Control system security
|This article needs additional citations for verification. (November 2010)|
Control system security is the prevention of intentional or unintentional interference with the proper operation of industrial automation and control systems. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers, each of which could contain security vulnerabilities. The 2010 discovery of the Stuxnet worm demonstrated the vulnerability of these systems to cyber incidents. The United States and other governments have passed cyber-security regulations requiring enhanced protection for control systems operating critical infrastructure.
Control system security is known by several other names such as SCADA security, PCN security, industrial network security, and control system cyber security.
- 1 Risks
- 2 Vulnerability of control systems
- 3 Government efforts
- 4 Control system security standards
- 5 Guidance documents
- 6 Control system security certification
- 7 References
- 8 External links
Insecurity of industrial automation and control systems can lead the following risks:
- Environmental impact
- Lost production
- Equipment damage
- Information theft
- Company image
Vulnerability of control systems
Industrial automation and control systems have become far more vulnerable to security incidents due to the following trends that have occurred over the last 10 to 15 years.
- Heavy use of Commercial Off-the Shelf Technology (COTS) and protocols. Integration of technology such as MS Windows, SQL, and Ethernet means that process control systems are now vulnerable to the same viruses, worms and trojans that affect IT systems
- Enterprise integration (using plant, corporate and even public networks) means that process control systems (legacy) are now being subjected to stresses they were not designed for
- Demand for Remote Access - 24/7 access for engineering, operations or technical support means more insecure or rogue connections to control system
- Public Information - Manuals on how to use control system are publicly available to would be attackers as well as to legitimate users
The U.S. Government Computer Emergency Readiness team (US-CERT) has instituted a Control Systems Security Program (CSSP) which has made available a large set of free National Institute of Standards and Technology (NIST) standards documents regarding control system security.
Control system security standards
ISA/IEC-62443 (Formerly ISA-99)
ISA/IEC-62443 is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end-users (i.e. asset owner), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, designing, implementing, or managing industrial automation and control systems.
These documents were originally referred to as ANSI/ISA-99 or ISA99 standards, as they were created by the International Society for Automation (ISA) and publicly released as American National Standards Institute (ANSI) documents. In 2010, they were renumbered to be the ANSI/ISA-62443 series. This change was intended to align the ISA and ANSI document numbering with the corresponding International Electrotechnical Commission (IEC) standards.
All ISA work products are now numbered using the convention “ISA-62443-x-y” and previous ISA99 nomenclature is maintained for continuity purposes only. Corresponding IEC documents are referenced as “IEC 62443-x-y”. The approved IEC and ISA versions are generally identical for all functional purposes.
ISA99 remains the name of the Industrial Automation and Control System Security Committee of the ISA. Since 2002, the committee has been developing a multi-part series of standards and technical reports on the subject of IACS security. These work products are then submitted to the ISA approval and then publishing under ANSI. They are also submitted to IEC for review and approval as standards and specifications in the IEC 62443 series.
All ISA-62443 standards and technical reports are organized into four general categories called General, Policies and Procedures, System and Component.
- The first (top) category includes common or foundational information such as concepts, models and terminology. Also included are work products that describe security metrics and security life cycles for IACS.
- The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
- The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core in this is the zone and conduit design model.
- The fourth category includes work products that describe the specific product development and technical requirements of control system products. This is primarily intended for control product vendors, but can be used by integrator and asset owners for to assist in the procurement of secure products.
More information about the activities and plans of the ISA99 committee is available on the committee Wiki site ()
American Petroleum Institute
North American Electric Reliability Committee (NERC)
American Chemistry Council
Control system security certification
ISA Security Compliance Institute
Related to the work of ISA 99 is the work of the ISA Security Compliance Institute. The ISA Security Compliance Institute (ISCI) has developed compliance test specifications for ISA99 and other control system security standards. They have also created an ANSI accredited certification program called ISASecure for the certification of industrial automation devices such as programmable logic controllers (PLC), distributed control systems (DCS) and safety instrumented systems (SIS). These types of devices provided automated control of industrial processes such as those found in the oil & gas, chemical, electric utility, manufacturing, food & beverage and water/wastewater processing industries. There is growing concern from both governments as well as private industry regarding the risk that these systems could be intentionally compromised by "evildoers" such as hackers, disgruntled employees, organized criminals, terrorist organizations or even state-sponsored groups. The recent news about the industrial control system malware known as Stuxnet has heightened concerns about the vulnerability of these systems.