1. Home
  2. Industrial Control Systems
  3. SC-4

SC-4: INFORMATION IN SHARED RESOURCES

TAILORED FOR INDUSTRIAL CONTROL SYSTEMS

  • ICS Control Baselines:
  • Moderate
  • High

The information system prevents unauthorized and unintended information transfer via shared system resources.

SUPPLEMENTAL GUIDANCE

This control prevents information, including encrypted representations of information, produced by the actions of prior users/roles (or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources have been released back to information systems. The control of information in shared resources is also commonly referred to as object reuse and residual information protection. This control does not address: (i) information remanence which refers to residual representation of data that has been nominally erased or removed; (ii) covert channels (including storage and/or timing channels) where shared resources are manipulated to violate information flow restrictions; or (iii) components within information systems for which there are only single users/roles.

ICS SUPPLEMENTAL GUIDANCE

Example compensating controls include architecting the use of the ICS to prevent sharing system resources.

CONTROL ENHANCEMENTS

SC-4 (1) INFORMATION IN SHARED RESOURCES | SECURITY LEVELS

[Withdrawn: Incorporated into >a href="#control">SC-4].

SC-4 (2) INFORMATION IN SHARED RESOURCES | PERIODS PROCESSING

NOT SELECTED FOR THE NIST ISC CONTROL SET

The information system prevents unauthorized information transfer via shared resources in accordance with [Assignment: organization-defined procedures] when system processing explicitly switches between different information classification levels or security categories.

Supplemental Guidance:

This control enhancement applies when there are explicit changes in information processing levels during information system operations, for example, during multilevel processing and periods processing with information at different classification levels or security categories. Organization-defined procedures may include, for example, approved sanitization processes for electronically stored information.

REFERENCES:

  • NIST Special Publication 800-82 | GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY