IT Security for Industrial Control Systems: Requirements Specification and Performance Testing



Joseph A. Falco, James D. Gilsinn, Keith A. Stouffer


The United States Government as well as the industrial controls sector has come to realize that securing computer systems that control industrial production and distribution is vital to the protection of key components of its critical infrastructure and the health of the associated economies at risk. Current systems are designed first and foremost to meet performance, reliability, safety, and flexibility requirements. Yet, as these systems are steadily integrated with information technology (IT) solutions to promote corporate connectivity and remote access capabilities, serious new vulnerabilities are being introduced into the operational system components. To address these issues, the National Institute of Standards and Technology (NIST) is defining and applying standard information security requirements for information security products and approaches to secure industrial control systems. NIST is also developing performance test methods to ensure that resultant security solutions do not adversely affect the critical operational requirements of these control systems.

NIST work to define security requirements is being carried out through the Process Control Security Requirements Forum (PCSRF). The PCSRF is a NIST-mediated working group of representatives from the various industrial sectors within the industrial community and the vendors that design, produce, and/or integrate components and systems for the industry. The group is also supported by professional and governmental organizations. The PCSRF is working with security professionals to assess the vulnerabilities and establish appropriate strategies for the development of policies and countermeasures that the U.S. industrial controls community would employ through a combination of IT and non-IT mechanisms to reduce residual risk on its control systems to an acceptable level. The Common Criteria for Information Technology Security Evaluation, also known as ISO/IEC 15408, is being used to document the results of this effort in the form of Protection Profile security specifications.

Parallel to PCSRF efforts, NIST has developed a laboratory-scale testbed comprised of several implementations of typical industrial control and networking equipment as well as relevant sensors and actuators. This testbed is being used to develop performance measures and tests that can be applied to industrial control security products to determine if particular time-sensitive requirements can be met. These performance metrics pertain to real-time requirements for data transfer, such as minimal latency and timing jitter, and are not considered in traditional IT networks. Work being performed on this testbed includes the development of metrics and tests to evaluate the performance of industrial networking equipment as well as the development of tests for evaluating the effects of security implementations on the operation of industrial control systems.
To Be Determined


critical infrastructure, industrial control system, metrics, PCSRF, performance, requirements, security, testing


Falco, J., Gilsinn, J. and Stouffer, K. (2004), IT Security for Industrial Control Systems: Requirements Specification and Performance Testing, To Be Determined, [online], (Accessed July 25, 2024)



Created October 28, 2004, Updated February 17, 2017