Home

Join the PCSRF

What's New

Upcoming Meetings

Meeting Minutes and Reports

Documents

Participants

Mailing List Information

Resources and Links

Testbed

This site is a resource for users, vendors, and third parties in the process control industry who are concerned about information security in an increasingly networked world.

Through the NIST initiative on Critical Infrastructure Protection (CIP), we are supporting the development and dissemination of standards for process control and SCADA security. We have established the Process Control Security Requirements Forum (PCSRF), a working group of over 700 members including vendors, system integrators, and end users of industrial control systems. Additional information on the PCSRF can be found here.

The PCSRF is applying the ISO 15408 Common Criteria methodology to develop security requirements for industrial process control systems. The first DRAFT of the System Protection Profile for Industrial Control Systems (SPP-ICS), which is designed to present a cohesive, cross-industry, baseline set of security requirements for new industrial control systems, is available for download and review. The SPP-ICS is designed to be an industry voice to the industrial control system vendors and system integrators, defining the security capabilities that are desired in new products and systems. It is a consensus-based specification, not a NIST specification. There is no intent to suggest or imply that the Government will enforce the adaptation of these requirements. These security requirements could be specified in procurement RFPs for new industrial control systems. A SCADA and Control Systems Procurement Project, a joint effort among public and private sectors, is currently underway to develop a common procurement language that can be used by all sectors.

The initial public draft of NIST SP 800-82, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security is also available for review. SP 800-82 provides guidance for establishing secure industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as skid-mounted Programmable Logic Controllers (PLC). ICSs are typically used in industries such as electric, water, oil and gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (automotive, aerospace, and durable goods). The document provides an overview of ICSs and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. NIST SP 800-82 is available at http://csrc.nist.gov/publications/drafts/800-82/Draft-SP800-82.pdf. Comments on SP 800-82 are requested by December 22, 2006.

Note: All information on this site other than the SPP-ICS document is password protected. Please visit the Join the PCSRF link to request a password.

Keith Stouffer
National Institute of Standards and Technology
100 Bureau Drive, Stop 8230
Gaithersburg, MD 20899-8230

E-mail: keith.stouffer@nist.gov
Voice: 301-975-3877
FAX: 301-990-9688

* No approval or endorsement of any commercial product by the National Institute of Standards and Technology is intended or implied. Certain commercial equipment, instruments, or materials are identified in this report in order to facilitate understanding. Such identification does not imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the materials or equipment identified are necessarily the best available for the purpose.

The National Institute of Standards and Technology is an agency of the U.S. Department of Commerce, located 25 miles north of Washington, D.C. in suburban Gaithersburg, Maryland. A map to NIST is available on-line.