APPENDIX A
BRIEF OVERVIEW OF SP99 AND PCSRF
At the vanguard of developing security guidelines for industrial control systems are the
Instrumentation, Systems, and Automation Society (ISA) and the National Institute of Standards and
Technology (NIST). ISA, through its SP99 committee, has published two technical reports on
manufacturing and control systems security that address the growing threats to industrial system
security. The NIST Process Control Security Requirements Forum (PCSRF) has issued the System
Protection Profile for Industrial Control Systems (SPP-ICS).
The SP99 committee, Manufacturing and Control Systems Security, represents a cross-section of the
industrial market with representation from control system vendors, end-users, system integrators,
consultants, and cyber security vendors. The first two reports from the committee, which were
published in 2004, are: "Security Technologies for Manufacturing and Control Systems" (ISA-
TR99.00.01-2004, or TR1) and "Integrating Electronic Security into the Manufacturing and Control
Systems Environment" (ISA-TR99.00.02-2004 or TR2).
TR1 provides guidance for using currently available electronic security technologies, without making
specific technology recommendations. It categorizes 28 electronic security technologies into five
‘buckets”:
•
authentication and authorization;
•
filtering/blocking/access control;
•
encryption and data validation;
•
audit, measurement, monitoring and detection tools;
•
computer software and physical security controls.
Both control engineers and IT management can use the document to understand the opportunities and
limitations of deploying IT-based security methods in a real-time environment.
The document provides information on each technology regarding:
7