he Process Control Security Requirements Forum (PCSRF), a nearly 600-member group of industry, government and academic technical experts, led by the National Institute of Standards and Technology (NIST), released a new draft set of cyber security requirements for industrial control systems. These security requirements are intended to be used in procurement documents for new industrial control systems or components. The implementation of these requirements will help protect the nation's critical industrial infrastructure from cyber attacks.
The new requirements also should protect against other criminal efforts to remotely access and control production and distribution processes. The proposed requirements should be of special interest to computer security and process control personnel in the electric power, oil, gas, water, chemicals, pharmaceuticals, metals and mining, pulp and paper, and durable goods manufacturing industries.
Currently, network connectivity is a virtual prerequisite for an efficient industrial enterprise, says the group. Many of today's systems were designed years ago to maximize performance, reliability and safety. Security was not a significant consideration since systems usually were confined to in-house use and were based on proprietary hardware and protocols. Today, however, process control systems often incorporate off-the-shelf products, use open protocols and connect to business networksany of which could allow security to be compromised.
The forum's draft report addresses security requirements needed throughout an industrial control system's lifecycle including design, implementation, configuration, maintenance and decommissioning. The draft deals with industrial control systems such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers Requirements for components of the control system such as industrial controller authentication and sensor authentication also are outlined.
Click here to download a complete version of the draft.