Catalog of Control Systems Security: Recommendations for Standards Developers
NRC RG 5.71 C.3.1.3, C.4.2, App. B.5.4, App. B.5.5, App. C.11.4
2.6.4 Monitoring Configuration Changes
2.6.4.1 Requirement
The organization implements a process to monitor changes to the control system and conducts
security impact analyses to determine the effects of the changes.
2.6.4.2 Supplemental Guidance
Prior to change implementation, and as part of the change approval process, the organization analyzes
changes to the control system for potential security impacts. After the control system is changed, the
organization should check the security features to ensure that the features are still functioning properly.
Security impact analysis may also include an assessment of risk to understand the impact of the changes
and to determine if additional safeguards and countermeasures are required. Security impact analysis is an
important activity in the ongoing monitoring of security controls in the control system. The organization
should audit activities associated with configuration changes to the control system. The organization
considers control system safety and security interdependencies.
2.6.4.3 Requirement Enhancements
None
2.6.4.4 References
NIST SP 800-53r3 CM-4
CAG CC-4
API 1164r2 3.6, Annex A, Annex B.3.1.1.1
NERC CIPS CIP 007-3. B.R1, B.R3
NRC RG 5.71 C.4.3, App. C.3.4, B.5.4, App. C.11.7, App. C.11.8
2.6.5 Access Restrictions for Configuration Change
2.6.5.1 Requirement
The organization:
1. Defines, documents, and approves individual access privileges and enforces physical and logical
access restrictions associated with configuration changes to the control system
2. Generates, retains, and reviews records reflecting all such changes.
2.6.5.2 Supplemental Guidance
Planned or unplanned changes to the hardware, software, and/or firmware components of the control
system can potentially have significant effects on the overall security of the system. Accordingly, only
qualified and authorized individuals are allowed to obtain access to control system components for
purposes of initiating changes, including upgrades and modifications. The organization establishes strict
terms and conditions for installing any hardware or software on control system devices (e.g., modems,
wireless adapters, multi-function printers, games, word processing software).
In addition, maintaining records of access is essential for ensuring that configuration change control is
being implemented as intended and for supporting after-the-fact actions should the organization become
aware of an unauthorized change to the control system. Access restrictions for change also include
software libraries. Examples of access restrictions include physical and logical access controls, workflow
automation, media libraries, abstract layers (e.g., changes are implemented into a third-party interface
rather than directly into the control system component), and change windows (e.g., changes occur only