Once you have a good understanding of the control system security risks facing your business you can then begin to document policies and procedures so that employees, suppliers and contractors understand your company’s position on Industrial Control System( ICS) security. Many companies have existing IT security policies and standards. These documents can provide a good foundation for industrial control system-specific documents. However, IT security policies are often not applicable or optimized for the plant floor.
For this reason, we highly recommend organizations develop ICS-specific documents describing company policy, standards and procedures around control system security. These documents can, and should, refer back to the corporate IT security documents. In our experience we have found that separate ICS security documents are very beneficial in aiding those that are responsible for ICS security. It helps them to clearly understand the expectations and responsibilities they have, and how they differ from those of the people responsible for the general office environment.
You should also become familiar with applicable security regulations and standards for your industry. These provide a solid basis for development of company specific policies, standards and procedures. A good place to start is the ANSI/ISA-99 series of standards, which address the subject of cyber security for industrial automation and control systems. The standards describe the basic concepts and models related to cyber security, as well as the elements contained in a cyber security management system for use in the industrial automation and control systems environment. They also provide guidance on how to meet the
requirements described for each element.
The ANSI/ISA-99 standards provide the base documents for the ISO/IEC standards in industrial control security, known as IEC-62443. Over the next few years, these standards are expected to become the core standards for industrial control security worldwide.
Depending on the industry you’re in, you should also become familiar with industry-specific guidance which is available from organizations such as the American Petroleum Institute (API), the American Chemistry Council (ACC), and the North American Electric Reliability Corporation (NERC). You should also familiarize yourself with relevant regulatory requirements that may apply to your industry such as the Chemical Facility Anti-terrorism Standards (CFATS) from the U.S. Department of Homeland Security.
While every organization will prepare policy documents differently, there are basic principles and core content that should always be included. This includes a clear definition of scope, and identification of the portions of the organization and the types of systems covered by the policy. There should be a clear indication of senior management support for the policy. Finally, it should be clear to the reader:
Some specific topics that need to be addressed in an ICS security policy are: