Control Systems Security Recommendations

Wednesday, July 14, 2010 @ 08:07 PM gHale


Protecting critical infrastructures and key resources is essential to the security, public health and safety, and economic vitality.
Fundamental to that protection is ensuring the security of the systems that control these infrastructures. Developing and applying robust security standards enables control systems to be secure.
However, the catch is also to build in security that will not impede or slow down the daily operation of a plant.
Development of security standards for control systems is maturing. However, standards often lack the detailed guidance needed to ensure adequate protection from the emerging threats of cyber attacks on control systems.
There is now a government catalog put out by the Department of Homeland Security that talks about recommended security controls specifically designed to provide various industry sectors the framework needed to develop sound security standards, guidelines, and best practices.
These are just recommendations. They do not in any way replace the need for applying sound engineering judgment, best practices, and risk assessments. Decisions regarding when, where, and how these standards should come into play by the specific industry sectors. This catalog provides those decision-makers with a common framework from which to select security controls for control systems.
Control systems are Supervisory Control and Data Acquisition (SCADA) systems, process control systems, distributed control systems, and other control systems specific to any of the critical infrastructure industry sectors. Although differences in these systems exist, their similarities enable a common framework for discussing and defining security controls. Currently, control system security standards come from a variety of standards development groups to meet the needs of different industry sectors and regulatory environments. However, the standards produced for a specific sector may not always be consistent or comparable with similar standards developed in another sector. These developing standards often have differing emphases and levels of detail concerning specific security controls.
Throughout the development of this document, the following control system aspects went into consideration:
• Proprietary Control System Technology: A large percentage of control system hardware and software is proprietary. However, some vendors are moving toward marketing products that use nonproprietary, off-the-shelf technologies. Control system networks also may use proprietary or industry-specific protocols. The proprietary nature of control systems also requires professionals with system-specific knowledge to operate them.
• Control System Equipment Life Cycle: The life cycle for control system hardware is from 5 to 15 years (or more) as compared to the 2 to 3-year (or shorter) life cycle for information technology (IT) business systems. Building security into control system equipment is a recent development. Typically, legacy control systems do not contain the standard security functionality included in many IT systems such as cryptography or auditing.
• Real Time Operation: The control systems should be in operation continuously. Any interruption in service may have catastrophic results to human life and property. This is a key difference between control systems and IT business systems. Real time operation presents a unique challenge for securing these systems because security cannot compromise the reliable operation of the control system.
The goal of a control systems security program is to balance security while operating within resource limits. To download the catalog, please go to Homeland Security.



Leave a Reply

You must be logged in to post a comment.