattle City Light. In 2012 Ernie was named a "Smart Grid Pioneer" by Smart Grid Today and published an article on Microgrid security in Jesse Berst's Smart Grid News Ernie is a frequent author of blogs, opinion pieces and white papers. He has been cited in the Financial Times, Boston Globe, Energy Biz Magazine, and Puget Sound Business Journal. Many of his articles have been posted to such forums as Energy Central, Public Utility Fortnightly "SPARK," and his own blog on Infrastructure Security.
Ernie Hayden assesses the strengths and weaknesses of the NIST cybersecurity framework.