The updated guide will offer insight on reducing risks to industrial control systems.
The updated guide will offer insight on reducing risks to industrial control systems.

The National Institute of Standards and Technology (NIST) is updating its security guide for industrial control systems (ICS)  to include tailored guidance for utilities, automakers, chemical firms and other companies that utilize such systems.

The current draft (PDF), which has already been revised in light of input from around 30 organizations, is under final public review, meaning comments can be submitted before March 10, 2015. On Tuesday, NIST announced that the ICS guide, first released in 2006, has been downloaded more than three million times.

The guide has provided insight on reducing risks to ICS, such as malware, equipment failure, errors and other threats, NIST said. Over time, internet-enabled devices have been integrated with industrial control systems which were once segregated, exposing them to far greater risk of external attacks.

Included in the final draft are updates on ICS vulnerabilities and risk management practices, along with information on security capabilities and tools for industrial control systems. Also added to the guide were methods for aligning guidance with other ICS security standards and guidelines.

“A significant addition to the draft is a new appendix offering tailored guidance on how to adapt and apply security controls and control enhancements detailed in the 2013 comprehensive update of Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53, revision 4) to ICS,” a release from NIST said. “SP 800-53 [PDF] contains a catalog of security controls that can be tailored for specific needs according to an organization's mission, operational environment, and the technologies used."

Steps to publish an updated ICS guide come a year after NIST released its first version of the Cybersecurity Framework (CSF), a voluntary framework established to reduce cyber risks to critical infrastructure as President Obama directed under a February 2013 executive order.

On Wednesday, Intel shared its experience implementing the Framework in a new report (PDF).

Overall, the company said that, since the CSF supports risk management at organizations rather than compliance, it could significantly benefit users. Kent Landfield, the director of standards and technology policy at Intel Security, and Intel's Chief Security and Privacy Officer Malcolm Harkins, said in a Tuesday blog post that the Framework, quite simply “works,” and that Intel plans to implement the CSF at other business units (in the pilot program, CSF was implemented at Intel IT).

“One of the most valuable aspects of this pilot project is the discussions about security processes and terminology it has been generating,” Intel's execs said. “For example, a security policy might be written the same way across the corporation but implemented differently in groups such as manufacturing and human resources. Recognizing these differences is important, and discussing them becomes part of the security culture of an organization.”

Moving forward, Intel offered that the Framework should eventually be adopted on a global scale, and not just by organizations in the U.S.