What’s in the Standard
The standard is a nice collection of advice for ICS security programs, covering risk management, security controls and technologies, physical security, and training/awareness recommendations. The document is helpful in that it describes attack scenarios and essential limitations of security technologies as justification for specific recommendations.
This is a big improvement over the 2009 document, but it has flaws as well. While the document sometimes describes limitations of specific security technologies, it does not do so consistently. For example, the section on VLANs starts by mentioning specific concerns and then lists a long set of recommendations to reduce risks. At the end of the list, though, there is no description of which of the original concerns and risks the recommendations have addressed and what remains as residual risk. Compounding this omission is the regular use of the word “secure” as an adjective, implying that if all recommendations are implemented, the resulting configuration is “secure.” Of course, nothing can ever be completely secure, so this terminology is particularly unfortunate given the omitted discussion of residual risks.
That said, this is, again, a big improvement over the original, and includes discussion of modern attacks, modern risks, and modern defensive technologies, including unidirectional security gateways.