Trust but Verify Critical Infrastructure Cyber Security Solutions

摘要

Critical infrastructure cyber security solutions for industrial control systems are touted by the sellers as standards-based and comprehensive. Buyer beware, most of these claims are highly exaggerated. Only the International Society for Automation (ISA) is developing standards that are comprehensive in the sense that cyber security requirements control systems are defined as an extension of the security policies for the enterprise. Furthermore, these ISA standards include requirements that account for the dynamics induced by human behavior and the constraints imposed by external interfaces that are not directly controlled by the enterprise owner. This paper describes the seven foundational requirements codified in ISA-99.01-01 and the derived system requirements and metrics. The paper concludes with example security metrics recommended to verify the quality of cyber solutions offered.