The new requirements also should protect against other criminal efforts to remotely access and control production and distribution processes. The proposed requirements should be of special interest to computer security and process control personnel in the electric power, oil, gas, water, chemicals, pharmaceuticals, metals and mining, pulp and paper, and durable goods manufacturing industries.
Currently, network connectivity is virtually a prerequisite for an efficient industrial enterprise. Many of today's systems were designed years ago to maximize performance, reliability and safety. Security was not a significant consideration since systems usually were confined to in-house use and were based on proprietary hardware and protocols. Today, however, process control systems often incorporate off-the-shelf products, use open protocols and connect to business networks--any of which could allow security to be compromised.
The forum's draft report addresses security requirements needed throughout an industrial control system's lifecycle including design, implementation, configuration, maintenance and decommissioning. The draft deals with industrial control systems such as Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and Programmable Logic Controllers (PLCs). Requirements for components of the control system such as industrial controller authentication and sensor authentication also are outlined.
*The PCSRF System Protection Profile for Industrial Control Systems (SPP-ICS) is available for download and review at http://www.isd.mel.nist.gov/projects/processcontrol/SPP-ICSv1.0.doc.