I was reviewing the Committee on National Security Systems Instruction 1253, which provides guidance for applying security controls to National Security Systems. I was specifically looking through the document for references to industrial control systems.
National Security Systems are essentially any system used for military or intelligence activities (including weapons systems), that are not used for payroll, finance, logistics, and personnel management applications (See 44 U.S.C. 3542(b)(2)).
CNSSI 1253 was updated in March 2014. The previous version (March 2012) said:
INDUSTRIAL CONTROL SYSTEMS
SECURITY CONTROLS, ENHANCEMENTS, AND SUPPLEMENTAL GUIDANCE
Adoption of National Institute of Standards and Technology Special Publication 800-53, Revision 3, Appendix I, is not mandatory and is solely at the discretion of national security community departments and agencies, at this time, pending further applicability by the national security community.
To me, this meant that there was a “free pass” for NSS ICS. I found that quite concerning.
Potentially worse, however, looking at the updated 1253 (March 2014) instruction, I find no reference whatsoever to industrial control systems. My guess for the reason why is that NIST is now addressing ICS security entirely outside of 800-53 (i.e. 800-53 revision 4, released in April 2013, has no appendix dealing with industrial control systems). The industrial control systems guidance is now found in 800-82. Because 800-82 is not part of the core “transformational documents” (e.g. SP800-30, 37, 39, 53, 53A) coordinated between NIST and CNSS, it appears to have been left out of CNSSI 1253.
This leaves me wondering what guidance is being used for categorization and control selection for industrial control systems that are national security systems.
Maybe the guidance is classified. Maybe it exists at the agency level. Maybe there is some reference to 800-82 that I didn’t find. But, in an age where we have our country’s highest defense officials talking about “cyber 9/11” and “digital pearl harbor”, the inability to easily identify a common baseline for securing military industrial control systems appears deeply concerning.