CONTROL SYSTEM CYBERSECURITY GUIDES AND CHECKLISTS
These Control System Risk Management Framework guides and checklists were developed for the DoD ESTCP 2017 R&D projects, but can be used by any organization with minor tailoring.
Facility-Related Control Systems Information Assurance Guide 12-2016 - this guide expands on the UFC and establishes the requirement for Subject Matter Experts, a Test and Development Environment with a list of free tools, a Design and Construction Sequence Table for new and modernization projects with FAT and SAT submittals, and contract language for RMF ATO package submittals (SSP, ITCP, SAR, POAM, EICP, IRP, SAP).
Control Systems Master List 12-2016 - this Master List breaks down the top-level control system name, sub-system name, preliminary recommended C-I-A impact value, and the information/data types for each CS.
Control Systems FAT and SAT Checklist 12-2016 - this checklist is based on the DHS ICS-CERT Control Systems Procurement guide for Factory Acceptance Testing (FAT) and Site Acceptance Testing (SAT) and is used in conjunction with the IA Guide Design and Construction Sequence Table.
Control Systems Penetration Testing Guide 12-2016 - this checklist is based on the EPRI Smart Grid Penetration Guide and SANS Penetration Testing Scope and Rules of Engagement and is used in conjunction with the IA Guide Design and Construction Sequence Table.
Contact Michael Chipley if you would like the Word and Excel versions of these guides and checklists.