Industrial control systems (ICS) are an integral part of critical infrastructures, helping to facilitate operations in vital industries such as electricity, oil and gas, water, transportation, manufacturing, and chemical manufacturing. The growing issue of cybersecurity and its impact on ICS highlights fundamental risks to the Nation’s critical infrastructure. Efficiently addressing ICS cybersecurity issues requires a clear understanding of the current security challenges and specific defensive countermeasures. A holistic approach—one that uses specific countermeasures implemented in layers to create an aggregated, risk-based security posture—helps to defend against cybersecurity threats and vulnerabilities that could affect these systems. This approach, often referred to as Defense-in-Depth, provides a flexible and useable framework for improving cybersecurity protection when applied to control systems.

This recommended practice document from the National Cybersecurity and Communications Integration Center (NCCIC) provides guidance for developing mitigation strategies for specific cyber threats and direction on how to create a Defense-in-Depth security program for control system environments. The document presents this information in four parts: 1) “Background and Overview” outlines the current state of ICS cybersecurity and provides an overview of what defense in depth means in a control system context; 2) “ICS Defense-in-Depth Strategies” provides strategies for securing control system environments; 3) “Security Attacks” outlines how threat actors could carry out attacks against critical infrastructures and the potential impact to ICSs and networks; and 4)“Recommendations for Securing ICS” provides resources for securing ICSs based on the current state-of-the-art methods and lessons learned from ICS-CERT activities, national and sector-specific standards for ICS security, and tools and services available through ICS-CERT and others that can be used to improve the security posture of ICS environments.

This version modernizes and improves the flagship document issued in 2009, reflecting the evolution of control systems management, security practices, and change management within the ICS community, as well as addressing emerging threats to critical infrastructure. It is a living document that provides an aggregated compendium of the current state of ICS security practices.