Date Published: April 23, 2021
Comments Due: May 28, 2021 (public comment period is CLOSED)
Email Questions to: sp800-82rev3@nist.gov

Announcement

Since NIST Special Publication (SP) 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security, was published in 2015, many of the tools, technologies, standards, and recommended practices encompassing control system cybersecurity have changed.

NIST has initiated an update of SP 800-82 to incorporate lessons learned over the past several years, to provide alignment to relevant NIST guidance (e.g., NIST SP 800-37 Rev. 2, NIST SP 800-53 Rev. 5, NIST SP 800-53B, and the Cybersecurity Framework v1.1), to provide alignment to other relevant control system cybersecurity standards and recommended practices, and to address changes in the threat landscape.

NIST seeks input from SP 800-82 stakeholders to ensure that the future update will continue to deliver the guidance necessary to help organizations manage the cybersecurity risks associated with their control systems.

Specifically, NIST requests input on the following:

1. Expansion in scope of SP 800-82 from industrial control systems to control systems in general                                                                               

Over the years, SP 800-82 has been used in areas outside the scope of traditional industrial control systems, from building automation systems to the National Airspace System. The proposed update would expand the scope to control systems in general and would enable SP 800-82 to provide cybersecurity guidance for control systems beyond traditional industrial control systems. What are the benefits and/or impacts of this expansion in scope?

2. Application of new cybersecurity capabilities in control system environments

The proposed update would provide guidance on the use of new technologies and cybersecurity capabilities (e.g., behavioral anomaly detection, digital twins, Internet of Things, artificial intelligence, machine learning, zero trust, cloud, edge computing) in control system environments. What new technologies and cybersecurity capabilities should be highlighted in the updated guidance?

3. Development of guidance specific to small and medium-sized control system owners and operators

Stakeholder feedback has indicated that there is a need for more cybersecurity guidance to enable small and medium-sized control system owners and operators to select and deploy cybersecurity tools and techniques that best fit their needs. What guidance and resources would be most beneficial to this community of interest?

4. Updates to control system threats, vulnerabilities, standards, and recommended practices

The proposed update would revise guidance throughout the document to align with current control system cybersecurity standards and recommended practices. Updates would also be made to the control system threat landscape, vulnerabilities, incidents that have occurred, current activities in control system cybersecurity, and the cybersecurity capabilities, tools, and mitigations sections. How can NIST best both capture theses updates and provide an ongoing reference to other resources?

5. Updates to the control system Overlay

The proposed update would revise the control system Overlay to align with SP 800-53, Rev. 5 and SP 800-53B, and address the change in scope to control systems in general.

6. Removal of material from the current document

The proposed update would consider removing material that is outdated, unneeded, or no longer applicable. Is there material that is no longer useful in the document?

When providing comments, please be specific and include the rationale for any proposed additions or deletions of material.

Submitted comments, including attachments and other supporting materials, will become part of the public record and are subject to public disclosure. Personally identifiable information and confidential business information should not be included (e.g., account numbers, Social Security numbers, names of other individuals). Comments that contain profanity, vulgarity, threats, or other inappropriate language will not be posted or considered.

An Initial Public Draft of the update, which will be published as SP 800-82 Rev. 3, is scheduled for a late 2021/early 2022 release.

Control Families

None selected