Protected environment assumptions
-
Cybersecurity governance – available and up-to-date guidance on governing the use of information and technology assets in your company.
-
Perimeter security – installed devices, and devices that are not in service, are in an access-controlled or monitored location.
-
Emergency power – the control system provides the capability to switch to and from an emergency power supply without affecting the existing security state or a documented degraded mode.
-
Firmware upgrades – meter upgrades are implemented consistently to the current version of firmware.
-
Controls against malware – detection, prevention and recovery controls to help protect against malware are implemented and combined with appropriate user awareness.
-
Physical network segmentation – the control system provides the capability to:
-
Physically segment control system networks from non-control system networks.
-
Physically segment critical control system networks from non-critical control system networks.
-
-
Logical isolation of critical networks – the control system provides the capability to logically and physically isolate critical control system networks from non-critical control system networks. For example, using VLANs.
-
Independence from non-control system networks – the control system provides network services to control system networks, critical or non-critical, without a connection to non-control system networks.
-
Encrypt protocol transmissions over all external connections using an encrypted tunnel, TLS wrapper or a similar solution.
-
Zone boundary protection – the control system provides the capability to:
-
Manage connections through managed interfaces consisting of appropriate boundary protection devices, such as: proxies, gateways, routers, firewalls and encrypted tunnels.
-
Use an effective architecture, for example, firewalls protecting application gateways residing in a DMZ.
-
Control system boundary protections at any designated alternate processing sites should provide the same levels of protection as that of the primary site, for example, data centers.
-
-
No public internet connectivity – access from the control system to the internet is not recommended. If a remote site connection is needed, for example, encrypt protocol transmissions.
-
Resource availability and redundancy – ability to break the connections between different network segments or use duplicate devices in response to an incident.
-
Manage communication loads – the control system provides the capability to manage communication loads to mitigate the effects of information flooding types of DoS (Denial of Service) events.
-
Control system backup – available and up-to-date backups for recovery from a control system failure.