Joseph Falco, Frederick M. Proctor, Keith A. Stouffer, Albert J. Wavering
The National Institute of Standards and Technology (NIST) is working to improve the IT security of networked digital control systems used in industrial applications. This effort is being carried out through the Process Control Security Requirements Forum (PCSRF), an industry group organized under the National Information Assurance Program (NIAP). The PCSRF is working with security professionals to assess the vulnerabilities and establish appropriate strategies for the development of policies to reduce IT security risk within the U.S. process controls industry. The outcome of this work will be the development and dissemination of best practices and, ultimately, Common Criteria (ISO/IEC 15408) based security specifications that will be used in the procurement, development, and retrofit of industrial control systems. In support of this work, this paper addresses the computer control systems used within process control industries, their similarities, and network architectures. A generic set of networking system architectures for industrial process control systems is presented. The vulnerabilities associated with these systems and the IT threats these systems are exposed to are also presented, along with a discussion of the Common Criteria and its intended use for these efforts. The current status as well as future efforts of the PCSRF are also discussed.
Common Criteria, control system vulnerabilities, critical infrastructure, DCS, Distributed Control Systems, IT security threats, SCADA, security specification, Supervisory Control and Data Acquisition
Falco, J., Proctor, F., Stouffer, K. and Wavering, A., IT Security for Industrial Control Systems, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.6859, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=821684 (Accessed December 8, 2023)