Summary

Principles

1. Protect, Detect and Respond

2. Defence in Depth

3. Technical, procedural and managerial protection measures

4. ESTABLISH ONGOING GOVERNANCE

   1. Establish governance and supporting organisation
   2. Develop and implement the security strategy
   3. Monitor the risks and ensure compliance
   4. Maintain and improve security

5. MANAGE THE BUSINESS RISK

   1. Assess business risk
   2. Establish ongoing risk management

6. MANAGE INDUSTRIAL CONTROL SYSTEMS LIFECYCLE

   1. Ensure security requirement included in procurement
   2. Ensure ICS are secure by design
   3. Manage security through ICS construction
   4. Manage operational security
   5. Manage security risks during decommissioning & disposal

7. IMPROVE AWARENESS AND SKILLS

   1. Increase ongoing awareness
   2. Establish training frameworks
   3. Develop working relationship

8. SELECT AND IMPLEMENT SECURITY IMPROVEMENTS

   1. Review risks and assess existing controls
   2. Define target state
   3. Develop a risk reduction plan
   4. Implement security improvements

9. MANAGE VULNERABILITIES

   1. Monitor vulnerabilities and threat activity
   2. Analyse impacts and review response options
   3. Test and implement selected response

10. MANAGE THIRD PARTY RISKS

    1. Identify third parties
    2. Manage risk from vendors
    3. Manage risk from support organisations
    4. Manage risks in the value chain

11. ESTABLISH RESPONSE CAPABILITIES

    1. Form an ICS Security Response Team
    2. Integrate security response with other business response plans
    3. Test and rehearse response capabilities
    4. Monitor and respond to security alerts and incidents

Overview

Governance and Strategy

Key Activities

Supplementary