Rejected ISO/IEC 27002 control for SCADA

The ISO27k standards are written and maintained by a sizable committee of international experts, working through their national standards bodies and following formal processes, with most of the business conducted at just two face-to-face meetings per year.  As such, the committee sometimes struggles to accept changes and reflect emerging information security issues, particularly in the case of ISO/IEC 27002.

Back in 2011, I suggested the text below as a new control for SCADA/ICS in 27002 but was unable to persuade the project team of its merits, perhaps because they were hoping that ISO/IEC TR 27019:2013 would cover it.

---------------------------------

Security requirements for specialist IT systems

Control objective 

To identify and satisfy the particular information security control requirements of specialist IT systems such as industrial control systems.

Implementation guidance

The particular information security risks associated with specialist IT systems such as Industrial Control Systems (ICS), Supervisory Control And Data Acquisition (SCADA), embedded systems, safety-critical systems, building management systems, physical access control systems etc. should be assessed as part of the implementation and maintenance activities, and the appropriate information security controls should be in place. Specialist advice is recommended to assess the information security risks and specify, implement, use and maintain suitable information security controls. Competent information security analysts familiar with the information security risks and controls commonly applied to such systems (including the vendors of commercial systems) should be consulted or involved in the process. Applicable standards should be applied, and all relevant legal and regulatory compliance obligations satisfied.

Other information

Industrial control systems and related specialist systems are commonly managed outside of the IT department. Many are delivered as “turnkey” installations, with limited or no access for maintenance and management by the organization’s employees. For various reasons such as differing risks, priorities and objectives, the information security controls associated with such specialist systems often differ substantially from the general IT infrastructure and ordinary commercial and office IT systems. At the same time, such systems may have to address serious information security risks through unique information security control requirements, for example arising from their rôle in ensuring the health and safety of plant operators.

PS  I also proposed new or changed security controls for:

• The computer suite (mostly physical controls)
• SDLC (software development life cycle)
• BCM (business continuity management) and
• Cloud computing