While the goals are currently voluntary, CISA has issued guidelines for what it expects from pipelines and other critical infrastructure in light of the Colonial Pipeline attack. While it appears that the attackers in that case were not able to take over the control systems, the attackers in the Florida and Kansas water system incidents did gain remote access to the control systems.
And, while these goals are aimed at critical infrastructure operators, if they make sense for your environment, you might want to adopt them too.
CISA already has a raft of documents, so it reviewed and harmonized them and came up with a single list. See the link at the end for more information. Each goal comes with a rationale and objectives; here are some of the highlights.
RISK MANAGEMENT AND CYBERSECURITY GOVERNANCE
GOAL: Identify and document cybersecurity risks to control systems using established recommended practices (e.g., NIST Cybersecurity Framework, NIST Risk Management Framework, International Society of Automation/International Electrotechnical Commission (ISA/IEC) 62443, NIST Special Publication (SP) 800-53, NIST SP 800-30, NIST SP 800-82) and provide dedicated resources to address cybersecurity risk and resiliency through planning, policies, funding, and trained personnel.
ARCHITECTURE AND DESIGN
GOAL: Integrate cybersecurity and resilience into system architecture and design in accordance with established recommended practices for segmentation, zoning, and isolating critical systems (e.g., Industrial Control Systems-Computer Emergency Response Team Defense in Depth guide, Purdue Diagram) and review and update annually to include, as appropriate, any lessons learned from operating experience consistent with industry and federal recommendations.
CONFIGURATION AND CHANGE MANAGEMENT
GOAL: Document and control hardware and software inventory, system settings, configurations, and network traffic flows throughout control system hardware and software lifecycles.
GOAL: Physical access to systems, facilities, equipment, and other infrastructure assets, including new or replacement resources in transit, is limited to authorized users and is secured against risks associated with the physical environment.
SYSTEM AND DATA INTEGRITY, AVAILABILITY AND CONFIDENTIALITY
GOAL: Protect the control system and its data against corruption, compromise, or loss.
CONTINUOUS MONITORING AND VULNERABILITY MANAGEMENT
GOAL: Implement and perform continuous monitoring of control systems cybersecurity threats and vulnerabilities.
TRAINING AND AWARENESS
GOAL: Train personnel to have the fundamental knowledge and skills necessary to recognize control system cybersecurity risks and understand their roles and responsibilities within established cybersecurity policies, procedures, and practices.
INCIDENT RESPONSE AND RECOVERY
GOAL: Implement and test control system response and recovery plans with clearly defined roles and responsibilities.
SUPPLY CHAIN RISK MANAGEMENT
GOAL: Risks associated with control system hardware, software, and managed services are identified, and policies and procedures are in place to prevent the exploitation of systems through effective supply chain risk management consistent with best practices (e.g., NIST SP 800-161).
For more details, go to the CISA web site here.