Manufacturers Get Security Guidelines

Curtis Franklin Jr., Executive Editor | 7/7/2011 | 5 comments

Here at Enterprise Efficiency, we've had plenty of blog posts, radio shows, and video blogs on the subject of security. It's a critical issue for enterprise IT, but our discussions have tended to stop at the real or virtual walls of the white-collar world. That's understandable but unfortunate, since there are very real security issues that can hit the control systems running our industrial processes.

Last year's Stuxnet attack on certain Siemens equipment (equipment that was, we're to believe by sheer coincidence, used in Iran's nuclear processing facility) shows that these systems are vulnerable. The question has been what's best to do about it. Now a government guideline has been published that may help companies provide an answer. Welcome to NIST's Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82.

The Guide is NIST's response to a requirement in the Federal Information Security Management Act (FISMA) that it develop standards and guidelines for federal information systems other than national security systems. While most enterprises don't fall within the scope of FISMA, the guidelines developed by NIST have frequently been used as starting points and justifications for companies developing their own security programs. Now manufacturing companies have a justification for taking the security of their embedded control systems seriously, along with a list of criteria and a logical framework to take to vendors when discussing security options.

According to the guidelines, there are five major objectives for an overall security plan for an industrial control system (ICS):

  • Restricting logical access to the ICS network and network activity
  • Restricting physical access to the ICS network and devices
  • Protecting individual ICS components from exploitation
  • Maintaining functionality during adverse conditions
  • Restoring systems after an incident.
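The first objective, restricting logical access to the ICS network, is usually implemented as zone-based segmentation: the enterprise network never talks to the control network directly, and only a small, named set of conduits (typically through a DMZ) is allowed at all. The following is an added example, not code from the NIST guide or from this article, showing a first-match, default-deny policy evaluator over such zones together with a lint that flags allow rules breaking the segmentation intent. The zone addressing, the Modbus/TCP collector rule, and every host and flow in it are constructed for illustration.

```python
"""Zone/conduit policy check for an ICS network (added example).

Models an enterprise -> DMZ -> control-network layout with first-match,
default-deny evaluation and a lint for rules that let the enterprise zone
reach the control zone directly or reach it on an unrestricted port.
All addresses, zones and rules are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "allow" or "deny"


# Constructed zone map; real deployments would have several control zones.
ZONES = {
    "enterprise": ip_network("10.0.0.0/16"),
    "dmz": ip_network("10.1.0.0/24"),
    "control": ip_network("192.168.10.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to the first zone that contains it ("unknown" if none)."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


# Constructed policy: a DMZ data collector may poll PLCs over Modbus/TCP
# (502); enterprise users may reach the DMZ over HTTPS only; nothing else.
POLICY = [
    Rule("dmz", "control", "tcp", 502, "allow"),
    Rule("enterprise", "dmz", "tcp", 443, "allow"),
]


def evaluate(policy: List[Rule], src_ip: str, dst_ip: str,
             proto: str, dport: int) -> str:
    """First matching rule wins; a flow that matches nothing is denied."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto in ("any", proto)
                and rule.dport in (None, dport)):
            return rule.action
    return "deny"


def lint_policy(policy: List[Rule]) -> List[str]:
    """Report allow rules that undermine the enterprise/control separation."""
    findings = []
    for idx, rule in enumerate(policy):
        if rule.action != "allow":
            continue
        if rule.src_zone == "enterprise" and rule.dst_zone == "control":
            findings.append(f"rule {idx}: enterprise may reach control directly")
        if rule.dst_zone == "control" and (rule.proto == "any" or rule.dport is None):
            findings.append(f"rule {idx}: over-broad allow into control zone")
    return findings


if __name__ == "__main__":
    # An engineer's desktop (enterprise) trying to reach a PLC directly is denied;
    # the DMZ collector polling the same PLC on 502 is allowed.
    print(evaluate(POLICY, "10.0.5.20", "192.168.10.7", "tcp", 502))
    print(evaluate(POLICY, "10.1.0.10", "192.168.10.7", "tcp", 502))
    print(lint_policy(POLICY))
    # Adding a blanket enterprise->control allow is caught by the lint.
    print(lint_policy(POLICY + [Rule("enterprise", "control", "any", None, "allow")]))
```

The lint is the part worth keeping in a change-review process: the evaluator tells you what a given flow does today, but the lint catches the convenience rule ("let engineering reach the PLCs from their desks") before it reaches the firewall.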

The guidelines address each of these objectives after beginning with an overview of how ICS have evolved to be both more capable and more vulnerable, and the critical ways in which ICS and traditional IT systems differ. According to the guidelines:

To properly address security in an ICS, it is essential for a cross-functional cyber security team to share their varied domain knowledge and experience to evaluate and mitigate risk to the ICS. The cyber security team should consist of a member of the organization's IT staff, control engineer, control system operator, network and system security expert, a member of the management staff, and a member of the physical security department at a minimum.

Serious questions will remain for those implementing security for manufacturing systems -- this is just a guide, after all. One of the bigger-picture questions is the extent to which the security of manufacturing systems will be integrated into the larger enterprise security framework. There will, of course, be limits on how extensively the systems can be integrated, given the differences in operating systems, protocols, and other details -- but there are likely points at which unified reporting through a central security dashboard can make sense. That unified reporting could help dispel one of the more pernicious myths of control systems -- that security isn't an issue because the underlying operating system is inherently secure.

Let's be clear about this: If a system is open to communication from any system outside itself, it is not inherently secure. Some may be more easily compromised than others; some may be more commonly attacked than others. But give an expert a network path into a system and that system can ultimately be successfully attacked. The fact that most manufacturing systems haven't yet been compromised says more about how attractive a target the company that uses them has been than about the systems themselves, and that attractiveness can change in an instant. In preparation for that change, it pays to plan on securing the embedded systems now.

The new NIST guidelines are an important step toward manufacturing system security. Depending on your industry, you might also want to look at NIST's Guidelines for Smart Grid Cyber Security, though if you really need to read that document, you're already aware of the fact. The greatest takeaway, though, is that it's time (past time, really) to start taking manufacturing systems security seriously. Read the NIST documents and open up discussions with your system vendor. The bad guys are out there, and the opportunities for them to get up to mischief are right there in your shop.

Anand   Manufacturers Get Security Guidelines   7/9/2011 5:00:56 AM
Re : Manufacturers Get Security Guidelines

The bad guys are out there, and the opportunities for them to get up to mischief are right there in your shop.

@Curtis, I totally agree with you, bad guys are waiting to spread havoc. We all know how LulzSec caused "widespread mayhem" during the last three months. It's better to be prepared for such kinds of attacks, and I believe the Guide to Industrial Control Systems (ICS) Security is a step in the right direction.


CurtisFranklin   Manufacturers Get Security Guidelines   7/8/2011 1:37:43 PM
Re: here's hopin'
@Gigi, the security equipment guidelines are generally addressed by FISMA. Once again, though, the only organizations that must pay attention are departments of the federal government. That doesn't mean that they aren't good ideas for a lot of companies...
CurtisFranklin   Manufacturers Get Security Guidelines   7/8/2011 1:35:51 PM
Re: here's hopin'
@Sara, you have a point: The only organizations that must pay attention to these guidelines are federal agencies that aren't part of the defense department. I think that NIST has done a good job, though, so I hope that more groups will take the recommendations to heart.

Much of the attitude about the safety of control systems comes from mistaking lack of hacker interest for inherent security. It's a variety of the attitude that leads people to say, "I don't have to worry about malware because I use a Mac/Linux/Android/Chrome." If the target has enough value, people will try to get it, and the likelihood is they'll succeed. That's when good security and planning come into play.
Gigi   Manufacturers Get Security Guidelines   7/8/2011 3:05:52 AM
Re: here's hopin'
Curtis, actually there should be some guideline for security equipment also. Many companies are in the market with security equipment having different functionality and features. But I am really doubting whether they are meeting the real security aspects in full, because nowhere is it defined what the guidelines or minimum specification to meet are. Equipment manufacturers are defining their own specifications based on usage and application, and moreover it may vary from manufacturer to manufacturer, even for the same application.

So I think this can help for standardization and maintaining uniformity among companies.

Sara Peters   Manufacturers Get Security Guidelines   7/7/2011 5:50:37 PM
here's hopin'
I'm delighted to hear that NIST has released these guidelines, but I fear that they'll be overlooked by some of the people who need them most. For reasons I STILL don't understand, a lot of security professionals see control systems security as a non-issue. I'm sure that attitude has shifted some over the course of this eventful year... but has it shifted enough?

