October 2004
National Institute of Standards and Technology (NIST)
NIST-led forum helps industrial networks protect against cyber attacksA 500-member forum of industry, government and academic technical experts, led by the National Institute of Standards and Technology (NIST), has released a new draft set of cyber security requirements for industrial control systems.* These security requirements, developed by the Process Control Security Requirements Forum (PCSRF), are intended to be used in procurement documents for new industrial control systems or components. The implementation of these requirements will help protect the nation's critical industrial infrastructure from cyber attacks.
The new requirements also should protect against other criminal efforts to remotely access and control production and distribution processes. The proposed requirements should be of special interest to computer security and process control personnel in the electric power, oil, gas, water, chemicals, pharmaceuticals, metals and mining, pulp and paper, and durable goods manufacturing industries.
Currently, network connectivity is virtually a prerequisite for an efficient industrial enterprise. Many of today's systems were designed years ago to maximize performance, reliability and safety. Security was not a significant consideration since systems usually were confined to in-house use and were based on proprietary hardware and protocols. Today, however, process control systems often incorporate off-the-shelf products, use open protocols and connect to business networks--any of which could allow security to be compromised.
The forum's draft report addresses security requirements needed throughout an industrial control system's lifecycle including design, implementation, configuration, maintenance and decommissioning. The draft deals with industrial control systems such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and Programmable Logic Controllers (PLCs). Requirements for components of the control system such as industrial controller authentication and sensor authentication also are outlined.
*The PCSRF System Protection Profile for Industrial Control Systems (SPP-ICS) is available for download and review at http://www.isd.mel.nist.gov/projects/processcontrol/SPP-ICSv1.0.doc.
| |
|