Joseph Falco, Frederick M. Proctor, Keith A. Stouffer, Albert J. Wavering
Abstract
The National Institute of Standards and Technology (NIST) is working to improve the IT security of networked digital control systems used in industrial applications. This effort is being carried out through the Process Control Security Requirements Forum (PCSRF), an industry group organized under the National Information Assurance Program (NIAP). The PCSRF is working with security professionals to assess the vulnerabilities and establish appropriate strategies for the development of policies to reduce IT security risk within the U.S. process controls industry. The outcome of this work will be the development and dissemination of best practices and, ultimately, Common Criteria, ISO/IEC 15408-based security specifications that will be used in the procurement, development, and retrofit of industrial control systems. In support of this work, this paper addresses the computer control systems used within process control industries, their similarities, and network architectures. A generic set of networking system architectures for industrial process control systems is presented. The vulnerabilities associated with these systems and the IT threats these systems are exposed to are also presented, along with a discussion of the Common Criteria and its intended use for these efforts. The current status as well as future efforts of the PCSRF are also discussed.
Keywords
Common Criteria, control system vulnerabilities, critical infrastructure, DCS, Distributed Control Systems, IT security threats, SCADA, security specification, Supervisory Control and Data Acquisition
Citation
Falco, J., Proctor, F., Stouffer, K. and Wavering, A. (2002), IT Security for Industrial Control Systems, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.6859, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=821684 (Accessed October 14, 2025)