1. Risk analysis
1.1. Business rationale
1.1.1. Develop a business rationale
1.2. Risk identification, classification and assessment
1.2.1. Select a risk assessment methodology
1.2.2. Provide risk assessment background information
1.2.3. Identify the industrial automation and control systems
1.2.4. Conduct a high-level risk assessment
1.2.5. Develop simple network diagrams
1.2.6. Prioritize systems
1.2.7. Perform a detailed vulnerability assessment
1.2.8. Identify a detailed risk assessment methodology
1.2.9. Conduct a detailed risk assessment
1.2.10. Identify the reassessment frequency and triggering criteria
1.2.11. Integrate physical, HSE and cyber security risk assessment results
1.2.12. Conduct risk assessments throughout the lifecycle of the IACS
1.2.13. Document the risk assessment
1.2.14. Maintain vulnerability assessment records
2. Addressing Risk with the CSMS
2.1. Security policy, organization and awareness
2.1.1. CSMS scope
2.1.1.1. Define the scope of the CSMS
2.1.1.2. Define the scope content
2.1.2. Organize for security
2.1.2.1. Obtain senior management support
2.1.2.2. Establish the security organization(s)
2.1.2.3. Define the organizational responsibilities
2.1.2.4. Define the stakeholder team makeup
2.1.3. Staff training and security awareness
2.1.3.1. Develop a training program
2.1.3.2. Provide procedure and facility training
2.1.3.3. Provide training for support personnel
2.1.3.4. Validate the training program
2.1.3.5. Revise the training program over time
2.1.3.6. Maintain employee training records
2.1.4. Business continuity plan
2.1.4.1. Specify recovery objectives
2.1.4.2. Determine the impact and consequences to each system
2.1.4.3. Develop and implement business continuity plans
2.1.4.4. Form a business continuity team
2.1.4.5. Define and communicate specific roles and responsibilities
2.1.4.6. Create backup procedures that support the business continuity plan
2.1.4.7. Test and update the business continuity plan
2.1.5. Security policies and procedures
2.1.5.1. Develop security policies
2.1.5.2. Develop security procedures
2.1.5.3. Maintain consistency between risk management systems
2.1.5.4. Define cyber security policy and procedure compliance requirements
2.1.5.5. Determine the organization’s tolerance for risk
2.1.5.6. Communicate the policies and procedures to the organization
2.1.5.7. Review and update the cyber security policies and procedures
2.1.5.8. Demonstrate senior leadership support for cyber security
2.2. Selected security countermeasures
2.2.1. Personnel security
2.2.1.1. Establish a personnel security policy
2.2.1.2. Screen personnel initially
2.2.1.3. Screen personnel on an ongoing basis
2.2.1.4. Address security responsibilities
2.2.1.5. Document and communicate security expectations and responsibilities
2.2.1.6. State cyber security terms and conditions of employment clearly
2.2.1.7. Segregate duties to maintain appropriate checks and balances
2.2.2. Physical and environmental security
2.2.2.1. Establish complementary physical and cyber security policies
2.2.2.2. Establish physical security perimeter(s)
2.2.2.3. Provide entry controls
2.2.2.4. Protect assets against environmental damage
2.2.2.5. Require employees to follow security procedures
2.2.2.6. Protect connections
2.2.2.7. Maintain equipment assets
2.2.2.8. Establish procedures for monitoring and alarming
2.2.2.9. Establish procedures for the addition, removal, and disposal of assets
2.2.2.10. Establish procedures for the interim protection of critical assets
2.2.3. Network segmentation
2.2.3.1. Develop the network segmentation architecture
2.2.3.2. Employ isolation or segmentation on high-risk IACS
2.2.3.3. Block non-essential communications with barrier devices
2.2.4. Access control: Account administration
2.2.4.1. Access accounts implement authorization security policy
2.2.4.2. Identify individuals
2.2.4.3. Authorize account access
2.2.4.4. Record access accounts
2.2.4.5. Suspend or remove unneeded accounts
2.2.4.6. Review account permissions
2.2.4.7. Change default passwords
2.2.4.8. Audit account administration
2.2.5. Access control: Authentication
2.2.5.1. Develop an authentication strategy
2.2.5.2. Authenticate all users before system use
2.2.5.3. Require strong authentication methods for system administration and application configuration
2.2.5.4. Log and review all access attempts to critical systems
2.2.5.5. Authenticate all remote users at the appropriate level
2.2.5.6. Develop a policy for remote login and connections
2.2.5.7. Disable access account after failed remote login attempts
2.2.5.8. Require re-authentication after remote system inactivity
2.2.5.9. Employ authentication for task-to-task communication
2.2.6. Access control: Authorization
2.2.6.1. Define an authorization security policy
2.2.6.2. Establish appropriate logical and physical permission methods to access IACS devices
2.2.6.3. Control access to information or systems via role-based access accounts
2.2.6.4. Employ multiple authorization methods for critical IACS
2.3. Implementation
2.3.1. Risk management and implementation
2.3.1.1. Manage IACS risk on an ongoing basis
2.3.1.2. Employ a common set of countermeasures
2.3.2. System development and maintenance
2.3.2.1. Define and test security functions and capabilities
2.3.2.2. Develop and implement a change management system
2.3.2.3. Assess all the risks of changing the IACS
2.3.2.4. Require security policies for system development or maintenance changes
2.3.2.5. Integrate cyber security and process safety management (PSM) change management procedures
2.3.2.6. Review and maintain policies and procedures
2.3.2.7. Establish and document a patch management procedure
2.3.2.8. Establish and document an antivirus/malware management procedure
2.3.2.9. Establish a backup and restoration procedure
2.3.3. Information and document management
2.3.3.1. Develop lifecycle management processes for IACS information
2.3.3.2. Define information classification levels
2.3.3.3. Classify all CSMS information assets
2.3.3.4. Ensure appropriate records control
2.3.3.5. Ensure long-term records retrieval
2.3.3.6. Maintain information classifications
2.3.3.7. Audit the information and document management process
2.3.4. Incident planning and response
2.3.4.1. Implement an incident response plan
2.3.4.2. Communicate the incident response plan
2.3.4.3. Establish a reporting procedure for unusual activities and events
2.3.4.4. Educate employees on reporting cyber security incidents
2.3.4.5. Report cyber security incidents in a timely manner
2.3.4.6. Identify and respond to incidents
2.3.4.7. Identify failed and successful cyber security breaches
2.3.4.8. Document the details of incidents
2.3.4.9. Communicate the incident details
2.3.4.10. Address and correct issues discovered
2.3.4.11. Conduct drills
3. Monitoring and Improving the CSMS
3.1. Conformance
3.1.1. Specify the methodology of the audit process
3.1.2. Conduct periodic IACS audits
3.1.3. Establish conformance metrics
3.1.4. Establish a document audit trail
3.1.5. Define punitive measures for nonconformance
3.1.6. Ensure auditors’ competence
3.2. Review, improve and maintain the CSMS
3.2.1. Assign an organization to manage and implement changes to the CSMS
3.2.2. Evaluate the CSMS periodically
3.2.3. Establish triggers to evaluate the CSMS
3.2.4. Identify and implement corrective and preventive actions
3.2.5. Review risk tolerance
3.2.6. Monitor and evaluate industry CSMS strategies
3.2.7. Monitor and evaluate applicable legislation relevant to cyber security
3.2.8. Request and report employee feedback on security suggestions