NIST SP 800–82 Rev 3

Sulaiman Alhasawi
May 11, 2022

This is my comment on and review of the new NIST SP 800–82 draft (R3) and of what I have seen change compared to the revision 2 (R2) document. The first thing I noticed is that they changed their scope from ICS to OT. So they changed the name from “Guide to Industrial Control Systems (ICS) Security” to “Guide to Operational Technology (OT) Security”. The R3 document (318 pages) is obviously larger than the R2 document (247 pages). The new draft is updated as follows:

They also renamed every chapter that had “ICS” in its title to use “OT”. For example, they renamed the chapter “Applying Security Controls to ICS” to “Applying the Cybersecurity Framework to OT”. You can see in this new chapter that they were aligning OT controls with the Cybersecurity Framework.

What also caught my attention was the addition of new OT incidents. The old guide contains 8 events, while the new one contains 18 events. The following events were added:

  • Marconi Wireless Hack
  • Night Dragon
  • Ukrainian Power Grid, BlackEnergy3
  • New York Dam
  • Dragonfly Campaign, Havex
  • Ukrainian Power Grid, Industroyer
  • Maersk, NotPetya
  • Saudi Petrochem, TRITON
  • Norsk Hydro, LockerGoga
  • Honda, EKANS
  • Oldsmar Water Treatment Facility
  • Colonial Pipeline
  • Ransomware Targeting Healthcare

I noticed that they removed 2 incidents that were available before in the old guide: Brute Force Attacks on Internet-Facing Control Systems and Zotob Worm. I’m not sure for what reason.

Other observations on my side were the addition of sector-specific resources, organizations, research and activities, and the introduction of OT technologies such as IIoT, building automation systems, safety systems and physical access control systems. The images throughout the guide were updated with a new design. Happy learning.

References:

  1. Guide to Operational Technology (OT) Security

https://zerontek.com/zt/2022/05/11/nist-sp-800-82-rev-3/
