Catalog of Control Systems Security: Recommendations for Standards Developers
2.5.6.4 References
NIST SP 800-53r3 SA-6
CAG CC-2
API 1164r2 3.8
NRC RG 5.71 App. B.1.1, App. B.1.16, App. B.1.17, App. B.1.19, App. B.3.14, App. C.11.6

2.5.7 User-Installed Software

2.5.7.1 Requirement
The organization implements policies and procedures to enforce explicit rules and management expectations governing user installation of software.

2.5.7.2 Supplemental Guidance
If provided the necessary privileges, users have the ability to install software. The organization's security program identifies the types of software permitted to be downloaded and installed (e.g., updates and security patches to existing software) and types of software prohibited (e.g., software that is free only for personal, not government or corporate use, and software whose pedigree with regard to being potentially malicious is unknown or suspect).

2.5.7.3 Requirement Enhancements
None

2.5.7.4 References
NIST SP 800-53r3 SA-7
CAG CC-2
API 1164r2 3.8, Annex A
NRC RG 5.71 App. C.3.7, App. C.13.1

2.5.8 Security Engineering Principles

2.5.8.1 Requirement
The organization applies control system security engineering principles in the specification, design, development, and implementation of the system.

2.5.8.2 Supplemental Guidance
The application of security engineering principles is primarily targeted at new development control systems or control systems undergoing major upgrades and is integrated into the system development life cycle. For legacy control systems, the organization applies security engineering principles to system upgrades and modifications, to the extent feasible, given the current state of the hardware, software, and firmware components within the system.

2.5.8.3 Requirement Enhancements
1. The organization adopts software development standards and practices for trustworthy software throughout the development life cycle.
2. Trustworthy software reduces common design and coding errors that affect security, such as:
a. Unsafe buffer and string management
b. Languages that have unsafe buffer operations.
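The coding-error class named in enhancement 2(a), unsafe buffer and string management, as an added example in C that is not part of the catalog: a fixed-size tag field filled with an unchecked strcpy beside a bounded copy that rejects input that does not fit. The 16-byte tag field, the function names and the sample tag strings are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TAG_LEN 16  /* constructed: a fixed-size point-name field */

/* Unsafe pattern: strcpy trusts the source length, so a 'src' longer than
   TAG_LEN-1 characters writes past the end of 'dst' (undefined behaviour). */
static void store_tag_unsafe(char dst[TAG_LEN], const char *src)
{
    strcpy(dst, src);  /* no bound check on either side */
}

/* Hardened form: the destination size travels with the pointer and is
   checked before any write; oversize input is rejected, not truncated.
   Returns 0 on success, -1 if the input cannot be stored safely. */
static int store_tag_safe(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;
    /* Look for the terminator only within dst_len bytes of 'src': if none is
       found, the string (plus its terminator) cannot fit in 'dst'. */
    const char *end = memchr(src, '\0', dst_len);
    if (end == NULL)
        return -1;
    size_t n = (size_t)(end - src);
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Exercise both on constructed inputs; returns 0 when the safe version
   accepts the short tag and rejects the long one. */
static int demo(void)
{
    char tag[TAG_LEN];
    const char *ok  = "PUMP_01";                       /* 7 chars: fits */
    const char *big = "PUMP_01_STATION_NORTH_BACKUP";  /* 28 chars: too long */

    store_tag_unsafe(tag, ok);   /* only safe because 'ok' happens to be short */
    if (store_tag_safe(tag, sizeof tag, big) != -1)
        return 1;                /* oversize input must be rejected */
    if (store_tag_safe(tag, sizeof tag, ok) != 0 || strcmp(tag, ok) != 0)
        return 2;
    return 0;
}

int main(void)
{
    printf("demo: %d\n", demo());  /* 0 means both checks behaved as expected */
    return 0;
}
```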