NIST 800-82: The Quiet Achiever
Several months ago, the third version of the Guide to Operational Technology (OT) Security, SP 800-82 Rev. 3 was released - a welcome change to the security guidance on OT published by NIST.
Share This Article:
The previous standard released in 2013 was very much seen as the penultimate guidance for OT Security for some time. Although the more structural standards such as IEC 62443 are useful for comprehensive approaches for a point in time or brownfields guidance, NIST 800-82 provided an excellent point of reference.
Over time, the standard has evolved to offer more prescriptive and detailed guidance, facilitating a nuanced understanding of the differences between IT and OT security requirements. This includes specific steps required to implement core controls such as segmentation, protocol restrictions and technical configurations across firewalls.
What has changed with 800-82 v3?
So, is the 800-82 v3 an improvement?
The change in terminology is an important start, replacing the term ‘Industrial Control Systems (ICS)’ with ‘Operational Technology (OT)’ in the title and throughout the document.
This is also the same for ‘ICS Operation and Components’, replaced by ‘OT Operation, Architectures and Components’ and covers the additional systems that have been orphaned for some time:
- Building Automation Systems
- Physical Access Control Systems
- Safety Systems
- Industrial Internet of Things
These new system types are areas that have grown and evolved in terms of threats and recorded cyber incidents over the years since the first standard was released.
Structurally the six foundational sections for Risk Management for OT systems and OT Cybersecurity Program Development have undergone reorganisation, with ‘Security’ from the second version now termed ‘Cybersecurity’.
For the main updates, sections cover Information Security actions including risk management and are aligned with the NIST Cybersecurity Framework which was overlooked in the initial document.
Importantly, recommendations are aligned with the NIST CSF: Identify, Protect, Detect, Respond, and Recover.
The improved layout of the new standards significantly improves readability, catering to individuals without an OT background. This enhancement is pivotal as the industry’s heightened focus on security necessitates a standard that is accessible to a broader audience.
Where to now?
In summary, NIST 800-82 introduces substantial uplifts, providing specific guidance across emerging areas of technology while refining and aligning with other NIST publications.
In terms of standards that bang the drum, 800-82 doesn’t get as much limelight as others such as IEC 62443 but this standard still quietly achieves a robust and well-thought-out structure to uplift OT security.
Looking ahead, for those seeking resources and expertise aligned with these technical standards, Anchoram stands ready to assist. Offering an integrated security approach to Risk and Technical Controls, our staff possess deep knowledge of Operational Technologies and Critical Infrastructure assets, ensuring a comprehensive and effective response to evolving security challenges.
Several months ago, the third version of the Guide to Operational Technology (OT) Security, SP 800-82 Rev. 3 was released - a welcome change to the security guidance on OT published by NIST.
Share This Article:
Categories
Subscribe
Subscribe to our newsletter and get the latest news and information from Anchoram.