Information infrastructures across many public and private domains share several common attributes regarding IT deployments and data communications. This is particularly true in the control systems domain. Many organizations use robust architectures to enhance business and reduce costs by increasing the integration of external, business, and control system networks. Data security is often deployed using specialized technologies and is supported by the creation of a cyber security ??culture?? that is based on policy, guidance, and operational requirements. By using methods of operational security (OPSEC), the security culture empowers management and users to maintain and enhance cyber security by instilling procedures and guidelines into the day-to-day operations.

However, the cyber security strategies required to protect the business domains and the associated security culture that is created to support the security programs may not be easily translated to the control system space. Factors such as operational isolation, legacy networking, and inflexible roles in job activities may not be conducive to creating environments that are rich with cyber security capability, functionality, or interest. As such, guidance is required to help organizations leverage operational security and establish effective, self-sustaining security cultures that will help protect information assets in the control systems architectures.

This document reviews several key operational cyber security elements that are important for control systems and industrial networks and how those elements can drive the creation of a cyber security-sensitive culture. In doing so, it provides guidance and direction for developing operational security strategies including:

  • Creating cyber OPSEC plans for control systems
  • Embedding cyber security into the operations life cycle
  • Creating technical and non-technical security mitigation strategies.