NIST released the first draft of Special Publication 800-82r3 (Revision 3) in April 2021, followed by a second draft in 2022. The third revision of the OT security guide has now been finalized.
The document provides guidance on improving the security of OT systems while addressing their unique safety, reliability and performance requirements.
It provides an overview of OT and typical system topologies, identifies typical threats to organizational mission and business functions supported by OT, describes typical vulnerabilities in OT, and provides recommended security safeguards and countermeasures to manage the associated risks.
The guidance focuses on OT cybersecurity program development, risk management, cybersecurity architecture, and applying the NIST Cybersecurity Framework to OT.
The latest revision’s updates include expansion in scope from industrial control systems to OT in general, as well as updates to OT threats, vulnerabilities, risk management, recommended practices, current security activities, and tools and capabilities.
The document also aligns with other OT security guides and standards, and provides tailored security control baselines for low-, moderate- and high-impact OT systems.
This is a new dynamic for OT, which has been shielded by self-contained, air-gapped networks that largely protected the logic executing on field devices. The possibility of remote tampering with this type of programming may impact physical safety or interrupt the delivery of critical services.
SP 800-82 Revision 3 is available as a free PDF download from NIST’s website.
The NIST framework is considered the standard for risk management across industries and can be used to manage risk across sectors and technologies, including information technology, industrial control systems, cyber-physical systems, and the Extended Internet of Things. It is, however, not a one-size-fits-all approach to managing cybersecurity risk, because each space has unique threats, vulnerabilities, and risk tolerances.