North America

North America ICS Standards

Booz Allen Hamilton
Ukraine Report: When the Lights Went Out

Published: November 2016

 “For ultimate protection, consider unidirectional technologies for one-way data transfer from sensitive environments to authorized systems”. Read more.

Published: September 2016

Implementing unidirectional technology for the most critical control systems for vessels is a recommended way to ensure this safety and security. Read more.

Published: September 2016

 When it comes to the distinction between protecting OT systems vs. protecting IT systems – these guys get it. They understand industrial systems and the need for a different approach with OT security versus IT security and the potential for grave consequences if IT protections are employed. Read more.

Department of Homeland Security (DHS ICS-CERT)
Improving ICS Cybersecurity with Defense-in-Depth Strategies

Published: September 2016

A nice collection of advice for ICS security programs, including: risk management, security controls and technologies, as well as physical security and training/awareness recommendations. The document is helpful in that it describes attack scenarios and essential limitations of security technologies, as justification for specific recommendations. Read more.

Industrial Internet Consortium (IIC)
Industrial Internet of Things, Volume G4: Security Framework

Published: September 2016

 The framework discusses host-based, cryptographic, and network flow control protections, including a variety of unidirectional gateway technologies, in detail. The document is unique in the way it describes the need to balance the host-based and cryptographic protections central to IoT technologies with the network-flow-control control concepts described as essential to industrial control systems. Read more.

Published: April 2016

 The requirement of real time data monitoring makes connecting ICS and business networks unavoidable. Oil companies will need to consider a new host of vulnerabilities and risks associated with connecting drilling rig industrial control systems to outside data centers in real time. This scenario makes unidirectional gateways all the more relevant when meeting data requirements of the Well Control Rule. Read more.

Canadian Standards Association (CSA Group)
Cyber security for nuclear power plants and small reactor facilities

Published: April 2016

 Generally speaking, nuclear sites face unique risks. However, when it comes to protecting control networks and critical infrastructure from cyber attacks, nuclear is no different from other industrial networks – nuclear is just leading the charge. Read more.

National Institute of Standards and Technology (NIST)
NIST Special Publication 800-82 Revision 2 Guide to Industrial Control Systems (ICS) Security

Published: May 2015

The standard outlines major security objectives for ICS and recommends firstly unidirectional gateways to restrict logical access to the ICS network. It also outlines the typical defense in depth strategy for ICS which will ideally have unidirectional gateways to provide logical separation between the corporate and ICS networks. Read more.

National Institute of Standards and Technology (NIST)
Framework for Improving  Critical Infrastructure Cybersecurity

Published: February 2014

They have taken a cyber risk framework directly from an IT context and applied it to ICS. Not emphasizing prevention as a core function in the realm of protecting critical infrastructure is a weakness in the framework. Under the core function of “protect”, there is not specific guidance on protecting the perimeter or boundary of the ICS network. Read more.

Published: August 2013

 The standard clearly states that the security goals and requirements for industrial control systems differ from those of IT networks. With the increased connectivity of business networks to control networks, new vulnerabilities present themselves. Read more.

North American Electric Reliability Corporation (NERC)
CIP Cyber Security Standards Version 5

Published: October 2012

 The NERC CIP standards in particular are seen as a model of cyber security for other industries and critical infrastructures. The NERC CIP V5 standards are designed specifically to enhance the reliability of the Bulk Electric System through strong security. Read more.