If the advice from DHS sounds familiar to our own "Seven best practices for securing your PI Server" (KB00833) you'd be right!

Enabling application whitelisting and updating your software are highly effective techniques.

 

Where prior studies from Australian Signals Directorate ranked effectiveness in protecting information systems (excerpt attached), we now have similar results based on data for protecting industrial control systems.

 

 

One of the main differences is DHS advice favoring one way data flow strategy with enforcement by a data diode.  Currently, we observe business with a general lack resources to manage systems isolated by data diodes so there are practical limitations to utility of this advice. As such we offer excellent partnerships with 3rd party solution providers to serve those who are poised to adopt this strategy.

 

 

You can expect OSIsoft to continue with a sharp focus on providing software based 'read-only' approaches as an effective defensive layer for industrial control systems.

 

Kudos to ICS-CERT on their analysis and releasing the "Seven Steps to Effectively Defend Industrial Control Systems".  You can find it here:

Seven Steps to Effectively Defend Industrial Control Systems | ICS-CERT