Anybody come up against NIST SP 800-82 ?

Has anybody come up against this requirement, or set of guidelines should I say?

NIST SP 800-82 Rev2 Guide to Industrial Control Systems (ICS) Security Document

We have a system which is monitoring only but has a few PLCs and remote I/O modules dotted around. They have security scanned the LAN and now we are being asked to do things like filter Modbus clients to authorised IPs, shut down certain services, only use HTTPS etc. Trouble is, the remote I/O modules and other lower-end devices such as power meters have no capabilities to do this sort of thing; the PLC does, but they are applying this "guideline" to the letter for all devices.

Just interested if anybody has any experience of dealing with this.
 
Put a firewall between your Plant network and the office network.

Set up appropriate firewall rules between your plant network and the office network, for example:

No communications from any MAC address except your PC.

If you don't have physically separate networks, get IT to put VLANs in at least.
 
We have an internal policy based on that doc. None of our client-owned sites meet all criteria. I think only a few sites of ours in Aus comply... supposedly.

However, what I did in some places where I could, which is good practice anyway, was to split SCADA and Control devices into two separate networks. Power meters, remote I/O, drives etc. all on the Control Network.

PLCs and HMI on the SCADA network. No interconnection to the Control network (other than a firewall which was set up to allow only the engineering workstation through, and only for required services). Obviously the PLC was dual-homed with one comms card for SCADA and one for the I/O scanner etc., but you couldn't route across them using conventional network tools.

Since I had written up a local policy on how/why this was done, our auditors were happy that we'd taken all practical steps. I even used orange patch leads for the Control Network and blue for SCADA to try to get the idea across.

However, if you have older gear that can't be set up to separate the network like that, then a transparent firewall is a good way to tackle a lot of issues they raise. Moxa does a good one which can filter Modbus etc.

But you still need to be able to split up devices so all control gear sits behind the firewall so that when they run their tests they can't see all the nasty stuff you have no control over.
 
Put a firewall between your Plant network and the office network.

Set up appropriate firewall rules between your plant network and the office network, for example:

No communications from any MAC address except your PC.

If you don't have physically separate networks, get IT to put VLANs in at least.

Yes, good idea, but all the devices are sitting on their integrated LAN, so no firewalls other than theirs!

I have suggested that maybe they need to control access at the LAN level rather than at device level, seeing as they insist on having a MAC address before they will issue an IP; they know what should and shouldn't talk to each other and on what services. Didn't go down well...
 
Yes, good idea, but all the devices are sitting on their integrated LAN, so no firewalls other than theirs!

I have suggested that maybe they need to control access at the LAN level rather than at device level, seeing as they insist on having a MAC address before they will issue an IP; they know what should and shouldn't talk to each other and on what services. Didn't go down well...

Brilliant, just send them a list of which ones you want to communicate with which, using which protocols, and ask them to coordinate with you when they put the firewall rules in place.
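The "list of which devices talk to which, on which protocol" suggested above, and the SCADA/Control split with a firewall that only lets the engineering workstation through, can be expressed as a zone/conduit allow-list and checked against a firewall's connection log. This is an added example, not code from any poster; the zone addresses, the engineering workstation IP and the sample flows are all constructed.

```python
import ipaddress

# Constructed zone addressing: meters/remote I/O on Control, PLCs and HMI on SCADA, tenants' LAN as office.
ZONES = {
    "control": ipaddress.ip_network("10.10.1.0/24"),
    "scada": ipaddress.ip_network("10.10.2.0/24"),
    "office": ipaddress.ip_network("192.168.50.0/24"),
}
ENGINEERING_WS = "192.168.50.20"  # constructed: the one office host let through the firewall
MODBUS_TCP = 502
# Conduits across zone boundaries: (source host or zone, destination zone, TCP port).
# Cross-zone traffic must match a conduit; traffic staying inside one zone is allowed.
CONDUITS = [
    (ENGINEERING_WS, "control", MODBUS_TCP),  # engineering workstation, Modbus only
    ("scada", "control", MODBUS_TCP),  # PLC I/O scanner polling meters / remote I/O
]

def zone_of(ip):
    """Zone name for an address, or None if it sits outside every defined zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def check_flow(src, dst, dport):
    """Return (allowed, reason) for one observed TCP connection."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return False, "address outside every defined zone"
    if src_zone == dst_zone:
        return True, f"intra-zone traffic ({src_zone})"
    for c_src, c_dst, c_port in CONDUITS:
        if c_src in (src, src_zone) and c_dst == dst_zone and c_port == dport:
            return True, f"conduit {c_src}->{c_dst}/{c_port}"
    return False, f"no conduit {src_zone}->{dst_zone}/{dport}"

def audit(flow_log):
    """Parse 'src dst dport' lines (e.g. a firewall connection log) and return the violations."""
    violations = []
    for line in flow_log.strip().splitlines():
        src, dst, dport = line.split()
        allowed, reason = check_flow(src, dst, int(dport))
        if not allowed:
            violations.append((src, dst, int(dport), reason))
    return violations

# Constructed sample: eng WS -> meter, office PC -> meter, PLC -> remote I/O, PLC -> meter web UI, meter -> meter.
SAMPLE_FLOWS = """192.168.50.20 10.10.1.15 502
192.168.50.33 10.10.1.15 502
10.10.2.10 10.10.1.15 502
10.10.2.10 10.10.1.15 80
10.10.1.15 10.10.1.16 502"""
```

Running `audit(SAMPLE_FLOWS)` flags the office PC reaching a meter and the PLC hitting a meter's web port, which is exactly the kind of flow the scanner's "filter Modbus clients / disable services" findings are about, now enforced at the boundary instead of on devices that cannot do it.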
 
Is this a Rogue IT department, or some other group of "Higher ups" with just enough knowledge to be dangerous?

If they so tightly control addressing etc. to the LAN, it sounds like they should be fully responsible for the fact that it has been set up in contradiction to the NIST document. See Section 5.1 (2013 Rev 2 version) discussing network segmentation and segregation.

As Australian says... a VLAN could be an acceptable solution if the network is physically intertwined and hard to split.
 
Brilliant, just send them a list of which ones you want to communicate with which, using which protocols, and ask them to coordinate with you when they put the firewall rules in place.

Yep, they have that, still insisting that we have vulnerabilities that need remediation. This one, for example, is a peach:

"On Linux, you can disable IP forwarding by doing :
echo 0 > /proc/sys/net/ipv4/ip_forward
On Windows, set the key 'IPEnableRouter' to 0 under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
On Mac OS X, you can disable IP forwarding by executing the command :
sysctl -w net.inet.ip.forwarding=0
For other systems, check with your vendor."

Or this one:

"Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response.
This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags."

Erm, yeah thanks for the advice, this is a Schneider power meter.....
 
Is this a Rogue IT department, or some other group of "Higher ups" with just enough knowledge to be dangerous?

If they so tightly control addressing etc. to the LAN, it sounds like they should be fully responsible for the fact that it has been set up in contradiction to the NIST document. See Section 5.1 (2013 Rev 2 version) discussing network segmentation and segregation.

As Australian says... a VLAN could be an acceptable solution if the network is physically intertwined and hard to split.

Security "specialists" employed by the building tenants to secure their integrated LAN; it is VLAN'd off as there is security, access control, BMS etc. on the network.

I agree, the responsibility should be theirs as it's their network; that's the tack we are taking. I will read that section, thanks for the tip.
 