In June 2024, NIST Networked Control Systems Group Leader Keith Stouffer presented at the Control System Cyber Security Association International Symposium on “Navigating the Labyrinth: Your Guide to ICS/OT Cybersecurity Standards and Regulations.” Over 400 attendees participated in the Symposium. Control System Cyber Security Association International, with over 35,000 members worldwide, is a not-for-profit workforce development organization supporting professionals of all levels charged with securing control systems.
Mr. Stouffer summarized key NIST Industrial Control Systems (ICS)/Operational Technology (OT) cybersecurity publications, as described below.
NIST SP 800-82 Guide to Operational Technology (OT) Security Revision 3: This NIST Special Publication provides guidance on how to improve the security of OT systems while addressing their unique performance, reliability, and safety requirements. Its previous version has had over three million downloads and 2,200 citations. NIST’s new version includes updates on:
- Threats and vulnerabilities
- OT risk management
- OT security
- Security capabilities for OT
- Alignment with OT security standards, guidelines, and NIST’s Cybersecurity Framework Version 1.1
- Security control baselines for low-, moderate-, and high-impact OT systems
Cybersecurity Framework Version 1.1 Manufacturing Profile: NISTIR 8183 Revision 1: This profile adapts the NIST Cybersecurity Framework to manufacturing. It offers cybersecurity practices which best fit manufacturers’ needs, while minimizing negative impacts to system performance. NIST’s cybersecurity for OT testbed evaluated the profile, measuring the impacts of cybersecurity practices, including those for 42 technical capabilities. The profile can be implemented using the following guides:
- Manufacturing in General: Provided in NIST IR 8183A Cybersecurity Framework Manufacturing Profile Low Impact Level Example Implementations Guide: Volume 1 – General Implementation Guidance.
- Process-Based Manufacturing: Involves a use case for a fictional company, producing chemicals in NIST IR 8183A Cybersecurity Framework Manufacturing Profile Low Impact Level Example Implementations Guide: Volume 2 – Process-based Manufacturing System Use Case.
- Discrete Manufacturing: Involves a use case for a fictional company, producing finished goods in NIST IR 8183A Cybersecurity Framework Manufacturing Profile Low Impact Level Example Implementations Guide: Volume 3 – Discrete-based Manufacturing System Use Case.
Mr. Stouffer also discussed future updates, including revising both NIST SP 800-82 and the Cybersecurity Framework Manufacturing Profile to align with the recently released NIST Cybersecurity Framework 2.0, published in February 2024.