CISA & DOE Guidance regarding control systems best practices

Submitted by: Daryl Haegley, Director, Mission Assurance & Cyber Deterrence at DoD


https://www.cisa.gov/publication/cybersecurity-best-practices-for-industrial-control-systems

From POLITICO today:

KEEPING THE LIGHTS ON — CISA and the Energy Department joined with the U.K. National Cyber Security Centre on Friday to issue security guidance for industrial control system operators. The best-practices document offers high-level advice and appears designed for executives rather than IT administrators or chief information security officers; in addition to the actual security advice, it lists the potential impacts of a cyber incident, from short-term problems such as shutdowns to long-term troubles such as lawsuits. One section lists the most common IT and operational technology flaws that CISA saw in fiscal 2019, including porous boundary protections that allowed undetected incursions; authentication failures that made it difficult to trace breaches back to specific compromised accounts; and lack of fidelity to the “principle of least functionality,” magnifying the scope of damage that hackers could do.

Accompanying the document’s “Defend ICS Processes Today” checklist, which lists cybersecurity basics such as “Disable unnecessary services, ports, and protocols,” is a forward-looking “Proactively Protect Tomorrow” section with advice about network architecture, security monitoring, supply chain security and risk management. Absent from the document, however, is advice for ICS component manufacturers and purchasers.

CPS, ICS, IoT…which term applies to you? 

Cyber-Physical Systems and Control Systems (CPS/CS) include those systems referred to as industrial control systems (ICS), internet of things (IoT), operational technology (OT), platform information technology (PIT), and supervisory control and data acquisition (SCADA). Examples include but are not limited to: building automation systems; energy/utility monitoring and control systems; lighting; fire and life safety; physical security; fuel handling; logistics; medical; manufacturing; and weapons systems. Damage to or compromise of any CPS/CS may compromise a mission or cause cascading failures if the CPS/CS is used as a gateway into an organization’s broader information networks. Source: Report to the President on Strengthening the Nation’s Cybersecurity Workforce for Cyber-Physical Systems and Control Systems (CPS/CS) in accordance with Executive Order 13870, “America’s Cybersecurity Workforce.”