IT Security for Industrial Control Systems: Requirements Specification and Performance Testing
Joseph A. Falco, James D. Gilsinn, Keith A. Stouffer
The United States Government as well as the industrial controls sector has come to realize that securing computer systems that control industrial production and distribution is vital to the protection of key components of its critical infrastructure and the health of the associated economies at risk. Current systems are designed first and foremost to meet performance, reliability, safety, and flexibility requirements. Yet, as these systems are steadily integrated with information technology (IT) solutions to promote corporate connectivity and remote access capabilities, serious new vulnerabilities are being introduced into the operational system components. To address these issues, the National Institute of Standards and Technology (NIST) is defining and applying standard information security requirements for information security products and approaches to secure industrial control systems. NIST is also developing performance test methods to insure that resultant security solutions to not adversely effect the critical operational requirements of these control systems.NIST work to define security requirements is being carried out the Process Control Security Requirements Forum (PCSRF). The PCSRF is a NIST mediated, working group, of representatives from the various industrial sectors within the industrial community and the vendors that design, produce, and/or integrate components and systems for the industry. The group is also supported by professional and governmental organizations. The PCSRF is working with security professionals to assess the vulnerabilities and establish appropriate strategies for the development of policies and countermeasures that the U.S. industrial controls community would employ through a combination IT and non-IT mechanisms to reduce residual risk on its control systems to an acceptable level. The Common Criteria for Information Technology Security Evaluation, also known as ISO/IEC 15408, is being used to document the results of this effort in the form of Protection Profile security specifications.Parallel to PCSRF efforts, NIST has developed, a laboratory scale testbed comprised of several implementations of typical industrial control and networking equipment as well as relevant sensors and actuators. This testbed is being used to develop performance measures tests that can be applied to industrial control security products to determine if particular time-sensitive requirements can be met. These performance metrics pertain to real-time requirements for data transfer, such as minimal latency and timing jitter and are not considered in traditional IT networks. Work being performed on this testbed includes the development of metrics and tests to evaluate the performance of industrial networking equipment as well as the development of tests for evaluating the effects of security implementations on the operation of industrial control systems.
, Gilsinn, J.
and Stouffer, K.
IT Security for Industrial Control Systems: Requirements Specification and Performance Testing, To Be Determined, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=823502
(Accessed February 24, 2024)