Industrial Control Systems (ICS) Inventory Methodology - United States Army

Industrial Control Systems (ICS) Inventory Methodology

Contents

Executive Summary
Why is an ICS inventory necessary
Who should perform this inventory activity
When is an inventory necessary
ICS Component types that will be inventoried
Inventory Results – Storage and Protection
ICS Component Inventory Methodology Levels
Conducting an ICS Inventory
Logical Inventory
Physical inventory
Tools required to conduct an ICS inventory activity
Appendix 1 - HQDA EXECUTE ORDER 002-13
Appendix 2 - ICS Components Subject to Inventory

Executive Summary

The development and implementation of this Industrial Control Systems (ICS) Inventory Methodology is in support of the Headquarters, Department of the Army (HQDA) Execute Order (EXORD) 002-13; Army-Wide Inventory of Industrial Control Systems and Supervisory Control and Data Acquisition Systems and the implementation of the Cybersecurity Risk Management Framework. Traditionally, “Industrial Control Systems” are fixed installation networked control systems comprised of robust hardware and components to ensure a high level of reliability and redundancy. Within the Department of Defense, ICS is used to refer to a broader range of automated control systems, including those that traditionally have not been considered "industrial" such as building automation, electronic security systems, and metering systems. The DoD definition of ICS includes "real property control systems" and "industrial process (manufacturing)" control systems but excludes weapon systems. The standardized inventory method shall be applicable to a wide range of unrelated ICS including, but not limited to: security; fire; heating, ventilation and air conditioning; medical technologies; and manufacturing.

The purpose of this document is to provide amplifying guidance that helps to define the following statements when performing an ICS inventory:

- Reasoning behind conducting an ICS inventory
- Identify the appropriate personnel to perform the inventory
- Identify when the inventory is necessary
- Identify the components to be included in the inventory
- Identify the sources of information that can be used to conduct the inventory
- Identify tools that may be used to assist the inventory
- Identify the steps required to perform the inventory
- Discuss the constraints and barriers of conducting the inventory
- Maintaining current and accurate inventory information

There are several reasons why an ICS inventory needs to be conducted. At the most basic level, it allows commanders to identify what Army-owned or operated ICS are used to conduct business and execute missions. This information can be used to ensure that systems are not susceptible to specific vulnerabilities which can be used to weaken the ICS mission. It also allows the ICS owner to define the criticality of the ICS as it relates to their specific mission or business processes allowing them to ensure that the ICS is capable of reliably meeting current and future requirements. In short, the information derived can be used to satisfy many different types of data calls.

In order to accurately perform an inventory, personnel must have a basic understanding of what an ICS is. While the inventory personnel may not be cognizant of the specific mission of a particular ICS, they can work with local Subject Matter Experts (SMEs) to identify the components that need to be included in the inventory. This allows for a streamlined and cost effective asset count.

There are two parts to determining the necessity of conducting an ICS inventory. First, a baseline inventory of all relevant components must be conducted using the guidance contained within this document. Once the baseline inventory is conducted, it will need to be maintained as part of the overall sustainment function of the ICS lifecycle. This includes making the appropriate updates when inventoried hardware or software components are modified.

Identification of the components to be included in the inventory is essential to the overall value of the inventory itself. In order to meet the cyber vulnerability assessments, all Ethernet or Ethernet capable devices that comprise an ICS must be part of the ICS inventory. Then, using the tiered ICS architecture as well as the amplifying information contained in this document, the remaining types of components and their rationale for inclusion into the inventory will be shown.

In addition to physically conducting a hardware and software inventory, other sources of information should also be utilized. ICS design documentation, purchase orders, system manuals, control system databases, and drawings should be consulted to aid in the identification and location of ICS components. These artifacts also serve as the basis of which to begin the inventory itself. Utilizing existing documentation will help streamline the inventory process and also help to ensure that all components of the ICS are understood.

To conduct a successful inventory, there are multiple steps involved. Coordinating with the site points of contact and ICS SMEs is paramount to component identification and location. Next, a logical inventory of the Ethernet based devices is performed to create a logical device map of components and ascertain system interfaces. A review of existing documentation and inventories is then performed and finally a physical inventory of the components will be performed.

There are multiple potential roadblocks when conducting an ICS inventory. Most ICS are comprised of hundreds, if not thousands of components that may be part of the inventory. Many of these components are installed where physical access is not easily gained. This roadblock alone is a significant burden to the personnel conducting the inventory and their assigned support personnel. Other barriers to conducting a complete inventory are the scheduling and possible interruption of business processes (especially manufacturing or fabrication) systems resulting in an impact to mission support.

Why is an ICS inventory necessary

The term Industrial Control System has become such a generalized term, it is important to understand what exactly comprises an ICS. To determine what has been fielded at a facility, an accurate and complete inventory of certain components is required. Having a complete inventory will:

- Enable facilities to respond with a high degree of accuracy to Command or DoD data calls.
- Ensure that funding is allocated for the proper sustainment and lifecycle management of the ICS.
- Allow facility and cybersecurity managers to understand what their vulnerability exposure footprint is for a given ICS.
- Allow the ICS owner to define the criticality of the ICS as it relates to their specific mission or business processes allowing them to ensure that the ICS is capable of reliably meeting current and future requirements.

The accurate and complete inventory also becomes an artifact/information source for the Department of Defense Information Assurance Certification and Accreditation Program (DIACAP) or the Risk Management Framework (RMF).

Who should perform this inventory activity

- In order to accurately perform an ICS inventory, inventory personnel must have a basic understanding of what an ICS is. While they do not have to be familiar with the particular ICS being inventoried, it is expected that they have experience with the various components outlined in Appendix 2 of this document.
- In addition to the inventory personnel, the ICS SME or someone familiar with the ICS being inventoried is required for support. They are the people most familiar with how the ICS is deployed and utilized within the environment, not necessarily the inventory personnel. Their support in this effort ensures that all relevant aspects of the system are included in the inventory process.
- Every team performing an ICS inventory should include someone capable of reading a network diagram.

When is an inventory necessary

- Initial inventory – An initial inventory using the guidance provided in this Method is required to obtain a baseline.
- Inventory sustainment – Once the inventory baseline has been performed, the inventory must remain accurate in order to provide value. Whenever changes (hardware or software application version) to the inventoried equipment are made, the inventory should be updated.

ICS Component types that will be inventoried

Any Ethernet or TCP/IP device, regardless if it is currently using this capability should be included on the inventory. An accurate inventory of this equipment is important for the ICS owner for awareness of what the configuration and capabilities of the ICS are as presently deployed and what impacts to future configuration changes will be prior to the implementation of change.

- Personnel performing the inventory must start from the ICS front end, or centralized ICS control point, and work their way down to the components contained in the field control system.
- Physical verification, as deemed necessary, of the devices in the field to validate that the system inventories and topologies match deployed configuration.
- Verification of appropriate device physical security, depending on the device.
    o Is the device behind a locked door
    o Is the device in an enclosure box
    o Are there sufficient physical access controls associated with the device

Some ICS component examples are depicted in Appendix 2.

Inventory Results – Storage and Protection

The following questions must be answered prior to initiation of the inventory activity.

- What are the protection requirements (sensitivity) of the aggregated inventory data? In most cases, ICS inventory data is For Official Use Only (FOUO). However, there may be specific instances where ICS inventory data is Secret or Top Secret. There is also the possibility the aggregation of ICS inventory data will require a more sensitive classification than FOUO. This must be decided and agreed upon prior to the inventory activity.
- Where will this information reside and who will have access to it? Again, this must be decided prior to the inventory activity. There are numerous potential uses for this data, and each purpose would logically dictate a different custodian. It is common for Facilities Management to serve as the primary custodian.

ICS Component Inventory Methodology Levels

The ICS Architecture is described in five Tiers (and multiple sub-tiers), where each tier represents a collection of components that can be logically grouped together by function and IA approach. This tiered approach provides foundation to understand the overall architecture and representation of the ICS. However, from an inventory perspective, it does not provide an effective approach to perform an inventory. The ICS tiers are grouped into three inventory levels (see table):

Inventory Level:
    Level 1
    Level 2
    Level 3

ICS Tier and Name:
    5 - "External" Connection and Platform Information Technology (PIT) Management
    4 - UMCS Front End and IP Network
    3 - Facility Points of Connection (FPOCs)
    2 - IP Portion of the Field Control System
    1 - Non-IP Portion of the Field Control System
    0 - Sensors and Actuators

Each level contains a subset of the ICS architecture tiers and builds upon each other. From an inventory perspective, one should start at the top inventory level (level 1) of the ICS and work down to the lowest inventory level (level 3) that is required to inventory. Prior to the commencement of the inventory, the requestor will identify the inventory levels to be included in the inventory.

The following are the five ICS Architecture tiers:

- Tier 5: The point of external connection and Platform IT (PIT) management. This tier represents the highest level (and typically least documented and understood component by ICS personnel) of a site’s ICS. Each successive tier will drill deeper and provide more detail. There are also many more devices at each successive tier. Examples of Tier 5 ICS are Energy Monitoring and Control System (EMCS) and Utility Monitoring and Control System (UMCS). This tier also includes firewalls, routers, and any other physical or logical device designed to provide a boundary around the Tier 5 ICS. Every site-specific ICS Inventory activity will include the devices at this tier.
- Tier 4: The subnet(s) associated with a specific ICS and the ICS front end and/or operations center. This tier typically resides at the top of a dedicated VLAN, and contains the highest level device(s) associated with an ICS. SCADA systems typically sit at this tier. Unless specifically excluded from an ICS Inventory activity, every Tier 4 device will be included in an ICS Inventory.
- Tier 3: Field Point(s) of Connection (FPOC). This tier is the interface between the operations center and the Field Control System(s). This is the switch, proxy device, or firewall through which ICS front ends and Field Control Systems communicate. Typically, these devices are included in an ICS Inventory, primarily because these devices communicate directly with the operations center or front end.
- Tier 2: IP-enabled Field Control Systems. This tier can include programmable logic controllers (PLCs), other IP-based controllers, workstations, and switches. The devices in this tier can send/receive data and instructions to/from Tiers 4, 3, 1, and 0. These devices typically serve as a translator between Tier 1 and higher tier devices.
- Tier 1 (Stage 4): Non-IP Field Control Systems. This tier includes devices that communicate via non-IP protocols. These are non-IP PLCs. By definition, these devices will not show up on an IP network scan. They will, however, show up on an “All Ports, All Protocols” scan. Use the aggregated data from procurement, IT, DPW, and IA to derive an estimate for these devices.

- Tier 0: Sensors and Actuators. These are irrelevant to an ICS Inventory activity.

Associating the ICS tiers with Inventory stages provides flexibility when planning and executing an ICS Inventory activity. A site may ask for a Stage 1 Inventory for the site with a Stage 3 Inventory on a particular system. Initial inventories may be limited to identify facility or installation ICS by system name, mission, operating systems, interfaces to other system boundaries, and sustainment roles and responsibilities to facilitate the initial inventory execution order, HQDA Execute Order 002-13; Army-wide Inventory of Industrial Control Systems and Supervisory Control and Data Acquisition Systems, found in Appendix 1. This will provide a baseline from which inventories of devices, software, and firmware can be developed in a systematic way.

Conducting an ICS Inventory

Conducting an ICS inventory requires planning and coordination with the site being inventoried. The following activities should be performed as early as possible:

- Identify primary and secondary POCs/SMEs for the ICS.
    o Facilities/Operations management.
    o Department of Public Works (DPW).
    o IAM/IAO.
    o System Owner/Program Sponsor.
    o Technical staff.
    o Control System Operators
- Define the scope of the inventory activity.
    o Inventory activity is limited to specific set of ICS components.
    o Inventory activity to account for components on Tiers 2 – 5.
- Request documentation.
    o Procurement, installation, and configuration documentation.
    o Bill of materials.
    o As-built drawings.
    o System manuals.
    o Accreditation package, if applicable.
- Schedule the inventory activity.
    o Request access to facilities.
    o Request access to relevant personnel.

The inventory activity is potentially comprised of two parts – a logical inventory and a physical inventory. There will always be a logical inventory activity. For some critical systems, a physical inventory sampling may be required. If a physical inventory is required, the logical and physical inventories should match. If there is a mismatch, it should be noted and brought to the attention of the primary POC.

CAUTION: It should be noted that when using network discovery or vulnerability testing tools to aid in ICS component identification, using aggressive scan techniques can potentially disable/stop devices and even port scanning should be done in a manner that allows for quick recovery. Plan such events around outages or complete port scans in a methodical manner to ensure minimum impact.

Logical Inventory

- Determine if the ICS management station or front-end has the capability to show an inventory of all connected devices. If possible, obtain an export of that inventory to aid in the completion of the data collection.
- Perform Network Discovery scan on the stated IP ranges for the ICS. This will require coordination with a system or network administrator, and may have to be run from multiple front end servers. Work with the system or network administrator to ensure adequate permissions are granted to the scanning tool.
- Identify IP-enabled & networked ICS components. The discovery scan will generate varying levels of information, depending on the configuration of the network hosts. Verify and validate the scan results with existing hardware/software lists. Also, determine if some networked components are not always on.
- Identify IP-enabled & non-networked ICS components. These components will not show up on discovery scans. The hardware/software list should be comprehensive enough to enumerate these components.
- Identify isolated and/or private subnets. Within IP ranges, there can be isolated or private subnets. Work directly with a network administrator to determine if any such subnets exist, and perform a discovery scan for each subnet.
- Enumerate all hosts (fill in the spreadsheet) to the extent possible from the Discovery Scan. Given that discovery scans do not provide detailed information, hardware/software lists and other system documentation will be necessary to obtain the requisite information.

Physical inventory

- Identify all buildings/locations of equipment. Facilities/Operations Management should have a comprehensive list of locations for ICS devices.
- Coordinate the logistics of access (badges, ladders, flashlights, personal protective equipment (PPE), special training for access). Make sure to inquire about escort availability and find out who has keys to locked spaces.
- Identify and schedule required assistance from the site (SME, Technician) to assist, if needed.
- Review existing inventory lists, wiring diagrams, and any other pertinent documentation to ensure all defined ICS components are included.
- In most cases, Tier 0 sensors and actuators will not be physically counted. These devices are not connected to IP networks. Similarly, Tier 1 non-IP Field Controllers are not connected to IP networks. Thus, they do not meet the criteria stated – “fixed installation networked control systems.”
- Conduct the agreed-upon physical observation of components.
- All of the logically and physically collected information will be recorded in the ICS Inventory Template. Instructions on how to use the inventory template can be found under the ‘Read Me First’ tab in the inventory template document.

Tools required to conduct an ICS inventory activity

- Current documentation.
    o Existing inventory list.
    o Procurement, installation, and configuration documentation.
- Network scanning software.
- Flashlight.
- Ladder.
- Multi-purpose tool with different screwdriver heads and hex keys.
- ICS Inventory Template.
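Added example, not part of the Army methodology: the Logical Inventory steps call for validating discovery-scan results against existing hardware/software lists, accounting for components that are not always on or not networked, and noting mismatches for the primary POC. The Python below reconciles a scan export with a hardware list; the CSV column names, sample hosts, stated IP ranges and report category names are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample data (not from the Army document): a discovery-scan
# export and a hardware list for a hypothetical site.
SCAN_EXPORT = """ip,mac,hostname
10.20.4.10,00:11:22:33:44:10,umcs-fe01
10.20.4.11,00:11:22:33:44:11,
10.20.8.21,00:11:22:33:44:21,plc-bldg12
10.20.8.99,00:11:22:33:44:99,
192.168.50.5,00:11:22:33:44:55,
"""

HARDWARE_LIST = """asset_id,description,ip,mac,location
A-001,UMCS front end server,10.20.4.10,00:11:22:33:44:10,Bldg 1 Rm 101
A-002,FPOC switch,10.20.4.11,00-11-22-33-44-11,Bldg 1 Rm 101
A-003,IP PLC,10.20.8.21,00:11:22:33:44:2F,Bldg 12 mech room
A-004,IP controller (seasonal chiller),10.20.8.30,00:11:22:33:44:30,Bldg 14 roof
A-005,IP-capable meter (port unused),,00:11:22:33:44:40,Bldg 14 basement
"""

# The "stated IP ranges for the ICS" agreed with the network administrator.
STATED_RANGES = ["10.20.4.0/24", "10.20.8.0/24"]


def normalize_mac(mac):
    """Reduce a MAC to lowercase hex digits so ':' and '-' formats compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def load_rows(text):
    """Parse CSV text into dicts with whitespace stripped and no None values."""
    return [{k: (v or "").strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def reconcile(scan_text, hardware_text, stated_ranges):
    """Compare the logical (scan) inventory with the documented hardware list."""
    networks = [ipaddress.ip_network(r) for r in stated_ranges]
    scan = {ipaddress.ip_address(r["ip"]): r for r in load_rows(scan_text)}
    report = {name: [] for name in (
        "matched", "mac_mismatch", "not_seen", "non_networked",
        "undocumented", "outside_stated_ranges")}
    documented_ips = set()

    for asset in load_rows(hardware_text):
        if not asset["ip"]:
            # IP-enabled but non-networked: never appears on a discovery
            # scan, so the hardware list is the only source for it.
            report["non_networked"].append(asset["asset_id"])
            continue
        ip = ipaddress.ip_address(asset["ip"])
        documented_ips.add(ip)
        seen = scan.get(ip)
        if seen is None:
            # Documented but silent: may not always be on; confirm with the SME.
            report["not_seen"].append(asset["asset_id"])
            continue
        scan_mac, doc_mac = normalize_mac(seen["mac"]), normalize_mac(asset["mac"])
        if scan_mac and doc_mac and scan_mac != doc_mac:
            # Same address, different hardware: replaced device or stale record.
            report["mac_mismatch"].append(asset["asset_id"])
        else:
            report["matched"].append(asset["asset_id"])

    for ip in sorted(set(scan) - documented_ips):
        in_scope = any(ip in net for net in networks)
        key = "undocumented" if in_scope else "outside_stated_ranges"
        report[key].append(str(ip))
    return report


if __name__ == "__main__":
    result = reconcile(SCAN_EXPORT, HARDWARE_LIST, STATED_RANGES)
    for category, items in result.items():
        print(f"{category}: {', '.join(items) or '-'}")
```

Everything outside "matched" is a mismatch to note for the primary POC and a candidate for the physical inventory sample.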

Appendix 1 - HQDA EXECUTE ORDER 002-13

HQDA EXECUTE ORDER 002-13; ARMY-WIDE INVENTORY OF INDUSTRIAL CONTROL SYSTEMS AND SUPERVISORY CONTROL AND DATA ACQUISITION SYSTEMS
ALARACT 279/2012
DTG: P 041909Z OCT 12
THIS MESSAGE HAS BEEN SENT BY THE PENTAGON TELECOMMUNICATIONS CENTER ON BEHALF OF DA WASHINGTON DC//DCS/G-3/5/7//
SUBJECT: HQDA EXORD 002-13; ARMY-WIDE INVENTORY OF INDUSTRIAL CONTROL SYSTEMS AND SUPERVISORY CONTROL AND DATA ACQUISITION SYSTEMS

(U) REFERENCES:
REF A. FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002, 44 U.S.C. SECTION 3541 ET SEQ. (2011).
REF B. CLINGER-COHEN ACT OF 1996, 40 U.S.C. 1401 ET SEQ. (2011).
REF C. DOD INSTRUCTION 8500.2, INFORMATION ASSURANCE IMPLEMENTATION, 06 FEBRUARY 2003.
REF D. DOD INSTRUCTION, 8510.01, DOD INFORMATION ASSURANCE CERTIFICATION AND ACCREDITATION PROCESS, 28 NOVEMBER 2007.
REF E. DOD MANUAL, 8570.01-M, DOD INFORMATION ASSURANCE WORKFORCE IMPROVEMENT PROGRAM, 19 DECEMBER 2005.
REF F. ARMY REGULATION 25-2, INFORMATION ASSURANCE, 24 OCTOBER 2001/RAR 23 MARCH 2007.
REF G. HQDA, GENERAL ORDER 2010-26, ESTABLISHMENT OF THE UNITED STATES ARMY CYBER COMMAND, 1 OCTOBER 2010
REF H. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SPECIAL PUBLICATION 800-82, GUIDE TO INDUSTRIAL CONTROL SYSTEMS SECURITY, JUNE 2011.

1. (U) SITUATION.

1.A. (U) PURPOSE. EMERGING CYBERSPACE THREAT CAPABILITIES REQUIRE THE ARMY TO QUICKLY AND ACCURATELY IDENTIFY ARMY-OWNED INDUSTRIAL CONTROL SYSTEMS AND SUPERVISORY CONTROL AND DATA ACQUISITION SYSTEMS (ICS/SCADA) IN ORDER TO ASSESS THEIR SECURITY AND IMPLEMENT MEASURES TO LIMIT SYSTEM DEGRADATION OR DISRUPTION. THIS ORDER IS CONSISTENT WITH DEPARTMENT OF DEFENSE (DOD) REGULATIONS AND FEDERAL LAW PERTAINING TO ALL UNITED STATES ARMY NETWORKS AND SYSTEMS.

1.B. (U) BACKGROUND. MUCH OF THE ARMY'S ABILITY TO EXERCISE MISSION COMMAND, OPERATE CIVIL WORKS PROGRAMS, AND ASSIST IN THE PROTECTION OF NATIONAL CRITICAL INFRASTRUCTURE RELIES UPON THE OPERATION OF ICS/SCADA SYSTEMS. GIVEN THE UNIQUE CONFIGURATION AND PURPOSE OF THESE ICS/SCADA SYSTEMS, CURRENT VISIBILITY OF THESE SYSTEMS IS INCOMPLETE AND MANY ARMY-OWNED SYSTEMS ARE NOT IN COMPLIANCE WITH CURRENT CERTIFICATION AND ACCREDITATION STANDARDS. THIS SITUATION, COMBINED WITH INCREASING NETWORK CONNECTIVITY AND REMOTE ACCESS OF ICS/SCADA SYSTEMS, EXPOSES POTENTIAL VULNERABILITIES TO INCREASINGLY SOPHISTICATED CYBER ADVERSARIES.

1.B.1. (U) FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 (FISMA), REF A, REQUIRES FORMAL CERTIFICATION AND ACCREDITATION FOR ALL COMPUTER SYSTEMS AND DATA NETWORKS INCLUDING ICS AND SCADA SYSTEMS TO INCLUDE STAND-ALONE (NOT NETWORKED) SYSTEMS.

2. (U) MISSION. NOT LATER THAN (NLT) 15 JAN 2013 ARMY COMMANDS (ACOM), ARMY SERVICE COMPONENT COMMANDS (ASCC), AND DIRECT REPORTING UNITS (DRU) IDENTIFY AND INVENTORY ALL ARMY-OWNED ICS/SCADA SYSTEMS WITHIN THEIR ORGANIZATIONS AND REPORT THE RESULTS TO ARMY CYBER COMMAND VIA THEIR RESPECTIVE THEATER SIGNAL COMMANDS IN ORDER TO ESTABLISH SYSTEM VISIBILITY, IDENTIFY RISKS, AND IMPLEMENT STEPS THAT REDUCE VULNERABILITIES FROM CYBER THREATS.

3. (U) EXECUTION.

3.A. (U) INTENT. IDENTIFY AND INVENTORY ALL ARMY ICS/SCADA SYSTEMS AND REDUCE CYBER VULNERABILITIES TO ICS/SCADA SYSTEMS IN THE ARMY. ALSO, INCREASE AWARENESS OF NON ARMY-OWNED ICS/SCADA SYSTEMS UPON WHICH THE ARMY DEPENDS. AT ENDSTATE, THIS ORDER ESTABLISHES THE NECESSARY SYSTEM VISIBILITY TO ENABLE ICS/SCADA-DEPENDENT MISSION OWNERS, WITH THE ASSISTANCE OF ARMY CYBER COMMAND, TO ENHANCE THE CYBERSPACE DEFENSIVE POSTURE OF THEIR ICS/SCADA SYSTEMS, AND IDENTIFY POTENTIAL COORDINATION REQUIREMENTS FOR NON ARMY-OWNED SYSTEMS UPON WHICH THE ARMY DEPENDS.

3.B. (U) CONCEPT OF THE OPERATION. ALL ACOM, ASCC, AND DRUS WILL IDENTIFY AND INVENTORY ALL ICS/SCADA SYSTEMS THAT THEY OWN OR OPERATE WITHIN THEIR ORGANIZATIONS, ENSURING ALL SYSTEMS ARE FULLY DOCUMENTED AND SYSTEM OWNERS IDENTIFIED. ONCE THE INVENTORY IS COLLECTED, ARMY CYBER COMMAND WILL CONSOLIDATE THE ICS/SCADA INVENTORY TO ESTABLISH IMPROVED SITUATIONAL AWARENESS AND ASSIST ASSET OWNERS WITH IMPROVING CYBERSPACE DEFENSE OF THESE SYSTEMS. ORGANIZATIONS WILL ALSO IDENTIFY MISSIONS AND FUNCTIONS THAT ARE SUPPORTED BY NON ARMY-OWNED ICS/SCADA SYSTEMS THAT SIGNIFICANTLY AFFECT ACOM, ASCC, AND DRUS. THESE SYSTEMS INCLUDE THOSE OWNED AND CONTROLLED BY COMMERCIAL OR PUBLIC PROVIDERS.

3.B.1. (U) THE IDENTIFICATION AND INVENTORY OF ALL ARMY-OWNED ICS/SCADA SYSTEMS INCLUDES ALL TYPES OF CONTROL SYSTEMS USED FOR DATA COLLECTION AND MONITORING, AS WELL AS MANAGEMENT CONTROL SYSTEMS. WHILE MANY OF THESE SYSTEMS USE ROUTABLE PROTOCOLS FOR COMMUNICATIONS, INCLUDING TRANSMISSION CONTROL PROTOCOL/INTERNET PROTOCOL (TCP/IP), TELEPHONE AND SERIAL CONNECTIONS, OTHER SYSTEMS MAY ONLY HAVE USB, CD, OR KEYBOARD ACCESS. THE FUNCTIONS, LOCATIONS, HARDWARE, SOFTWARE, AND APPLICATIONS MUST BE INCLUDED IN THE INVENTORY. ALSO, ALL NETWORK CONNECTIONS MUST BE DESCRIBED. ORGANIZATIONS WILL PROVIDE THE REQUIRED INFORMATION VIA THE SYSTEM IDENTIFICATION PROFILE IN ANNEX A. DUE TO CURRENT CYBER THREATS, THIS SENSITIVE LISTING, WHILE STILL UNCLASSIFIED, WILL BE SENT VIA SECRET INTERNET PROTOCOL ROUTER NETWORK (SIPRNET).

3.B.2. (U) FOR ICS/SCADA SYSTEMS THAT AN ACOM, ASCC OR DRU DEPEND UPON THAT ARE NOT ARMY-OWNED, THE ORGANIZATION WILL COLLECT AND REPORT DATA ON THE MISSIONS AND FUNCTIONS THAT THE SYSTEM SUPPORTS, THE PUBLIC OR COMMERCIAL OWNER OF THE SYSTEM, AND ANY EXISTING MEMORANDUMS OF UNDERSTANDING (MOU) OR MEMORANDUMS OF AGREEMENT (MOA) BETWEEN THE ARMY AND THE OWNER. ORGANIZATIONS WILL PROVIDE THE REQUESTED INFORMATION CONTAINED IN THE MISSION INFORMATION SPREADSHEET IN ANNEX C. WHILE THIS INFORMATION IS UNCLASSIFIED, IT IS SENSITIVE DUE TO CURRENT CYBER THREATS. THE INFORMATION IN ANNEX C WILL BE SENT VIA SECRET INTERNET PROTOCOL ROUTER NETWORK (SIPRNET) TO THE ARMY CYBER COMMAND POCS LISTED IN COMMAND AND SIGNAL. ORGANIZATIONS WILL NOT ATTEMPT TO COMPLETE SYSTEM IDENTIFICATION PROFILES (ANNEX A) FOR ICS/SCADA SYSTEMS THEY DO NOT OWN OR OPERATE.

3.B.3. (U) ORGANIZATIONS WILL COMPLETE AND SUBMIT THE ICS/SCADA INVENTORY REQUIREMENTS IN ANNEX A AND C WITHIN 90 DAYS OF RECEIPT OF THE EXORD. ORGANIZATIONS MUST SEND THE INFORMATION VIA SIPRNET TO THE ARMY CYBER COMMAND POCS (ARMY CYBER COMMAND ACOIC COMMAND DUTY OFFICER (ACOIC.CDO@MI.ARMY.SMIL.MIL) AND THE ICS/SCADA ACTION OFFICER (ERIC.BJORKLUND.MIL@MI.ARMY.SMIL.MIL)) IAW THE FORMATS IN ANNEX A AND/OR C.

3.C. (U) TASKS TO SUBORDINATE UNITS.

3.C.1. (U) ALL ACOM, ASCC AND DRU.

3.C.1.A. (U) SUBMIT A SYSTEM IDENTIFICATION PROFILE FOR EACH ARMY-OWNED ICS/SCADA SYSTEM WITHIN 90 DAYS OF THE DATE OF THIS EXORD. ORGANIZATIONS WILL SUBMIT SYSTEM PROFILES TO THE ARMY CYBER COMMAND POC IAW PARAGRAPH 3.B.3.

3.C.1.B. (U) SUBMIT MISSION INFORMATION REGARDING NON ARMY-OWNED ICS/SCADA SYSTEMS UPON WHICH THE COMMAND DEPENDS IAW ANNEX C WITHIN 90 DAYS OF THE DATE OF THIS EXORD. ORGANIZATIONS WILL SUBMIT THIS INFORMATION TO THE ARMY CYBER COMMAND POCS AS LISTED IN PARAGRAPH 3.B.3.

3.C.1.C. (U) REPORT ANY NEW OR MODIFIED ICS/SCADA SYSTEMS WITHIN THIRTY (30) DAYS OF ACQUISITION OR MODIFICATION TO THE ARMY CYBER COMMAND POCS LISTED IN COMMAND & SIGNAL AND PARAGRAPH 3.B.3.

3.C.1.D. (U) REPORT UPDATED OR NEW INFORMATION REGARDING NON ARMY-OWNED ICS/SCADA SYSTEMS UPON WHICH THE ORGANIZATION DEPENDS WITHIN THIRTY (30) DAYS TO THE ARMY CYBER COMMAND POCS LISTED IN COMMAND & SIGNAL AND PARAGRAPH 3.B.3.

3.C.1.E. (U) APPOINT A POC FOR COMPLIANCE WITH THIS EXORD. PROVIDE POC INFORMATION TO THE ARMY CYBER COMMAND ICS/SCADA ACTION OFFICER AND COMMAND DUTY OFFICER REFERENCED IN COMMAND AND SIGNAL NLT 45 DAYS AFTER PUBLICATION OF THIS EXORD.

3.C.2. (U) ARMY CYBER COMMAND/2ND U.S. ARMY.

3.C.2.A. (U) CONSOLIDATE THE INVENTORY OF ALL ARMY-OWNED ICS/SCADA SYSTEMS AND THE INFORMATION REQUESTED FOR ORGANIZATIONS AFFECTED BY NON ARMY-OWNED ICS/SCADA SYSTEMS.

3.C.3 (U) INSTALLATION MANAGEMENT COMMAND (IMCOM).

3.C.3.A (U) ASSIST INSTALLATION TENANTS/SYSTEM OWNERS IN IDENTIFYING ICS/SCADA SYSTEMS SUPPORTING POST/CAMP/STATION SYSTEMS.

3.D. (U) COORDINATING INSTRUCTIONS.

3.D.1. (U) DEFINITIONS (REF H, NIST 800-82).

3.D.1.A. (U) CONTROL SYSTEM: A SYSTEM IN WHICH DELIBERATE GUIDANCE OR MANIPULATION IS USED TO ACHIEVE A PRESCRIBED VALUE FOR A VARIABLE. CONTROL SYSTEMS INCLUDE SCADA, DCS, PLCS AND OTHER TYPES OF INDUSTRIAL MEASUREMENT AND CONTROL SYSTEMS.

3.D.1.B. (U) SCADA: A GENERIC NAME FOR A COMPUTERIZED SYSTEM THAT IS CAPABLE OF GATHERING AND PROCESSING DATA AND APPLYING OPERATIONAL CONTROLS OVER LONG DISTANCES. TYPICAL USES INCLUDE POWER TRANSMISSION AND DISTRIBUTION AND PIPELINE SYSTEMS.

3.D.2. (U) SEND COMPLETED INVENTORY INFORMATION IAW ANNEX A AND C NLT 15 JAN 2013 (90 DAYS AFTER PUBLICATION OF EXORD).

3.D.3. (U) ASSISTANCE FROM PERSONNEL WITH INFORMATION ASSURANCE (IA) TRAINING IS RECOMMENDED FOR COMPLETING THE INVENTORY, CERTIFICATION, AND ACCREDITATION IN ANNEX A. DIRECT ASSISTANCE WITHIN THE ACOM, ASCC, OR DRU IS THE BEST METHOD FOR ACCURATELY COMPLETING THE INVENTORY. REFER TO THE FOLLOWING SOURCES FOR NECESSARY SUPPORT:

3.D.3.A. (U) LINKS TO IA POCS WITHIN EACH ACOM, ASCC, DRUS AND SIP COMPLETION INSTRUCTIONS ARE LOCATED AT (HTTPS://WWW.MILSUITE.MIL/WIKI/PORTAL:ARMY INFORMATION ASSURANCE) UNDER THE COLLABORATION TAB.

3.D.3.B. (U) REF D, DODI 8510.01, ENCLOSURE 3, ATTACHMENT 1 CONTAINS DETAILED INSTRUCTIONS FOR THE SYSTEM IDENTIFICATION PROFILE AND THE EXAMPLE PROFILE IN ANNEX B.

3.D.3.C. (U) DIRECT UNRESOLVED QUESTIONS OR CONCERNS TO THE ARMY CYBER COMMAND POCS LISTED IN COMMAND AND SIGNAL.

4. (U) SUSTAINMENT.

4.A. (U) ORGANIZATIONS THAT ACQUIRE NEW OR UPDATED ICS/SC
