Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

IT Security for Industrial Control Systems



Joseph Falco, Frederick M. Proctor, Keith A. Stouffer, Albert J. Wavering


The National Institute of Standards and Technology (NIST) is working to improve the IT security of networked digital control systems used in industrial applications. This effort is being carried out through the Process Control Security Requirements Forum (PCSRF), an industry group organized under the National Information Assurance Program (NIAP). The PCSRF is working with security professionals to assess the vulnerabilities and establish appropriate strategies for the development of policies to reduce IT security risk within the U.S. process controls industry. The outcome of this work will be the development and dissemination of best practices and ultimately Common Criteria, ISO/IEC 15408 based security specifications that will be used in the procurement, development, and retrofit of industrial control systems. In support of this work this paper addresses the computer control systems used within process control industries, their similarities, and network architectures. A generic set of networking system architectures for industrial process control systems is presented. The vulnerabilities associated with these systems and the IT threats these systems are exposed to are also presented along with a discussion of the Common Criteria and its intended use for these efforts. The current status as well as future efforts of the PCSRF are also discussed.
NIST Interagency/Internal Report (NISTIR) - 6859
Report Number


Common Criteria, control system vulnerabilities, critical infrastructure, DCS, Distributed Control Systems, IT security threats, SCADA, security specification, Supervisory Control and Data Acquisition


Falco, J. , Proctor, F. , Stouffer, K. and Wavering, A. (2002), IT Security for Industrial Control Systems, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online],, (Accessed June 23, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created February 27, 2002, Updated October 12, 2021