Control Systems

Highlights

Program Announcements

DHS selected Industrial Defender as a licensed distributor of CS2SAT
December 18, 2008

The U.S. Department of Homeland Security (DHS) has selected Industrial Defender as a licensed distributor of the Control System Cyber Security Self-Assessment Tool (CS2SAT), a software application designed to assist critical infrastructure asset owners and operators with a comprehensive approach for assessing the cyber security posture of industrial control system and Supervisory Control and Data Acquisition (SCADA) networks. View Industrial Defender's press release.

Recommended Practice for Patch Management of Control Systems
December 17, 2008

Patch management of industrial control systems is critical to resolve security vulnerabilities and functional issues. The objective of a patch management program is to create a consistently configured environment that is secure against known vulnerabilities in operating system and application software. However, a single solution does not exist that adequately addresses the patch management processes of both traditional information technology (IT) data networks and industrial control systems (ICSs). While IT patching typically requires relatively frequent downtime to deploy critical patches, any sudden or unexpected downtime of ICSs can have serious operational consequences. As a result, there are more stringent requirements for patch validation prior to implementation in ICS networks. The Department of Homeland Security (DHS) Control Systems Security Program (CSSP) recognizes that control systems owners/operators should have an integrated plan that identifies a separate approach to patch management for ICS. This document specifically identifies issues and recommends practices for ICS patch management in order to strengthen overall ICS security.

DHS Control Systems Self Assessment Tool (CS2SAT) Licensed for Distribution to the Water and Waste Water Sector
October 1, 2008

The Water Environment Research Foundation (WERF) and the American Water Works Association Research Foundation (AwwaRF) are new distributors of the Control System Cyber Security Self-Assessment Tool (CS2SAT) to the water and waste water sector. They are authorized to distribute the tool only for WERF subscribers and AwwaRF members.

Recommended Practice: Creating Cyber Forensics Plans for Control Systems
August 25, 2008

This document addresses the issues encountered in developing and maintaining a cyber forensics plan for control systems environments. This recommended practice supports forensic practitioners in creating a control systems forensics plan, and assumes evidentiary data collection and preservation using forensic best practices. The goal of this recommended practice is not to reinvent proven methods, but to leverage them in the best possible way. As such, the material in this recommended practice provides users with the appropriate foundation to allow these best practices to be effective in a control systems domain.

NIST released Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems. This publication provides comprehensive assessment procedures for the security controls in NIST Special Publication 800-53 (as amended) and important guidance for federal agencies in building effective security assessment plans.
July 2, 2008

GAO Examined Tennessee Valley Authority Information Security Practices Protecting its Control Systems
June 11, 2008

The United States Government Accountability Office (GAO) was asked to determine whether the Tennessee Valley Authority (TVA), a federal corporation and the nation's largest public power company, has implemented appropriate information security practices to protect its control systems. The GAO examined the security practices in place at several TVA facilities; analyzed the agency's information security policies, plans, and procedures against federal law and guidance; and interviewed agency officials who are responsible for overseeing TVA's control systems and their security. What GAO found.

Critical Infrastructure and Control Systems Security Curriculum
June 11, 2008

The Critical Infrastructure and Control Systems Security Curriculum is designed as a tool to be employed by an instructor for use in creating a masters-level professional course on Critical Infrastructure and Control Systems Security. The objective of any course constructed with this tool will be to convey fundamental organizational and economic principles required to (1) effectively manage high-impact risk to infrastructure services, and (2) design and implement public policies and business strategies that mitigate such risks. Even though many of the case examples are drawn from control systems, the principles will apply to other critical infrastructure situations.

A December 10, 2007 SANS Consensus Document details successful projects undertaken by US government agencies to implement the National Strategy to Secure Cyberspace
December 19, 2007

Three white papers, "Understanding OPC and How it is Deployed", "OPC Exposed", and "Hardening Guidelines for OPC Hosts" provide: an overview of OPC Technology and how it is actually deployed in industry; outline the risks and vulnerabilities incurred in deploying OPC in a control systems environment; and summarize current good practices for securing OPC applications running on Windows-based hosts.
January 14, 2008

Lofty Perch to License DHS Control Systems Self Assessment Tool (CS2SAT)
February 27, 2008

Lofty Perch, Inc. recently announced that it has been selected by the Department of Homeland Security to be a licensed distributor of the DHS Control Systems Cyber Security Self-Assessment Tool (CS2SAT). This application, created at the Idaho National Laboratory for the DHS National Cyber Security Division, was developed specifically to assist SCADA and Process Control System-users in improving the cyber security posture of their control systems. The CS2SAT application is a security assessment support tool based on industry standards, best practices, and regulatory guidance, and assists asset owners and operators in identifying actionable mitigations for their control system architectures. (more)

ISA Automation Standards Compliance Institute to distribute DHS NCSD Control Systems Self Assessment Tool (CS2SAT)
February 27, 2008

The ISA Automation Standards Compliance Institute (ASCI) recently completed an agreement with the Idaho National Laboratory to distribute CS2SAT on behalf of the United States Department of Homeland Security. The tool is distributed with a training video, online documentation, and 2 hours of phone support from control systems cyber security specialists to help licensees structure their self assessment approach.

The CS2SAT was developed by the Control Systems Security Program of the Department of Homeland Security's National Cyber Security Division. The purpose of the CS2SAT is to provide organizations that use SCADA (Supervisory Control and Data Acquisition) and industrial control systems with a self-assessment tool for evaluating the security of the control system. The tool pulls its recommendations from a database of the best available cyber security practices, which have been adapted specifically for application to industry control system networks and components. Each recommendation is linked to a set of actions that can be applied to remediate specific security vulnerabilities. (more)

Online training - OPSEC for Control Systems
January 14, 2008

This innovative, web-based course introduces control systems employees to the basic concepts of operations security (OPSEC) and applies these concepts to the control system environment. Course lessons let you check your understanding of the concepts with interactive exercises in which you explore different environments to discover problems. You even have the opportunity to play the "bad guy" and try to disrupt a competitor's manufacturing process.
Check out the training course OPSEC for Control Systems.

Catalog of Control Systems Security: Recommendations for Standards Developers
January 14, 2008

This catalog presents a compilation of practices that various industry bodies have recommended to increase the security of control systems from both physical and cyber attacks. It is not limited for use by a specific industry sector but can be used by all sectors to develop a framework needed to produce a sound cyber security program. It should be viewed as a collection of recommendations to be considered and judiciously employed, as appropriate, when reviewing and developing cyber security standards for control systems. The recommendations in this catalog are intended to be broad enough to provide any industry using control systems the flexibility needed to develop sound cyber security standards specific to their individual security needs.

Cyber Security Response to Physical Security Breaches
November 28, 2007

Physical break-ins and other unauthorized entries into critical infrastructure locations, such as electrical power substations, have historically been viewed as traditional property crimes where trespass, theft, and vandalism were the motives. However, the current trend of using computer networks to remotely monitor and control unmanned facilities has also increased the possibility that these physical property crimes could be used to conceal less discernible cyber crimes. A topical paper has been prepared and posted on the US-CERT website that provides discussion and guidance for the security managers of these facilities. This paper, "Cyber Security Response to Physical Security Breaches," utilizes an electrical substation break-in scenario to illustrate steps that can be taken to assist security managers in determining whether a cyber security intrusion may have occurred. It offers a process for escalation of the investigation to determine the extent of the intrusion and steps to initiate a recovery to a known state. Feedback is welcome and can be sent to cssp@hq.dhs.gov.

The Chemical Sector Cyber Security Program has announced the release of a guidance document outlining the Department of Homeland Security's Protected Critical Infrastructure Information Program.
August 22, 2007
"Using the Protected Critical Infrastructure Information (PCII) Program to Share Information with the Department of Homeland Security" is a first step in helping chemical companies develop practices and obtain information so that they can share information with DHS in a secure manner.

Recommended Practices Guide Securing ZigBee Wireless Networks in Process Control System Environments (Draft) released
July 11, 2007
This paper addresses design principles and best practices regarding the secure implementation and operation of ZigBee wireless networks. Its focus is on the secure deployment of ZigBee networks in industrial environments, such as manufacturing and process automation facilities.

ZigBee is a protocol specification and industry standard for a type of wireless communications technology generically known as Low-Rate Wireless Personal Area Networks (LR-WPAN). LR-WPAN technology is characterized by low-cost, low-power wireless devices that self-organize into a short-range wireless communication network to support relatively low throughput applications such as distributed sensing and monitoring.

The document begins with a conceptual overview of LR-WPAN technology and the role that the ZigBee protocol plays in the development and standardization process. A section on the IEEE 802.15.4 specification upon which ZigBee is based is then presented, followed by a description of the ZigBee standard and its various components. A following section describes the ZigBee security architecture, services, and features. Next, a section on secure LR-WPAN network design principles is presented, followed by a list of specific recommended security best practices that can be used as a guideline for organizations considering the deployment of ZigBee networks. Finally, a section on technical issues and special considerations for installations of LR-WPAN networks in industrial environments is presented. A concluding section summarizes key points and is followed by a list of technical references related to the topics presented in this document.

New recommended practices and supporting document
February 28, 2007
Drafts of recommended practices "Securing WLANs Using 802.11i," and "Using Operational Security (OPSEC) to support a Cyber Security Culture in Control Systems Environments," and supporting document, "Recommended Practice Case Study: Cross-Site Scripting," have been posted to the Recommended Practices website to assist asset owners and operators in security techniques to reduce the risk of cyber attacks. "Securing WLANs Using 802.11i" addresses design principles and best practices regarding the secure implementation and operation of Wireless LAN (WLAN) communication networks based on the IEEE 802.11 protocol. "Using Operational Security (OPSEC) to support a Cyber Security Culture in Control Systems Environments" reviews several key operational cyber security elements that are important for control systems and industrial networks and how those elements can drive the creation of a cyber security-sensitive culture. In doing so, it provides guidance and direction for developing operational security strategies including: creating cyber OPSEC plans for control systems, embedding cyber security into the operations life cycle, and creating technical and nontechnical security mitigation strategies. "Recommended Practice Case Study: Cross-Site Scripting" describes the details of an information security attack, known as cross-site scripting, which could be used against control systems, and explains practices to mitigate this threat.

Web-based cyber security training
February 13, 2007
The web-based training, "Cyber Security for Control Systems Engineers & Operators," is intended for control system (also referred to as SCADA, DCS, or PCS) employees whose primary job is not cyber security. The training consists of five lessons covering threats, risks, cyber attacks, risk assessments and mitigations for control systems. The "Threats and Risks" lesson describes the security threats to control systems and provides examples to illustrate these threats. The "Specific Risks to Control Systems" lesson provides a demo of a control system cyber attack and discusses some of the specific risks to control systems. The "Cyber Attacks" lesson introduces the cyber attack process. The "Risk Assessment and Mitigation Overview" lesson defines terms used to describe risk assessment and mitigation and provides an overview of the process. Finally, the "Mitigation for Control Systems" lesson discusses cyber security concerns specific to control systems and describes methods for mitigating some of these risks. The training will take about 50 minutes to complete.

To connect to the training:

  1. Click here to access the training site and click on "create an account now"
  2. Enter registration information and click "Submit"
  3. Enter your newly created userid/password, which is your email address entered and the password you chose.
  4. Click on "Cyber Security for Control Systems Engineers & Operators"
  5. You will be asked to complete a short demographic survey prior to beginning the training on the page titled "Please Tell Us About Yourself"
  6. After clicking submit, you'll be taken to a "Registration Complete" page.
  7. Simply click on "Cyber Security for Control Systems Engineers & Operators" to begin the training. The registration process occurs only once, but allows us to create an account that can be used multiple times (leave and return to the training as many times as you like) along with gathering information about those that access the training.
The first screen of the training gives an overview of how to use the interactive environment of online learning effectively along with giving the course overview. This training was developed through the Control Systems Security Program, established by the U.S. Department of Homeland Security National Cyber Security Division.

NIAC makes public report
February 13, 2007
The National Infrastructure Advisory Council (NIAC) provides the President, through the Secretary of Homeland Security, with advice on the security of the critical infrastructure sectors and their information systems. The Council has made public a report it approved January 16, 2007: Convergence of Physical and Cyber Technologies and Related Security Management Challenges Working Group Final Report and Recommendations. Their other reports and recommendations can be found at http://www.dhs.gov/niac.

Potential Vulnerabilities in Municipal Communications Networks
December 5, 2006
Potential Vulnerabilities in Municipal Communications Networks provides a discussion of risks associated with the integration of local networks and recommendations to aid city managers in establishing and maintaining protection of these integrated networks. The whitepaper was written by the DHS National Cyber Security Division, Control Systems Security Program to increase awareness of city managers of increased risk and unintended consequences that may result from the integration of local networks.

DHS recognizes that the upgrading of network technologies in municipalities to improve the efficiency of operations by connecting previously independent systems and to provide new sources of revenue is a prevalent practice. The maintenance of adequate cyber security to protect both the information and physical infrastructure is a significant issue when municipal managers take advantage of these technologies.