Jeffrey Ryan
depended on by over one million residential and business customers every day. A structured,
industry proven Risk Management Framework is essential for identifying, mitigating, and
continuously monitoring risks to our Industrial Control Systems, especially those considered to
leaders/executives providing the strategic vision and top-level goals and objectives for the
the front lines operating the information systems supporting the organization’s
when needed. Availability and integrity are the primary objectives of ICS security controls.
The Risk Management Framework (RMF), developed by NIST with input from private industry,
has already been adopted by the federal government and can be used effectively by our quasi-
change configuration management but we need to be familiar with all of the steps in the
The scope of this RMF is limited to systems deemed to be part of an Industrial Control System
(ICS). An example ICS is located at our largest power generation facility, which in turn is
comprised of several smaller information systems – sets of information resources for the
collection, processing, use, and dissemination of ICS information (NIST, 2011). The six steps of
example security categorization (SC) for the security objectives of process control information
Information type ratings are determined by analyzing how the loss of each security objective
might affect organizational operations, assets, or individuals (NIST, 2004).
The rated information types within an information system are then aggregated and used to
determine the security categorization of the information system overall. The highest value of
any information type, also known as the high-water mark, is then used as the value for the
information system. Since we only have one information type in this example, the
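The aggregation just described (rate each information type per security objective, take the high-water mark per objective, then take the highest objective as the overall system rating) is small enough to check mechanically. The following Python is an added illustration, not code from the paper or from SRP; the two information types and their impact levels are constructed sample input (the paper names only "process control information" and gives no ratings), and the function names are my own.

```python
from dataclasses import dataclass
from typing import Dict, List

# Impact levels from FIPS 199, ordered so that max() picks the high-water mark.
IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type with an impact level per security objective."""
    name: str
    impact: Dict[str, str]  # objective -> "low" | "moderate" | "high"

    def __post_init__(self) -> None:
        # Reject incomplete or misspelled ratings before they can skew the aggregate.
        missing = [o for o in OBJECTIVES if o not in self.impact]
        if missing:
            raise ValueError(f"{self.name}: missing objective(s) {missing}")
        bad = [v for v in self.impact.values() if v not in IMPACT_RANK]
        if bad:
            raise ValueError(f"{self.name}: unknown impact level(s) {bad}")


def high_water_mark(types: List[InformationType]) -> Dict[str, str]:
    """Per-objective maximum across all information types in the system."""
    if not types:
        raise ValueError("an information system needs at least one information type")
    return {
        obj: max((t.impact[obj] for t in types), key=IMPACT_RANK.__getitem__)
        for obj in OBJECTIVES
    }


def system_categorization(types: List[InformationType]) -> str:
    """Overall system rating: the highest of the per-objective high-water marks."""
    hwm = high_water_mark(types)
    return max(hwm.values(), key=IMPACT_RANK.__getitem__)


def format_sc(system_name: str, types: List[InformationType]) -> str:
    """Render the categorization in the FIPS 199 'SC name = {...}' notation."""
    hwm = high_water_mark(types)
    inner = ", ".join(f"({obj}, {hwm[obj].upper()})" for obj in OBJECTIVES)
    return f"SC {system_name} = {{{inner}}}"


# Constructed sample input (not taken from the paper): the single information
# type named in the text, plus a second one to show aggregation at work.
PROCESS_CONTROL = InformationType(
    "process control information",
    {"confidentiality": "low", "integrity": "high", "availability": "high"},
)
HISTORIAN = InformationType(
    "historian data",
    {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
)

if __name__ == "__main__":
    print(format_sc("ICS", [PROCESS_CONTROL]))
    print(format_sc("ICS", [PROCESS_CONTROL, HISTORIAN]))
    print("overall:", system_categorization([PROCESS_CONTROL, HISTORIAN]))
```

Adding the second type raises only the confidentiality mark (low to moderate); integrity and availability already sit at high, so the overall system rating stays high. That is the practical effect of the high-water mark: a single high-impact objective in one information type sets the control baseline for the whole system.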
controls necessary to protect the ICS information system consistent with SRP’s risk tolerance.
All selected controls are documented with functional descriptions and planned
recommendations of suitability based on the information system rating (low, moderate, high)
The list of security controls is very large so only a couple are provided here as examples,
highlighting the availability and integrity security objectives. Controls from the Physical and
Environmental Protection family, emphasizing availability, are selected to address risks ranging
from unauthorized individuals physically damaging equipment to fire or other natural disasters.
Controls from the Access Control family, emphasizing integrity, are selected to address risks
limiting the use of administrative privileges, separation of duties, and logical boundary
defenses.
work with each other. An important requirement during implementation is that all controls
implementation strategy should focus on those controls that most effectively mitigate risks
that documents all aspects of the system including hardware, software, and firmware
configurations (NIST, 2017a). A thorough baseline is required during the continuous monitoring
Following a completed assessment, a Security Assessment Report (SAR) is provided that details
discovered security control weaknesses and/or deficiencies requiring remediation. The findings
and recommendations are then used to create initial and long-term remediation action plans.
The most recent security assessment found one noncompliant control of significant importance
from a regulatory compliance perspective. The SAR noted that a contractor who transferred to
a different facility still had unrestricted physical access to protected areas at the original facility
more than 24 hours after transfer, a violation of North American Electric Reliability Critical
recommendations that can be used in the creation of a Plan of Action and Milestones (POA&M)
document. The POA&M serves as a way to identify and prioritize corrective actions needed to
mitigate the risks of noncompliant security controls found during the assessment. The progress
milestones.
A security authorization package, made up of the POA&M document, updated security plans
and/or security assessments, if needed, and any other requested documentation is then
submitted to the authorizing official (AO). The AO will then determine risk to the organization, a
preferred course of action to mitigate the determined risk from the list of plans in the POA&M,
(NIST, 2017a).
traditional IT system brethren. However, changes do still occur, more often in the external
threat landscape but occasionally within the system boundaries due to equipment failure,
these inevitable system changes, it is important to have a continuous monitoring system and
information system security posture and its relationship to SRP’s risk management decisions. If
compliance requirement, or some other reason, the MoC process is there to thoroughly
document the change. Both monitoring and the MoC process work together to observe changes
An MoC form has been created for use by the change requestor, reviewer, approver, and
implementer for tracking changes from beginning to end. The form is used to document the
implementation status, verification status, a backout strategy if available, and the location of all
control discovered in the previous security control assessment. A change is deemed necessary
by reviewing existing security plans and the configuration baseline to verify employee and
A change request is submitted to create an automated integration of the protected area access
controls system with the corporate human resources system so ICS access controls are always
in sync with the corporate access controls. Due to the criticality of these ICS controls, two
approvers, both with sufficient knowledge of the affected systems and assets, must accept the
steps are performed, such as gathering system backups and creating a backout strategy if
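The SAR finding above (a transferred contractor keeping physical access to the original facility for more than 24 hours) and the change request to integrate the protected-area access control system with the corporate HR system both reduce to one reconciliation: compare the access control roster against current HR assignments. The Python below is an added illustration, not code from the paper or from SRP. It shows that reconciliation in two forms: the grants an automated sync would remove immediately, and an audit check that flags grants already past the 24-hour window so the finding is caught before the next assessment. The record layouts, identifiers and the 24-hour window are assumptions, and all sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumption: access at a previous facility must be removed within 24 hours of
# a transfer; this is the window the paper's SAR finding refers to.
REVOCATION_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class HRRecord:
    """Current assignment for one person, as exported from HR (hypothetical layout)."""
    person_id: str
    facility: str
    effective: datetime  # when this assignment took effect (the transfer date)


@dataclass(frozen=True)
class AccessGrant:
    """One physical access grant in the access control system (hypothetical layout)."""
    person_id: str
    facility: str
    area: str


def grants_to_revoke(hr: List[HRRecord], grants: List[AccessGrant]) -> List[AccessGrant]:
    """What an automated HR -> access control sync removes: any grant at a facility
    other than the person's current assignment, and any grant for a person who
    no longer has an HR record at all."""
    current: Dict[str, HRRecord] = {r.person_id: r for r in hr}
    return [
        g for g in grants
        if g.person_id not in current or current[g.person_id].facility != g.facility
    ]


def stale_grants(hr: List[HRRecord], grants: List[AccessGrant], now: datetime) -> List[dict]:
    """Audit check: grants that should already be gone, i.e. the revocation window
    has elapsed since the transfer, or no HR record exists for the holder."""
    current = {r.person_id: r for r in hr}
    findings = []
    for g in grants:
        rec = current.get(g.person_id)
        if rec is None:
            findings.append({"person_id": g.person_id, "facility": g.facility,
                             "area": g.area, "reason": "no HR record",
                             "overdue_hours": None})
            continue
        if rec.facility == g.facility:
            continue  # grant matches the current assignment
        elapsed = now - rec.effective
        if elapsed > REVOCATION_WINDOW:
            overdue = round((elapsed - REVOCATION_WINDOW).total_seconds() / 3600, 1)
            findings.append({"person_id": g.person_id, "facility": g.facility,
                             "area": g.area, "reason": "access retained after transfer",
                             "overdue_hours": overdue})
    return findings


# Constructed sample data (not from the paper). C-1001 mirrors the SAR finding:
# transferred three days ago, still holding a grant at the old facility.
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
HR_RECORDS = [
    HRRecord("C-1001", "Plant B", NOW - timedelta(days=3)),     # transferred, overdue
    HRRecord("E-2002", "Plant B", NOW - timedelta(hours=6)),    # transferred, inside window
    HRRecord("E-3003", "Plant A", NOW - timedelta(days=400)),   # unchanged assignment
]
ACCESS_GRANTS = [
    AccessGrant("C-1001", "Plant A", "control room"),
    AccessGrant("C-1001", "Plant B", "control room"),
    AccessGrant("E-2002", "Plant A", "switchyard"),
    AccessGrant("E-3003", "Plant A", "control room"),
    AccessGrant("X-4004", "Plant A", "server room"),            # no HR record
]

if __name__ == "__main__":
    for g in grants_to_revoke(HR_RECORDS, ACCESS_GRANTS):
        print("revoke:", g.person_id, g.facility, g.area)
    for f in stale_grants(HR_RECORDS, ACCESS_GRANTS, NOW):
        print("finding:", f)
```

The two functions deliberately differ: the sync removes every mismatched grant as soon as HR changes, while the audit check only reports those past the window, which is what an assessor compares against the compliance requirement. Running the audit on a schedule against the real exports gives the continuous-monitoring evidence that the remediated control stays effective.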
Implementation commences, all the while keeping track of progress against the milestones set
forth in the POA&M document from the authorization step. After all milestones have been
reached and the system is verified to function as designed, security plans and the configuration
baseline are updated to reflect the change(s). Depending on the complexity of the change and
It is important to note that security control assessments are not only performed immediately
assessments are performed on an annual basis with their results reported to the AO for
information, a disposal process has been created that describes appropriate tasks for
sanitization of assets. Removal of an asset for disposal constitutes a change in the system, so
Conclusion
The RMF created for SRP’s ICS environments ensures we have identified and mitigated risks to
some of our most critical company operations needed to meet organizational goals and
objectives. Strict adherence to the six steps of the security life cycle, including ongoing
continuous monitoring to detect changes to the system or operating environment, will provide
continued power and water delivery to our most important asset, our customers.
References
National Institute of Standards and Technology, Information Technology Laboratory, Computer
Security Division. (2011) Managing Information Security Risk: Organization, Mission, and
Information System View (NIST SP 800-39).
Zenith Technologies. (n.d.) The CIA Triad and Life Science Manufacturing. Retrieved from
https://www.zenithtechnologies.com/zen-blog/the-cia-triad-and-life-science-manufacturing/
National Institute of Standards and Technology. (2017b) Security and Privacy Controls for
Information Systems and Organizations (Draft NIST SP 800-53 Rev 5).
National Institute of Standards and Technology. (2015) Guide to Industrial Control Systems (ICS)
Security (NIST SP 800-82 Rev 2). Retrieved from
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf