NIST SPECIAL PUBLICATION 1800-10
Protecting Information and System Integrity in Industrial Control System Environments:
Cybersecurity for the Manufacturing Sector
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)
Michael Powell
Joseph Brule
Michael Pease
Keith Stouffer
CheeYee Tang
Timothy Zimmerman
Chelsea Deane
John Hoyt
Mary Raguso
Aslam Sherule
Kangmin Zheng
Matthew Zopf
FINAL
This publication is available free of charge from https://doi.org/10.6028/NIST.SP.1800-10
The first draft of this publication is available free of charge from https://www.nccoe.nist.gov/publications/practice-guide/protecting-information-and-system-integrity-industrial-control-system-draft
Michael Powell
National Cybersecurity Center of Excellence
National Institute of Standards and Technology
Michael Pease
Keith Stouffer
CheeYee Tang
Timothy Zimmerman
Engineering Laboratory
National Institute of Standards and Technology
Joe Brule
Chelsea Deane
John Hoyt
Mary Raguso
Aslam Sherule
Kangmin Zheng
The MITRE Corporation
McLean, Virginia
Matthew Zopf
Strativia
Largo, Maryland
FINAL
March 2022
U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
James K. Olthoff, Performing the non-exclusive functions and duties of the Under Secretary of Commerce for Standards and Technology & Director, National Institute of Standards and Technology
- 1 Summary
- 2 How to Use This Guide
- 3 Approach
- 4 Architecture
- 5 Security Characteristic Analysis
  - 5.1 Assumptions and Limitations
  - 5.2 Example Solution Testing
    - 5.2.1 Scenario 1: Protect Host from Malware Infection via USB
    - 5.2.2 Scenario 2: Protect Host from Malware Infection via Network Vector
    - 5.2.3 Scenario 3: Protect Host from Malware via Remote Access Connections
    - 5.2.4 Scenario 4: Protect Host from Unauthorized Application Installation
    - 5.2.5 Scenario 5: Protect from Unauthorized Addition of a Device
    - 5.2.6 Scenario 6: Detect Unauthorized Device-to-Device Communications
    - 5.2.7 Scenario 7: Protect from Unauthorized Deletion of Files
    - 5.2.8 Scenario 8: Detect Unauthorized Modification of PLC Logic
    - 5.2.9 Scenario 9: Protect from Modification of Historian Data
  - 5.3 Scenarios and Findings
    - 5.3.1 PR.AC-1: Identities and Credentials are Issued, Managed, Verified, Revoked, and Audited for Authorized Devices, Users, and Processes
    - 5.3.2 PR.AC-3: Remote Access is Managed
    - 5.3.3 PR.AC-4: Access Permissions and Authorizations are Managed, Incorporating the Principles of Least Privilege and Separation of Duties
    - 5.3.4 PR.AC-7: Users, Devices, and Other Assets are Authenticated (e.g., single-factor, multi-factor) Commensurate with the Risk of the Transaction (e.g., Individual Security and Privacy Risks and Other Organizational Risks)
    - 5.3.5 PR.DS-1: Data-at-Rest is Protected
    - 5.3.6 PR.DS-6: Integrity Checking Mechanisms are Used to Verify Software, Firmware, and Information Integrity
    - 5.3.7 PR.IP-4: Backups of Information are Conducted, Maintained, and Tested
    - 5.3.8 PR.MA-1: Maintenance and Repair of Organizational Assets are Performed and Logged, with Approved and Controlled Tools
    - 5.3.9 PR.MA-2: Remote Maintenance of Organizational Assets is Approved, Logged, and Performed in a Manner that Prevents Unauthorized Access
    - 5.3.10 DE.AE-1: A Baseline of Network Operations and Expected Data Flows for Users and Systems is Established and Managed
    - 5.3.11 DE.AE-2: Detected Events are Analyzed to Understand Attack Targets And Methods
    - 5.3.12 DE.AE-3: Event Data are Collected and Correlated from Multiple Sources and Sensors
    - 5.3.13 DE.CM-1: The Network is Monitored to Detect Potential Cybersecurity Events
    - 5.3.14 DE.CM-3: Personnel Activity is Monitored to Detect Potential Cybersecurity Events
    - 5.3.15 DE.CM-7: Monitoring for Unauthorized Personnel, Connections, Devices, and Software is Performed
- 6 Future Build Considerations
- Appendix A List of Acronyms
- Appendix B Glossary
- Appendix C References
- Appendix D Scenario Execution Results
  - D.1 Executing Scenario 1: Protect Host from Malware via USB
  - D.2 Executing Scenario 2: Protect Host from Malware via Network Vector
  - D.3 Executing Scenario 3: Protect Host from Malware via Remote Access Connections
  - D.4 Executing Scenario 4: Protect Host from Unauthorized Application Installation
  - D.5 Executing Scenario 5: Protect from Unauthorized Addition of a Device
  - D.6 Executing Scenario 6: Detect Unauthorized Device-to-Device Communications
  - D.7 Executing Scenario 7: Protect from Unauthorized Deletion of Files
  - D.8 Executing Scenario 8: Detect Unauthorized Modification of PLC Logic
  - D.9 Executing Scenario 9: Protect from Modification of Historian Data
  - D.10 Executing Scenario 10: Detect Sensor Data Manipulation
  - D.11 Executing Scenario 11: Detect Unauthorized Firmware Modification
- Appendix E Benefits of IoT Cybersecurity Capabilities
- 1 Introduction
- 2 Product Installation Guides
- Appendix A List of Acronyms
- Appendix B Build Architecture Diagrams