CPNI - GPG - Guide 2 - Implement Secure Architecture

More documents

Recommendations

Info

Good Practice Guide – Process Control and SCADA Security • Communications and awareness – throughout the implementation process it is important to provide appropriate communications. This ensures that all appropriate stakeholders are aware of the latest status and developments in the implementation project. The job of process control security is not finished when all the risk reduction measures have been implemented to form the complete security architecture. This is only a milestone in the control system’s security lifecycle. There is an ongoing task to ensure that the control systems remain appropriately secured into the future. This involves: • Keeping policy, standards and processes up to date with current threats • Ongoing assurance that the control systems are in compliance with the security policy and standards • Ensuring all engineers, users and administrators are security aware and implement the processes and procedures in a secure manner • Ensuring there is appropriate response capability to react to changes in security threats • Ensuring that third party risk is managed. Regular audits should be undertaken to ensure that the risk is being actively managed and that the process and procedures that have been put in place are being followed. Further guidance on managing risk can be found within the ‘Understand the business risk’ element of this framework. These tasks are detailed in the remainder of this good practice guidance framework. Page 14
Guide 2. Implement Secure Architecture APPENDIX A: DOCUMENT AND WEBSITE REFERENCES USED IN THIS GUIDE Section 3.4.2 Guide to Industrial Control (ICS) Systems http://csrc.nist.gov/publications/PubsDrafts.html Section 3.4.5 Best Practice Guide on Firewall Deployment for SCADA and Process Control Networks, www.cpni.gov.uk/Docs/re-20050223-00157.pdf Good Practice Guide Outsourcing: Security Governance Framework for IT Managed Service Provision, www.cpni.gov.uk/Docs/re-20060802-00524.pdf Good Practice Guide Patch Management, www.cpni.gov.uk/Docs/re-20061024-00719.pdf Best Practice Guide Commercially Available Penetration Testing, www.cpni.gov.uk/Docs/re-20060508-00338.pdf A Good Practice Guide on Pre-Employment Screening, www.cpni.gov.uk/Products/bestpractice/3351.aspx CPNI Personnel Security measures, www.cpni.gov.uk/ProtectingYourAssets/personnelSecurity.aspx Recommended Practices Guide for Securing ZigBee Wireless Networks in Process Control System Environments, www.us-cert.gov/control_systems/pdf/Zigbee%20Rec%20Pract%20-%20draft-posted%207-10- 07.pdf Securing WLANs using 802,11i – http://csrp.inl.gov/ Using Operational Security (OPSEC) to support a Cyber Security Culture in Control Systems Environments http://csrp.inl.gov/Documents/OpSec%20Rec%20Practice.pdf Cyber Security Procurement Language for Control Systems www.msisac.org/scada/documents/12July07_SCADA_procurement.pdf NERC Critical Infrastructure Protection (CIP) www.nerc.com/~filez/standards/Cyber-Security-Permanent.html DHS Catalog of Control System Security Requirements www.us-cert.gov/control_systems/pdf/Catalog_of_Control_Systems_Security_Recommendations.pdf Page 15
Page 1 and 2: GOOD PRACTICE GUIDE PROCESS CONTROL
Page 3 and 4: Guide 2. Implement Secure Architect
Page 15: Guide 2. Implement Secure Architect

CPNI - GPG - Guide 2 - Implement Secure Architecture

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?