Information Products
CSSP Documents
Documents produced by the Control Systems Security Program.
Articles
Published articles related to control systems security.
Other Government Documents
Control Systems security documents published by government agencies.
Other Organization Documents
Control Systems security documents published by industrial or professional organizations.
Vulnerability Notes
Vulnerabilities related to control systems security.
Standards and References
A bibliography of references and standards associated with control system cyber topics.
Fact Sheets, Posters, and Brochures
Fact sheets, posters, and brochures, generally produced by the Control Systems Security Program.
CSSP Documents
Attack Methodology Analysis: SQL Injection Attacks
September 2005 (US-CERT secured portal)
Backdoors and Holes in Network Perimeters: A Case Study for Improving Your Control System Security
August 2005
Catalog of Control Systems Security: Recommendations for Standards Developers
January 14, 2008
Common Control System Vulnerability
November 2005
Creating Cyber Forensics Plans for Control Systems
August 2008
Critical Infrastructure and Control Systems Security Curriculum
March 2008
Cyber Security Procurement Language for Control Systems
August 2008
Cyber Security Response to Physical Security Breaches
November 2007
A Comparison of Electrical Sector Cyber Security Standards and Guidelines
October 2004
A Comparison of Oil and Gas Segment Cyber Security Standards
November 2004
Control Systems Cyber Security: Defense in Depth Strategies
May 2006
DHS Bulletin: Securing Control Systems
February 2005
Personnel Security Guidelines
September 2004
Potential Vulnerabilities in Municipal Communications Networks
December 2006
Recommended Practice Case Study: Cross-Site Scripting
February 2007
Security Implications of OPC, OLE, DCOM, and RPC in Control Systems
January 2006 (US-CERT secured portal)
Securing Control System Modems
January 14, 2008
Securing WLANs Using 802.11i (draft)
February 2007
Securing your SCADA and Industrial Control Systems
June 2007
Securing ZigBee Wireless Networks in Process Control System Environments (draft)
April 2007
An Undirected Attack Against Critical Infrastructure: A Case Study for Improving your Control System Security
September 2005
Using Operational Security (OPSEC) to Support a Cyber Security Culture in Control Systems Environments (draft)
February 2007
Articles
10 Control System Security Threats
April 1, 2007
Peter Welander
Control Engineering
Becoming NERC CIP-Compliant
September 2007
Jay Abshier
Control
The Blueprint to Security
March 8, 2007
Idaho National Laboratory
Cyber assessment methods: Here is the plan for enhancing control system security.
November 1, 2005
By May Robin Permann and Kenneth Rohde
InTech
DHS, industry use LOGIIC to combat cyberthreats
December 11, 2006
Government Computer News
The DHS Control Systems Security Program
3rd Quarter 2006
John Hammer, Jeffrey Hahn, Trent Nelson, Julio Rodriguez, Jeffrey Tebbe
UTC Journal
Forget the Silos, Build the Bridges
December 2007
Eric Byres, Jim Bauhs, and Brian Mason
InTech
Hacktivism Attacks May Rise, Homeland Security Official Warns
August 22, 2007
Carolyn Duffy Marsan
Network World
Industrial Network Integrity
October 1, 2006
Ian Verhappen and Eric Byres
InTech
Infrastructure Protection in the Ancient World - What the Romans can tell us about their Aqueducts - What we may apply to our modern infrastructures
Michael J. Assante, INL
Insidious threat to control systems
January 01, 2005
By Eric Byres and Justin Lowe
InTech
The Invisible Threat
September 2007
Dan Hebert
Industrial Networking
Lessons In Cyber Security
April 2007
Wes Iversen
AutomationWorld
Look to Standards for Secure Plants
May 1, 2006
By Robert Evans
InTech
Oil and Gas Processor Goes Wireless on the LAN, Proper Data Protection is a Mandatory Requirement to Ensure PAN Communications' Security and Safety
April 1, 2007
Mohammed Al-Saeed, Soliman Al-Walaie, and Mojed Al-Subaie
InTech
SCADA State of Denial
April 16, 2007
Kelly Jackson Higgins
Dark Reading
Security Incidents and Threats in SCADA and Process Industries
May 2007
Eric Byres, David Leversage, and Nake Kube
Industrial Ethernet Book
Sniffing out rats - Government regulations steering chemical industry's security tactics to safeguard against intruders
August 2007
Ellen Fussell Policastro
InTech
Sound Security Strategy, Whether Military, Physical, or Cyber Security, is the Concept of "Defense in Depth" -- Firewalls Don't Fail Me Now
March 1, 2007
Eric Byres
InTech
U.S. makes securing SCADA systems a priority
October 28, 2005
Robert Lemos
SecurityFocus
Uncovering Cyber Flaws - To ensure the safety and security of the process, company, and staff, find the vulnerabilities and break a negative chain of events
January 2006
Eric Byres and Matthew Franz
InTech
What Happens in Plant Stays in Plant
March 1, 2007
May Permann, John Hammer, Ken Rohde, and Kathy Lee
InTech
Wolves at the Door(s) of the House of Straw
December 11, 2007
Eric Byres
Control Global
Wolves at the Security House Door(s), Part 2
January 2008
Eric Byres
Control Global
Other Government Documents
Critical Infrastructure Protection - "Challenges and Efforts to Secure Control Systems"
GAO Report to Congressional Requesters, GAO-04-354
March 2004
Cyber Storm Exercise Report
DHS National Cyber Security Division
September 12, 2006
EPA Needs to Determine What Barriers Prevent Water Systems from Securing Known Supervisory Control and Data Acquisition (SCADA) Vulnerabilities
United States Environmental Protection Agency, Office of Inspector General
Final Briefing Report - 2005-P-00002
January 6, 2005
Federal Energy Regulatory Commission Staff Preliminary Assessment of the North American Electric Reliability Corporation's Proposed Mandatory Reliability Standards on Critical Infrastructure Protection
December 11, 2006
Lessons Learned From Cyber Security Assessments of SCADA and Energy Management Systems
U.S. Department of Energy Office of Electricity Delivery and Energy Reliability, National SCADA Test Bed
September 2006
Process Control Systems in the Chemical Industry: Safety vs. Security
Idaho National Laboratory
April 2005
SCADA and Control Systems Procurement Project: Cyber Security Procurement Language for Control Systems
Other Organization Documents
Centre for the Protection of National Infrastructure (CPNI), Good practice guidelines
CPNI provides integrated (combining information, personnel and physical) security advice to the businesses and organizations which make up the national (U.K.) infrastructure.
Centre for the Protection of National Infrastructure (CPNI) SCADA
Nine Process Control and SCADA Security documents are available for download.
Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks
February 2005
North American Electric Reliability Council (NERC) Reliability Standards including Critical Infrastructure Protection (CIP) standards
Although the nine CIP standards available for download were written for the electricity sector, the ideas presented have much broader application.
North American Electric Reliability Council (NERC) Security Guidelines for the Electricity Sector
The Library of CIP Documents page on the ESISAC (Electricity Sector Information Sharing and Analysis Center) website has seventeen NERC Security Guidelines available for download. The ideas presented have wider application beyond the electricity sector.
OPC Security White Paper #1 Understanding OPC and How it is Deployed, Digital Bond, British Columbia Institute of Technology, and Byres Research. An introduction to what OPC is, what its basic components are, and how it is actually deployed in the real world.
July 2007
OPC Security White Paper #2 OPC Exposed, Digital Bond, British Columbia Institute of Technology, and Byres Research. What are the risks and vulnerabilities incurred in deploying OPC in a control environment?
November 2007
OPC Security White Paper #3 Hardening Guidelines for OPC Hosts, Digital Bond, British Columbia Institute of Technology, and Byres Research. How can a server or workstation running OPC be secured in a simple and effective manner?
November 2007
Top 10 Vulnerabilities of Control Systems and Their Associated Mitigations, 2007
North American Electric Reliability Council Control Systems Security Working Group and U.S. Department of Energy National SCADA Test Bed Program
December 7, 2006
Vulnerability Notes
Citect CitectSCADA buffer overflow
June 2008
Wonderware SuiteLink null pointer dereference
May 2008
GE Fanuc CIMPLICITY HMI heap buffer overflow
January 2008
GE Fanuc Proficy Information Portal allows arbitrary file upload and execution
January 2008
GE Fanuc Proficy Information Portal transmits authentication credentials in plain text
January 2008
Gesytec Easylon OPC Server fails to properly validate OPC server handles
December 2007
Invensys Wonderware InTouch creates insecure NetDDE share
November 2007
LiveData Server fails to properly handle Connection-Oriented Transport Protocol packets
May 2007
LiveData Protocol Server fails to properly handle requests for WSDL files
May 2007
Takebishi Electric DeviceXPlorer OPC Server fails to properly validate OPC server handles
March 2007
NETxAutomation NETxEIB OPC Server fails to properly validate OPC server handles
March 2007
ICONICS Dialog Wrapper Module ActiveX control vulnerable to buffer overflow
January 2007
SISCO OSI Stack fails to properly handle malformed packets
January 2007
SISCO OSI stack fails to properly validate packets
September 2006
Tamarack MMSd components fail to properly handle malformed packets
July 2006
LiveData ICCP Server heap buffer overflow vulnerability
May 2006
Fact Sheets, Posters, and Brochures
Control System Cyber Security Self-Assessment Tool Brochure (CS2SAT)
June 2008
Control System Security Poster
January 2007
Control System Security Program Fact Sheet
January 2007
Cyber Security Procurement Language for Control Systems Brochure
March 2006