Industrial Internet Security Framework v 1.0 | Page 127

Security Framework Annex A: Industrial Security Standards

‘Security Program Requirements for IACS Service Providers’¹ standardizes security capabilities for integration and maintenance activities, allowing asset owners to select those most appropriate for their sites. In addition, parts 62443-2-4, 62443-3-1 and 62443-3-3² define security levels distinguished by the strength of the attacker, which is valuable for system design. This standard is in the process of accreditation under the IEC System of Conformity Assessment Schemes for Electrotechnical Equipment and Components (IECEE).³ In time, it may be adopted as a security certification for use in securing operators’ supply chains.

The National Institute of Standards and Technology (NIST) has published NIST SP 800-82 Revision 2.⁴ It provides guidance on improving security in Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC). Performance, reliability and safety requirements are also considered. The comprehensive security controls presented in that document map to additional NIST recommendations such as those listed in SP 800-53, ‘Recommended Security Controls for Federal Information Systems and Organizations.’⁵ A framework for considering networks of things is described in NIST SP 800-183.⁶

NISTIR 7628, ‘Guidelines for Smart Grid Cyber Security, Volume 1’,⁷ is a recommendation for addressing security concerns across the electric smart grid. NIST created this document with the Smart Grid Interoperability Panel Cyber Security Committee. It is a three-volume compendium whose sections describe risk assessment and vulnerability analysis and analyze secure information exchange for electric grid systems.

The NERC CIP standards,⁸ published by the North American Electric Reliability Corporation (NERC), aim to improve the security and reliability of the electric industry by defining auditable requirements for critical infrastructure protection (CIP). The security guidance provided by NERC CIP primarily targets the automation systems used in generation and transmission facilities. NERC CIP is applicable to utilities in the US, Canada and parts of Mexico.

IEEE 1686, ‘Standard for Intelligent Electronic Devices Cyber Security Capabilities’,⁹ defines functions and features to be provided in Intelligent Electronic Devices (IEDs). The document addresses access, operation, configuration, firmware revision and data retrieval of an IED.

¹ See [IEC-62443-24]
² See [IEC-62443-24], [IEC-62443-31] and [IEC-62443-33]
³ See [IECEE]
⁴ See [NIST-800-82]
⁵ See [NIST-800-53]
⁶ See [NIST-800-183]
⁷ See [NISTIR-7628]
⁸ See [NERC-CIP]
⁹ See [IEEE-1686]

IIC:PUB:G4:V1.0:PB:20160926 - 127 -