Industrial Internet Security Framework v 1.0 | Page 133

Security Framework Annex A: Industrial Security Standards

‘Cloud Controls Matrix Version 3.0,’¹ which is an auditable standard that is mapped to a large set of other standards including COBIT, ISO/IEC 27001:2005, NIST SP 800-53, FedRAMP, PCI DSS, HIPAA/HITECH and NERC CIP.² The Cloud Controls Matrix provides fundamental security principles to guide cloud vendors and to assist prospective customers in assessing the overall security risk of a cloud provider. A cloud provider offers transparency into how its security controls are designed and managed by completing an assessment against the Cloud Controls Matrix.

A.9 STANDARD REPOSITORIES

The Smart Grid Interoperability Panel (SGIP) has created a compendium of standards and practices pertaining to the development and deployment of the Smart Grid. A table of the documents contained in the SGIP Catalog of Standards is available on the SGIP website.³

Specific guidance for securing industrial control systems using the TCG standards is included in these documents: ‘TCG Architect’s Guide for ICS Security’, ‘TCG Architect’s Guide for IoT Security’ and ‘TCG Guidance for Securing IoT.’⁴ These documents present approaches to industrial control systems security, addressing communications security, system integrity, firmware updates, and detection and recovery from sophisticated attacks.

SAE standards target safety, quality and effectiveness of products and services across the mobility engineering industry. The more than 10,000 standards in the SAE database now include historical standards and can be accessed at the SAE website.⁵

A.10 SUPPLY CHAIN INTEGRITY RESOURCES

Manufacturers should apply best practices of supply chain risk assessment and risk management. The NIST ‘Supply Chain Risk Management: Practices for Federal Information Systems and Organizations’⁶ provides guidance to US federal agencies on identifying, assessing and mitigating supply chain risks at all levels of their organizations. It also integrates ICT supply chain risk management (SCRM) into federal agency risk management activities by applying a multi-tiered, SCRM-specific approach, including guidance on assessing supply chain risk and applying mitigation activities.

Manufacturers should also follow best practices for supply chain security. One example is ISO ‘Information Security for Supplier Relationships’.⁷ Another is the NEMA ‘Supply Chain Best Practices’.⁸ This document identifies a recommended set of supply chain best practices and

¹ See [CSA-CCM]
² See [ISACA-COBIT], [ISO-27001], [NIST-800-53], [FedRAMP], [PCI-DSS], [HHS-HIPAA], [HHS-HITECH] and [NERC-CIP]
³ See [SGIP-CoS]
⁴ See [TCG-AG-ICS], [TCG-AG-IoT] and [TCG-GS-IoT]
⁵ See [SAE]
⁶ See [NIST-800-161]
⁷ See [ISO-27036-1]
⁸ See [NEMA-CPSP]

IIC:PUB:G4:V1.0:PB:20160926 - 133 -