SI-6: SECURITY FUNCTION VERIFICATION

TAILORED FOR INDUSTRIAL CONTROL SYSTEMS

  • ICS Control Baseline: High

The information system:

    • a. Verifies the correct operation of [Assignment: organization-defined security functions];
    • b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];
    • c. Notifies [Assignment: organization-defined personnel or roles] of failed security verification tests; and
    • d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s)]] when anomalies are discovered.

SUPPLEMENTAL GUIDANCE

Transitional states for information systems include, for example, system startup, restart, shutdown, and abort. Notifications provided by information systems include, for example, electronic alerts to system administrators, messages to local computer consoles, and/or hardware indications such as lights.

ICS Supplemental Guidance:

Shutting down or restarting the ICS may not be feasible at the moment an anomaly is identified, because the controlled process may still be running; such actions should be scheduled according to ICS operational requirements, with an organization-defined alternative action (for example, alerting operators and deferring the restart to a planned outage) selected under d. in the meantime.
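An added illustration of how items a. through d. fit together with the ICS tailoring above. This is example code, not from SP 800-53 or SP 800-82: the three self-tests (an HMAC-SHA-256 known-answer test, a filter-ruleset hash comparison, and an audit-channel write probe), the notify hook and the "process online" policy are assumptions chosen for the example. The constructed ruleset and the simulated tampering are inline so the block runs offline.

```python
"""Added SI-6 illustration (not from SP 800-53 / SP 800-82).

Checks, notification hook and the ICS action policy are assumptions."""
import hashlib
import hmac
import io
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Transition(Enum):
    """SI-6 b: transitional states and other triggers for verification."""
    STARTUP = "startup"
    RESTART = "restart"
    SHUTDOWN = "shutdown"
    ON_COMMAND = "on_command"   # request by a user with appropriate privilege
    SCHEDULED = "scheduled"     # organization-defined frequency


class Action(Enum):
    """SI-6 d: response when an anomaly is discovered."""
    SHUTDOWN = "shutdown"
    RESTART = "restart"
    ALERT_AND_DEFER = "alert_and_defer"   # ICS alternative: keep the process running


@dataclass
class Result:
    name: str
    passed: bool
    detail: str = ""


# ---- security functions under test (SI-6 a) --------------------------------

def hmac_sha256_kat() -> Result:
    """Known-answer test for HMAC-SHA-256 (RFC 4231 test case 2)."""
    expected = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"
    got = hmac.new(b"Jefe", b"what do ya want for nothing?", hashlib.sha256).hexdigest()
    return Result("hmac_sha256_kat", hmac.compare_digest(got, expected), got)


def ruleset_integrity(current: str, baseline_sha256: str) -> Result:
    """Compare a filter ruleset with the hash recorded at commissioning."""
    got = hashlib.sha256(current.encode()).hexdigest()
    return Result("ruleset_integrity", hmac.compare_digest(got, baseline_sha256), got)


def audit_log_writable(sink: io.StringIO) -> Result:
    """Prove the audit channel accepts a record: write it, then read it back."""
    probe = "SI-6 self-test probe\n"
    try:
        sink.write(probe)
    except (OSError, ValueError) as exc:      # ValueError: stream already closed
        return Result("audit_log_writable", False, str(exc))
    return Result("audit_log_writable", sink.getvalue().endswith(probe))


# ---- verifier: runs checks, notifies (SI-6 c), selects action (SI-6 d) ------

class Verifier:
    def __init__(self, notify: Callable[[str], None], process_online: bool) -> None:
        self.checks: List[Callable[[], Result]] = []
        self.notify = notify                  # alert path for SI-6 c
        self.process_online = process_online  # ICS tailoring input for SI-6 d

    def register(self, check: Callable[[], Result]) -> None:
        self.checks.append(check)

    def choose_action(self, when: Transition) -> Action:
        if when in (Transition.STARTUP, Transition.RESTART):
            return Action.SHUTDOWN            # fail closed: never enter service unverified
        if self.process_online:
            return Action.ALERT_AND_DEFER     # ICS guidance: schedule the restart
        return Action.RESTART

    def run(self, when: Transition) -> Tuple[List[Result], Optional[Action]]:
        results = [check() for check in self.checks]
        failed = [r for r in results if not r.passed]
        if not failed:
            return results, None
        for r in failed:
            self.notify(f"SI-6 verification failed at {when.value}: {r.name} {r.detail}".rstrip())
        return results, self.choose_action(when)


def demo(tampered: bool = False, online: bool = True,
         when: Transition = Transition.SCHEDULED) -> Tuple[List[Result], Optional[Action], List[str]]:
    """Wire the checks to constructed inputs and run one verification pass."""
    ruleset = "allow tcp 10.0.0.0/24 -> 10.0.1.5:502\ndeny any\n"   # constructed Modbus filter
    baseline = hashlib.sha256(ruleset.encode()).hexdigest()          # recorded at commissioning
    if tampered:
        ruleset = ruleset.replace("deny any", "allow any")            # simulated unauthorized change
    audit = io.StringIO()
    alerts: List[str] = []
    verifier = Verifier(alerts.append, process_online=online)
    verifier.register(hmac_sha256_kat)
    verifier.register(lambda: ruleset_integrity(ruleset, baseline))
    verifier.register(lambda: audit_log_writable(audit))
    results, action = verifier.run(when)
    return results, action, alerts


if __name__ == "__main__":
    for scenario in ({}, {"tampered": True}, {"tampered": True, "online": False},
                     {"tampered": True, "when": Transition.STARTUP}):
        _, action, alerts = demo(**scenario)
        print(scenario, "->", action, alerts)
```

The same failure yields three different d. outcomes: at startup the system is held down (fail closed), during a scheduled check on a live process the operators are alerted and the restart is deferred, and with the process offline an immediate restart is allowed. That selection logic is where the ICS tailoring lives; the checks themselves are the same in every environment.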

CONTROL ENHANCEMENTS

SI-6 (1) SECURITY FUNCTION VERIFICATION | NOTIFICATION OF FAILED SECURITY TESTS

[Withdrawn: Incorporated into SI-6]. (See above.)

SI-6 (2) SECURITY FUNCTION VERIFICATION | AUTOMATION SUPPORT FOR DISTRIBUTED TESTING

NOT SELECTED FOR THE NIST ICS CONTROL SET

The information system implements automated mechanisms to support the management of distributed security testing.

Supplemental Guidance: NONE

RELATED CONTROLS: SI-4

SI-6 (3) SECURITY FUNCTION VERIFICATION | REPORT VERIFICATION RESULTS

NOT SELECTED FOR THE NIST ICS CONTROL SET

The organization reports the results of security function verification to [Assignment: organization-defined personnel or roles].

Supplemental Guidance:

Organizational personnel with potential interest in security function verification results include, for example, senior information security officers, information system security managers, and information systems security officers.

RELATED CONTROLS: SA-12, SI-4

REFERENCES:

  • NIST Special Publication 800-82 | GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY