National Security Systems and ICS

I was reviewing the Committee on National Security Systems Instruction 1253, which provides guidance for applying security controls to National Security Systems. I was specifically looking through the document for references to industrial control systems.


National Security Systems are essentially any systems used for military or intelligence activities (including weapons systems) that are not used for payroll, finance, logistics, and personnel management applications (see 44 U.S.C. 3542(b)(2)).

CNSSI 1253 was updated in March 2014. The previous version (March 2012) said:



Adoption of National Institute of Standards and Technology Special Publication 800-53, Revision 3, Appendix I, is not mandatory and is solely at the discretion of national security community departments and agencies, at this time, pending further applicability by the national security community.

To me, this meant that there was a “free pass” for NSS ICS. I found that quite concerning.

Potentially worse, however, looking at the updated 1253 (March 2014) instruction, I find no reference whatsoever to industrial control systems. My guess for the reason why is that NIST is now addressing ICS security entirely outside of 800-53 (i.e. 800-53 revision 4, released in April 2013, has no appendix dealing with industrial control systems). The industrial control systems guidance is now found in 800-82. Because 800-82 is not part of the core “transformational documents” (e.g. SP800-30, 37, 39, 53, 53A) coordinated between NIST and CNSS, it appears to have been left out of CNSSI 1253.

This leaves me wondering what guidance is being used for categorization and control selection for industrial control systems that are national security systems.

Maybe the guidance is classified. Maybe it exists at the agency level. Maybe there is some reference to 800-82 that I didn’t find. But, in an age where we have our country’s highest defense officials talking about “cyber 9/11” and “digital Pearl Harbor”, the inability to easily identify a common baseline for securing military industrial control systems appears deeply concerning.

Zetter and Stuxnet: Why ICS integrators and asset owners should care

It is exciting to see Kim Zetter tell a compelling story of Stuxnet for the masses: Countdown to Zero Day.

I had the opportunity to speak with her at the RSA conference this past spring. I had just presented some interesting (free and open source!) research on Stuxnet. You can read about my RSA presentation here. While I have yet to read Zetter’s book, she has definitely gone beyond my work in many ways.

[Figure: Sanctions announcement from U.S. Embassy in Iran]

To correspond with her book’s release, I’m posting some interesting, but lesser known points on Stuxnet:

  • A 2004 strategy paper from a senior fellow at The Washington Institute proposed the following U.S. strategy for countering Iran’s nuclear ambitions (his other suggestions are also shockingly accurate):

introduction of destructive viruses into Iranian computer systems controlling the production of components or the operation of facilities;


  • Symantec said there were five target companies. Zetter names four (NEDA, Behpajooh, Foolad Technic, Control Gostar Jahed). Symantec must have known their names, but has never divulged them publicly.
  • The U.S. government had been tracking one particular Iranian ICS integrator, NEDA, for literally years as NEDA allegedly obtained embargoed goods through a global procurement network.
  • NEDA was public about its Stuxnet infection problem.
  • The State Department sanctioned NEDA for its involvement at Natanz after Stuxnet was “over” (sanctions announced in Dec. 2012) — which to me essentially confirmed that NEDA could have been the vector for perhaps both understanding Natanz ICS, and delivering Stuxnet — and its cousin code — to their objectives.

Conclusion: Based on these revelations of how Stuxnet “got in”, if I were a control systems integrator (especially one that supported military installations or capabilities) operating in the West, I would be very concerned about my own internal systems, and the control systems I was building for my customers.