TLP:WHITE

Remote Business Peers Documentation


Abstract


Using Operational Security (OPSEC) to Support a Cyber Security Culture in Control Systems Environments (draft)

Information infrastructures across many public and private domains share several common attributes regarding IT deployments and data communications. This is particularly true in the control systems domain. Many organizations use robust architectures to enhance business and reduce costs by increasing the integration of external, business, and control system networks. Data security is often deployed using specialized technologies and is supported by the creation of a cyber security "culture" that is based on policy, guidance, and operational requirements. By using methods of operational security (OPSEC), the security culture empowers management and users to maintain and enhance cyber security by instilling procedures and guidelines into the day-to-day operations.

However, the cyber security strategies required to protect the business domains and the associated security culture that is created to support the security programs may not be easily translated to the control system space. Factors such as operational isolation, legacy networking, and inflexible roles in job activities may not be conducive to creating environments that are rich with cyber security capability, functionality, or interest. As such, guidance is required to help organizations leverage operational security and establish effective, self-sustaining security cultures that will help protect information assets in the control systems architectures.

This document reviews several key operational cyber security elements that are important for control systems and industrial networks and how those elements can drive the creation of a cyber security-sensitive culture. In doing so, it provides guidance and direction for developing operational security strategies including:

  • Creating cyber OPSEC plans for control systems
  • Embedding cyber security into the operations life cycle
  • Creating technical and non-technical security mitigation strategies.
