Richard Dahl, cmplid://’s CEO will be speaking at the ICS JWG Fall Conference September 13-15 in Ft. Lauderdale, FL.

A Simplified Approach to Implementing the NIST CSF within Operational Technologies

The NIST Framework for Improving Critical Infrastructure provides guidance for many industries for securing Information Technology (IT) and Operational Technology (OT) systems supporting critical functions and processes.  Use of the framework provides system owners with a view of deployed security postures and technical outcomes desired that can be used to manage cyber security risks.  One drawback of the Framework is the control library it supports (derived from NIST SP 800-53) is composed largely of Information Technology controls designed to protect multi-user, multi-processing technologies.  Applying those security controls to OT environments (distributed control systems, SCADA, industrial controls, etc…) presents certain challenges.  OT systems differ from IT in many ways, but the most significant differences, relative to this discussion, are the general lack of users on OT systems and the primacy of availability and integrity over confidentiality.

This presentation will review a simple and effective method of determining applicability of the Framework prescribed controls to OT environments.  Adding the documented analysis of the security control’s objectives and consequences (of failure or absence) provides an extremely efficient method of determining which of the security controls are necessary to address OT specific risks.  This method is used at a number of Nuclear Licensees as the basis of the Threat Vector analysis required to disposition their 10CFR 73.54 based cyber security plans, which utilize a security control library based on NIST SP 800-53 as well.