•
security vulnerabilities addressed by this technology;
•
typical deployment;
•
known issues and weaknesses;
•
assessment of use in the manufacturing and control system environment.
In addition it discusses anticipated future directions, offers recommendations and guidance, and points
the reader to information sources and reference material.
While TR1 can be considered a primer, TR2 offers more comprehensive information regarding
methodologies and components necessary to create a complete security program, and suggests a
process to implement more secure systems. Since most control systems are a combination of newer
and legacy components, rather than a “built-from-scratch” environment, each system will require
individual evaluation.
Today SP99 is developing a draft of the first of what will be a series of industry standards related to
manufacturing security.
The NIST PCSRF’s System Protection Profile for Industrial Control Systems (SPP-ICS), released in
2004, is a baseline document that states necessary industrial security requirements at an
implementation-independent level. It will be used to create security specifications for specific systems
and components, such as a water treatment system or a power substation.
The NIST PCSRF includes a number of members of the SP99 Committee, and is chartered to define
common information security requirements for process control systems in the future. The Forum
consists of more than 450 members from government, academic, and private sectors.
The current document is an extension of ISO/IEC 15408 Common Criteria. Common Criteria is
widely used in secure government operations, such as the FAA. The SPP-ICS looks at these concepts
in relation to industrial automation. Industrial facilities can use it to specify security functional
requirements for new systems. At the same time, vendors can use it to demonstrate assurance that
their products meet these security requirements.
8