The objective of this guide is:
To ensure all projects and operations that either directly or indirectly impact ICS assets follow a security engineering process throughout the ICS lifecycle, and incorporate appropriate security measures in their design, specification, and operation.
ICS are usually installed with an expectation of a long service life. However, major renewals, modifications, and business integration needs mean that, during both development and operation, there are often a number of ICS-related projects, any of which could have security implications. Consequently, it is necessary to manage security through the entire ICS lifecycle, which consists of four key phases: design, build, operation and decommissioning.
Following risk assessment, any projects or operations that may affect ICS security should adopt an approach that builds in and maintains security from an early stage. The assurance of these requirements should be assessed regularly throughout the ICS lifecycle. Any new system on a ‘green field’ site should build security requirements into the procurement, design, and build process from the outset. Subsequent operation of the ICS should maintain the effectiveness of this built-in security during the remaining service life of the system.