This document provides guidance for establishing secure industrial control systems (ICS). These ICS, which include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as skid-mounted Programmable Logic Controllers (PLC), are often found in the industrial control sectors. This document provides an overview of these ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.
DoD was an active contributor to the NIST Special Publication (SP) 800-82 Revision 2 Industrial Control Systems Security Guide published in May 2015. Appendix G contains the “ICS Overlay”, which provides the tailoring and supplemental guidance for cybersecuring control systems. Although NIST SP 800-82 Rev. 2 defines ICS as “Supervisory Control and Data Acquisition Systems, Distributed Control Systems, and other control system configurations such as Programmable Logic Controllers,” the security controls it contains can also be used as a starting point for securing non-industrial control systems (generally there is no other guidance available). For example, there are many building, transportation, medical, security, and logistics systems which – though similar in many respects to traditional ICS – use different protocols, ports and services, and are configured to operate in different modes than SCADA or DCS systems.
Examples of Other Types of EI&E FRCS:
The security controls provided in Appendix G are general and flexible enough to be used to evaluate other types of PIT; subject matter experts should review the controls and tailor them as appropriate. There is no “one size fits all,” and risks are not the same, even within a particular group. To illustrate, a building control system has various sub-systems such as HVAC, fire alarms, physical access control systems (PACS), digital signage, CCTV, etc. Critical life safety systems such as the fire alarm and PACS may have an impact level of “high” while other systems are designated as “low”. Rather than connect these systems together and require the aggregated system to be evaluated as “high” impact, it might make more sense to keep the systems separate and evaluate them against their potentially lower individual impact levels.