FrameworksNIST 800-82 Rev.3
sector specificvRev. 3Published
NIST SP 800-82 Rev. 3 — ICS Security
NIST 800-82 Rev.3
NIST SP 800-82 provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations.
Issuing Body
National Institute of Standards and Technology (NIST)
Version
Rev. 3
Published
2023-09-28
Controls
13
Mapped Laws
—
| Control ID | Title | Domain | Maturity |
|---|---|---|---|
| OT-AC-1 | OT Access Control Policy Establish and document access control policies and procedures for OT/ICS environments. Policies shall address unique OT requirements including safety, reliability, and availability constraints. | — | defined |
| OT-AC-2 | OT Account Management Manage OT system accounts including establishing, activating, modifying, reviewing, disabling, and removing accounts. Shared accounts in OT environments shall be minimized and documented. | — | managed |
| OT-AC-17 | OT Remote Access Establish and document usage restrictions and implementation guidance for remote access to OT systems. Remote access shall use encrypted communications and multi-factor authentication where technically feasible. | — | managed |
| OT-CM-2 | OT Baseline Configuration Develop, document, and maintain baseline configurations for OT systems. Baseline configurations shall be reviewed and updated when significant changes occur. | — | managed |
| OT-CM-7 | OT Least Functionality Configure OT systems to provide only essential capabilities. Prohibit or restrict the use of functions, ports, protocols, and services not required. Disable unnecessary services on OT devices. | — | managed |
| OT-IA-3 | OT Device Identification and Authentication Uniquely identify and authenticate devices before establishing connections to OT systems. Device authentication shall be implemented where technically feasible without impacting safety or reliability. | — | managed |
| OT-IR-4 | OT Incident Handling Implement an incident handling capability for OT/ICS environments that considers safety implications. Incident response procedures shall address OT-specific scenarios including ransomware, supply chain attacks, and insider threats. | — | managed |
| OT-MA-2 | OT Controlled Maintenance Schedule, document, and review records of maintenance on OT system components. Maintenance activities shall be coordinated with operations to minimize impact on safety and availability. | — | managed |
| OT-PE-3 | OT Physical Access Control Enforce physical access controls for OT facilities and control rooms. Physical access to OT systems shall be restricted to authorized personnel with a demonstrated need. | — | managed |
| OT-RA-3 | OT Risk Assessment Conduct risk assessments specific to OT/ICS environments considering safety, reliability, and cybersecurity risks. Risk assessments shall account for the consequences of cyber incidents on physical processes. | — | managed |
| OT-SC-7 | OT Boundary Protection Monitor and control communications at the boundaries between OT networks and enterprise networks. Implement demilitarized zones (DMZ) between OT and IT networks. Unidirectional security gateways (data diodes) shall be considered for high-security OT environments. | — | managed |
| OT-SI-2 | OT Flaw Remediation Identify and remediate security vulnerabilities in OT systems considering operational constraints. Patching timelines shall be risk-based and coordinated with maintenance windows to minimize operational impact. | — | managed |
| OT-SI-3 | OT Malware Protection Implement malware protection for OT systems where technically feasible. Application whitelisting shall be preferred over traditional anti-malware for OT environments due to stability requirements. | — | managed |