The IT Law Wiki


National Institute of Standards and Technology, (DRAFT) Guide to Industrial Control Systems (ICS) Security (NIST Special Publication 800-82, Rev. 2) (Feb. 9, 2015) (full-text).


The most successful method for securing an ICS is to gather industry recommended practices and engage in a proactive, collaborative effort between management, the controls engineer and operator, the IT organization, and a trusted automation advisor.[1]

This document provides guidance for establishing secure industrial control systems (ICS). These ICS, which include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as programmable logic controllers (PLC), are often found in the industrial control sectors. ICS are typically used in industries such as electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods).

These control systems are vital to the operation of the U.S. critical infrastructures that are often highly interconnected and mutually dependent systems. Approximately 90% of the U.S. critical infrastructures are privately owned and operated. Federal agencies also operate many of the ICS mentioned above; other examples include air traffic control and materials handling (e.g., U.S. Postal Service mail handling).

This document provides an overview of these ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.

Possible incidents an ICS may face include the following:


  1. Id. at 5.