Protecting industrial controls

"System Protection Profile ? Industrial Control Systems"

About 500 academic, government and industry technical experts recently released a common set of cybersecurity requirements that could help the electrical power, oil and gas, and water industries, among other critical infrastructures and utilities, strengthen their computer-based systems.

The draft document, "System Protection Profile (SPP) for Industrial Control Systems," was issued by the Process Control Security Requirements Forum, which was formed by the National Institute of Standards and Technology in 2001. Although Version 1.0 of the requirements was completed more than six months ago, it was publicly announced earlier this month.

An industrial control system (ICS) is a computer system that automates an industrial process at, for example, a dam or water plant. There are several varieties of ICS — including Supervisory Control and Data Acquisition systems — but all share the same basic elements. The SPP provides a starting point for these types of systems.

Keith Stouffer, chairman of the forum and a mechanical engineer at NIST, said the document is a starting point for all industries. Vendors of industrial control systems have been working on the document with forum members for the past two years, Stouffer said.

"What we're trying to do is create a business case for the vendors as a starting point for these security requirements," he said.

In the past, he said, vendors have complained that requirements were so specific to a company or sector that developing such systems was improbable. "So what we're trying to show the vendors is no matter what type of industry you're in, these are the types of requirements that are pretty much common across them all," he said. "It's a starting point for them to start putting some of these capabilities into their products."

The document's security requirements should help officials in the various industries prepare requests for proposals for new industrial control systems. The document, which Stouffer said would be revised and updated as feedback comes in, includes requirements for an industrial control system's operating policies and procedures, IT-based system components, their interfaces and interoperability, and physical protection of a system.

The issue of cybersecurity has generally risen as an important issue, but industry and the public, industrial controls have received less attention. Most of these proprietary systems were developed without security in mind and were largely segregated from other networks.

"This has been called security through obscurity," a forum document states. "But today, these process control systems are often connected to the business networks to allow business people to make decisions and use commercial off-the-shelf products and open protocols.

A Government Accountability Office report this spring states that several factors are contributing to an escalating risk to control systems, including adoption of standardized technologies with known vulnerabilities, connectivity with other networks, insecure remote connections and widespread availability of technical information about them.

Stouffer said this draft document is even being distributed in Europe and Japan. But he acknowledged that funding to improve these systems still remains a big issue. "Obviously most people are still looking for money from the government to take care of this," he said.

Forum members include representatives from government, academia and critical infrastructure and related process control industries, which also include chemicals, pharmaceuticals, metals and mining, manufacturing, and pulp and paper.