Standards & References
This page provides an extensive bibliography of references and standards associated with control system cyber topics. The list is categorized as follows with web links provided where applicable:
- Cyber Security Policy Planning and Preparation
- Establishing Network Segmentation, Firewalls, and DMZs
- Patch, Password, and Configuration Management
- Control System Cyber Security Training for Engineers, Technicians, Administrators, and Operators
- Establishing and Conducting Asset, Vulnerability, and Risk Assessments
- Control System Security Procurement Requirements Specification
- Placement and Use of IDSs and IPDSs
- Authentication, Authorization, and Access Control For Direct and Remote Connectivity
- Securing Wireless Connections
- Use of VPNs and Encryption in Securing Communications
- Establishing a Secure Topology and Architecture
- Applying and Complying with Security Standards
- Ensuring Security when Modernizing and Upgrading
Cyber Security Policy Planning and Preparation
- TR99.00.02: Integrating Electronic Security into the Manufacturing and Control Systems Environment, ISA, 2004.
- NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, Second Public Draft
September 28, 2007.
- NIST SP 800-53 Rev 2, Recommended Security Controls for Federal
Information Systems, December 2007.
Additional Information
- "21 Steps to Improve Cyber Security of SCADA Networks," Office of Energy Assurance, Office of Independent Oversight And Performance Assurance, U.S. Department of Energy.
- Kilman, D. and Stamp, J. "Framework for SCADA Security Policy," Sandia
Corporation. 2005.
- Catalog of Control Systems Security: Recommendations for Standards Developers, January 2008, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
Top
Establishing Network Segmentation, Firewalls, and DMZs
- Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks, Centre for the Protection of National Infrastructure (CPNI), London, 2005.
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, Second Public Draft
September 28, 2007.
Additional Information
- "Security Unconscious?", September 12, 2005.
- Catalog of Control Systems Security: Recommendations for Standards Developers, January 2008, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
- Control Systems Cyber Security: Defense in Depth Strategies, May 2006, Â U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
- Mitigations for Security Vulnerabilities Found in Control System Networks, June 2006, Â U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
Top
Patch, Password, and Configuration Management
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- NIST SP: 800-40, Creating a Patch and Vulnerability Management Program, 2005.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- Dzung, D., Naedele, M., Von Hoff, T., and Crevatin, M. "Security for Industrial Communication Systems," Proceedings of the IEEE. Institute of Electrical and Electronics Engineers Inc. 2005.
- NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, Second Public Draft
September 28, 2007.
- NIST SP 800-53 Rev 2, Recommended Security Controls for Federal
Information Systems, December 2007.
Additional Information
- Ashier, J. and Weiss, J. "Securing your Control System,"2004.
- Wooldridge, S. "SCADA/Business Network Separation: Securing an Integrated System," 2005.
- "21 Steps to Improve Cyber Security of SCADA Networks," Office of Energy Assurance, Office of Independent Oversight And Performance Assurance, U.S. Department of Energy.
- Good Practice Guide on Patch Management, Centre for the Protection of National Infrastructure (CPNI), London, October 24, 2006.
- Catalog of Control Systems Security: Recommendations for Standards Developers, January 2008, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
Top
Control System Cyber Security Training for Engineers, Technicians, Administrators, and Operators
- Wilson, Mark, Hash, Joan, NIST SP: 800-50, Building an Information Technology Security Awareness and Training Program, 2003.
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, Second Public Draft
September 28, 2007.
- NIST SP 800-53 Rev 2, Recommended Security Controls for Federal
Information Systems, December 2007.
Additional Information
- Boyes, W. "Security is More than Hating Microsoft," May 31, 2005.
- Catalog of Control Systems Security: Recommendations for Standards Developers, January 2008, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program,
- Using Operational Security (OPSEC) to Support a Cyber Security Culture in Control Systems Environments (draft), February 2007, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
- Mitigations for Security Vulnerabilities Found in Control System Networks, June 2006, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
Top
Establishing and Conducting Asset, Vulnerability, and Risk Assessments
- Rinaldi, et al, Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies, IEEE Control Systems Magazine, 2001.
- GAO-04-354, Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems, U.S. GAO, 2004.
- Stamp, Jason, et al., Common Vulnerabilities in Critical Infrastructure Control Systems, Sandia National Laboratories, 2003.
- Duggan, David, et al, Penetration Testing of Industrial Control Systems, Sandia National Laboratories, Report No SAND2005-2846P, 2005.
- NIST SP: 800-40, Creating a Patch and Vulnerability Management Program, 2005.
- NIST SP: 800-42, Guideline on Network Security Testing, 2003
.
- NIST SP: 800-34, Contingency Planning Guide for Information Technology Systems, 2002.
- NIST SP: 800-61 Rev. 1, Computer Security Incident Handling
Guide, March 2008.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- NIST SP 800-53 Rev 2, Recommended Security Controls for Federal
Information Systems, December 2007.
- NIST SP 800-53A, Guide for Assessing the Security Controls in Federal
Information Systems, July 2008
Additional Information
- Hart, D. "An Approach to Vulnerability Assessment for Navy Supervisory Control and Data Acquisition (SCADA) Systems," Naval Postgraduate School, Monterey, California, September 2004.
- "SCADA: govt. voices e-crime fears," Reed Business Information, Jun 2005.
- Digital Bond: Securing the Critical Infrastructure.
- "Supervisory Control and Data Acquisition (SCADA)," Data Comm. for Business, Inc., Oct 1999.
- Catalog of Control Systems Security: Recommendations for Standards Developers, January 2008, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
- Byres, E., and Creery, A. "Industrial Cybersecurity for Power System and SCADA Networks," September 2005.
Top
Control System Security Procurement Requirements Specification
- TR99.00.01: Security Technologies for Manufacturing and Control Systems, ISA, 2004.
- TR99.00.02: Integrating Electronic Security into the Manufacturing and Control Systems Environment, ISA, 2004.
- NIST SP 800-53 Rev 2, Recommended Security Controls for Federal
Information Systems, December 2007.
Additional Information
- Merritt, R. "What Vendors Say About Control System Security," January 31, 2005.
- SCADA and Control Systems Procurement Language Project.
- Catalog of Control Systems Security: Recommendations for Standards Developers, January 2008, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
- Cyber Security Procurement Language for Control Systems, U.S. Department of Homeland Security National Cyber Security Division.
Top
Placement and Use of IDSs and IPDSs
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- NIST SP: 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS)
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
Additional Information
- Wooldridge, S. "SCADA/Business Network Separation: Securing an Integrated System," 2005.
- "Battling the Cyber Menace," Power Engineering International. 2005.
- Ashier, J. and Weiss, J. "Securing your Control System," 2004.
- Network Monitoring System Designed to Detect Unwanted Wireless Networks, September 14, 2005.
- "New Way to Secure Ethernet Networks against Hackers," May 17, 2005.
- Rakaczky, E. "Intrusion Insights Best Practices for Control System Security," July 2005.
- Catalog of Control Systems Security: Recommendations for Standards Developers, January 2008, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
- Control Systems Cyber Security: Defense in Depth Strategies, May 2006, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
- Mitigations for Security Vulnerabilities Found in Control System Networks, June 2006, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
Top
Authentication, Authorization, and Access Control For Direct and Remote Connectivity
- AGA-12, Cryptographic Protection of SCADA Communications, Part 1: Background, Policies and Test Plan, March 14, 2006.
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- NIST SP: 800-73, Interfaces for Personal Identity Verification, 2006.
- NIST SP 800-76-1, Biometric Data Specification for Personal Identity Verification, 2007.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- Baker, Elaine, et al, NIST SP: 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007.
- NIST SP: 800-57 Recommendation for Key Management, March
2007
- NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, Second Public Draft
September 28, 2007.
- NIST SP 800-53 Rev 2, Recommended Security Controls for Federal
Information Systems, December 2007.
Additional Information
- Wooldridge, S. "SCADA/Business Network Separation: Securing an Integrated System," 2005.
- Ashier, J. and Weiss, J. "Securing your Control System," 2004.
- "Thales e-Security." 2005.
- Schwaiger, C. and Treytl, A. "Smart Card Based Security for Fieldbus Systems," 2003, Austria Card, Vienna, Austria.
- Catalog of Control Systems Security: Recommendations for Standards Developers, January 2008, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
- Mitigations for Security Vulnerabilities Found in Control System Networks, June 2006, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
- Recommended Practice for Securing Control System Modems, January 2008, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
Top
Securing Wireless Connections
- NIST SP: 800-48 Revision 1, Guide to Securing
Legacy IEEE 802.11 Wireless Networks, July 2008.
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
Additional Information
- Pescatore, J. "Keep your Wireless Business Secure," August 21, 2005.
- Network Monitoring System Designed to Detect Unwanted Wireless Networks, September 14, 2005.
- Catalog of Control Systems Security: Recommendations for Standards Developers, January 2008, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
- Securing WLANS Using 802.11i (draft), February 2007, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
- Securing ZigBee Wireless Networks in Process Control System Environment (draft), April 2007, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program
Top
Use of VPNs and Encryption in Securing Communications
- AGA-12, Cryptographic Protection of SCADA Communications, Part 1: Background, Policies and Test Plan, March 14, 2006.
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- NIST SP: 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007.
- NIST SP: 800-57 Recommendation for Key Management, March
2007
Additional Information
- "Thales e-Security." 2005.
- Peterson, D. "Protocol for SCADA Field Communications," July 12, 2005.
- Cohen, B. "VPN Gateway Appliances-Access Remote Data like the Big Guys," April 28, 2005.
- Catalog of Control Systems Security: Recommendations for Standards Developers, January 2008, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
Top
Establishing a Secure Topology and Architecture
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, Second Public Draft
September 28, 2007.
Additional Information
- "Study Suggest Increased Concerns with Cyber Security and SCADA System Reliability," June 14, 2005.
- Berg, M. and Stamp, J. "A Reference Model for Control and Automation Systems in Electric Power," Sandia Corporation. 2005.
- Control Systems Cyber Security: Defense in Depth Strategies, May 2006, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
- Backdoors and Holes in Network Perimeters: A Case Study for Improving Your Control System Security, August 2005, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
- Mitigations for Security Vulnerabilities Found in Control System Networks, June 2006, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
Top
Applying and Complying with Security Standards
- TR99.00.01: Security Technologies for Manufacturing and Control Systems, ISA, 2004.
- TR99.00.02: Integrating Electronic Security into the Manufacturing and Control Systems Environment, ISA, 2004.
- System Protection Profile - Industrial Control Systems (SPP-ICS), NIST Internal Report.
Additional Information
- Peterson, D. and Howard, D. "Cyber Security for the Electric Sector," September 12, 2005.
- "Best Security Practices for SCADA Systems Utilizing the ISO 17799 Standard," Internet Security Systems, Inc.
- Blankenship, S. "New Tools Coming For Ramped Up Plant Cyber security Standards," Power Engineering, April 2005.
- Berg, M. and Stamp, J. "A Reference Model for Control and Automation
Systems in Electric Power," Sandia Corporation. 2005.
Top
Ensuring Security when Modernizing and Upgrading
- TR99.00.01: Security Technologies for Manufacturing and Control Systems, ISA, 2004.
- Cyber Security Procurement Language for Control Systems.
Additional Information
- Ladd, E. "Dispelling the myths of HART-enabled devices," April 18, 2005.
- Verhappen, I. "What makes a fieldbus go?" April 27, 2005.
- Verhappen, I., "On the bus: Design hurdles to fieldbus technology," Control Global, 2005.
- "Supervisory Control and Data Acquisition (SCADA)," Data Comm. for Business, Inc., Oct 1999.
Top
|