Catalog of Control Systems Security: Recommendations for Standards Developers

EXECUTIVE SUMMARY
This catalog presents a compilation of practices that various industry bodies
have recommended to increase the security of control systems from both physical
and cyber attacks. The recommendations in this catalog are grouped into 19
families, or categories, that have similar emphasis. The recommendations within
each family are displayed with a summary statement of the recommendation,
supplemental guidance or clarification, and a requirement enhancements
statement providing augmentation for the recommendation under special
situations.
This catalog is not limited for use by a specific industry sector. All sectors
can use it to develop a framework needed to produce a sound cybersecurity
program. The number of new and updated published Cyber Security Standards
and guidelines has increased significantly this past year. An attempt has been
made to reference and include the best practices introduced by these new and
updated documents to interested users for consideration as input into individual
industrial cybersecurity plans under development and review. This catalog should
be viewed as a collection of guidelines and recommendations to be considered
and judiciously employed, as appropriate, when reviewing and developing
cybersecurity standards for control systems. The recommendations in this catalog
are intended to be broad enough to provide any industry using control systems
the flexibility needed to develop sound cybersecurity standards specific to their
individual security needs. These recommendations are subservient to existing
legal rules and regulations pertaining to specific industry sectors, and the user is
urged to consult and follow those applicable regulations.
v