Cybersecurity for Factory Control Systems Project

Summary:

Factory control systems need to be protected from vulnerabilities that may arise as a result of their increased connectivity and use of widespread information technology. Scalable, multi-level cybersecurity is essential to realize the full potential of knowledge-based smart manufacturing, but the safety-critical and time-sensitive requirements of smart manufacturing control systems make deployment difficult. This project provides the measurement science necessary to develop standards for securing smart manufacturing control systems against cyber attack, and specifies the test methods and metrics to validate that standards have been correctly implemented.

Description:

Objective:

Develop and deploy measurement science for securing smart manufacturing control systems against cyber attack, by adapting modern IT security techniques to work in safety-critical and time-sensitive environments, delivering results to standards organizations by 2014.

Technical Idea:

Scalable, multi-level cybersecurity is an essential technology to realize the full potential of knowledge-based smart manufacturing.[1] While industry is making progress in developing and using smart manufacturing, the infrastructure and capabilities needed to deliver the full potential of this knowledge-based manufacturing have yet to be developed. Limitations in cybersecurity continue to impede progress.[2] Early deployment of traditional IT security into manufacturing control systems interfered with safety and time-critical operations and led to the recognition that the solution required adaptation of these techniques. This project will develop measurement science needed to expand traditional IT security techniques into factory control systems by researching methods to measure the quantitative impacts of cybersecurity on real-time performance, resource use, reliability and safety. The project also introduces the concept of Security Assurance Levels (SALs) to describe the protection factor needed to ensure the security of a factory control system. The concept of Safety Integrity Levels (SILs), which safety systems have used for almost two decades, will be leveraged to develop the SALs. Together these comprise measurable requirements that fulfill industry needs to reduce the risk and accelerate the deployment of safe and secure smart manufacturing control systems.

Research Plan:

Factory control systems are used in all areas of manufacturing across discrete, batch and continuous operations. Leaders from companies across these broad domains have joined their voices in the Smart Manufacturing Leadership Coalition (SMLC) to champion the need for safe and secure smart manufacturing control systems. Project staff have engaged SMLC leaders since the early 2000s in the NIST-led Process Control Security Requirements Forum (PCSRF), which produced functional standards outlining needed capabilities for adding cybersecurity to legacy systems and building it into new systems. These efforts were successful in safeguarding manufacturing infrastructure against hackers and malfeasant individuals, but escalation in the sophistication of attacks and the depth of foreign state sponsorship (e.g., the Stuxnet worm affecting Siemens controllers[3]) requires a continually improved response. Recognizing that the correctness of traditional IT cybersecurity algorithms and protocols has already been established by experts elsewhere, this project responds by researching methods for quantitatively determining the impact of adding security capabilities on performance, reliability and safety. The project will leverage the Factory Network Testbed, established under the Factory Equipment Network Testing Framework project, to analyze the performance impact of cybersecurity safeguards and countermeasures. Using the technical results learned from this analysis, project researchers will work with their collaborators in the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) to develop cybersecurity standards for factory control systems. Project staff contributions will ensure that the standards are written so that compliance can be measured, and that performance (i.e., safety, reliability, real-time communication) can be measured and assured at target levels of acceptability.

The project staff will participate with ISA's Security Compliance Institute (ISCI), which develops certification specifications for industrial automation suppliers and operational sites. ISCI plans to develop certification specifications and test methods for three areas: Devices and Systems, Supplier Practices, and User Practices. Currently, certification specifications and test methods have been developed for embedded devices under the Devices and Systems area. Project staff will work with ISCI to expand the current success in the Devices and Systems area to the User Practices area, where certification specifications and test methods will be developed for factory control systems. Working through ISCI ensures that ultimately the project's outcomes will be immediately useable by the championing industries.

Recent Results:
  • Outcome: NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3 standardizes the security controls for federally owned/operated industrial control systems. 
  • Outcome: NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security provides guidance on how to secure manufacturing and industrial control systems while addressing their unique performance, reliability, and safety requirements.
  • Impact: NIST SP 800-82 has been downloaded over 1,000,000 times and is recognized by the community as one of the most valuable ICS security documents available today.
  • Outcome: ANSI/ISA-99.02.01-2009 Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program provides comprehensive guidance on developing an industrial control system security program.

Standards and Codes:

The project's technical results will contribute to manufacturing control system cybersecurity standards being developed within ISA and IEC, specifically the ISA-99 and IEC 62443 suites of standards.



[1] Smart Manufacturing Leadership Coalition, "Implementing 21st Century Smart Manufacturing," Workshop Summary Report, June 24, 2011, Figure 1-3.

[2] Ibid., page v.

[3] "Is Stuxnet the 'best' malware ever?" Gregg Keizer, InfoWorld, September 16, 2010.

Start Date:

October 1, 2011

Lead Organizational Unit:

el
Contact

General Information:

Keith Stouffer, Project Leader

301 975 3877 Telephone
301 990 9688 Fax

100 Bureau Drive, M/S 8230
Gaithersburg, MD 20899