[ISN] New security standards to strengthen SCADA
isn at c4i.org
Mon Nov 22 07:14:05 EST 2004

By Mark Willoughby
NOVEMBER 18, 2004

The security of critical-infrastructure processes, long festering as a
thorny issue in securing everything from food and water to energy and
transportation, will be getting a boost from proposed standards for

The National Institute of Standards and Technology (NIST) fostered the
creation of the Process Control Security Requirements Forum in 2001.
The group issued the first draft of its System Protection Profile for
Industrial Control Systems (SPP ICS) in October.

"It started out as a group of a dozen end users," said Keith Stouffer,
the forum's chairman and an engineer at NIST. "Now we have about 600
members. It includes everybody from the process control world," he
said, such as users, academics, government officials, integrators and

The original group held about 10 meetings and "a bunch of conference
calls" seeking input from the 13 critical-infrastructure groups
designated by the U.S. Department of Homeland Security, Stouffer said.
Those infrastructure groups include critical civil services such as
transportation, food, water utilities, electric power, pharmaceuticals
and energy, and typically are large users of process control or
Supervisory Control and Data Acquisition (SCADA) systems.

"SCADA systems were designed around reliability and safety, not
security. Now SCADA systems are becoming increasingly interconnected
with IP networks and have become vulnerable to Internet threats,"

The group looked initially to model their security standards after the
work done by the National Information Assurance Partnership, a
partnership between the National Security Agency and NIST that
administers the Common Criteria Evaluation and Validation Scheme for

"There's no other formal languages for specifying security
requirements," Stouffer said, adding that the SPP "says what needs to
be done, not how you have to address it."

The SPP requirements address system life-cycle security and were
developed by consensus, he said. They will be periodically updated
with marketplace feedback.

"It's not a NIST specification. It comes from industry. We're trying
to get people to think about security from the get-go when
architecting a system," Stouffer said. The SPP ICS includes such
time-honored security concepts as defense in depth, or layered
security, extending from industrial process sensors and programmable
logic controllers (PLC) up through the factory control and enterprise
business hierarchy to the Internet.

The process control security issues addressed in the draft SPP ICS
mirror security baselines found elsewhere. According to Stouffer they

1. Spoofing countermeasures: To prevent masquerading attacks and to
maintain confidentiality and data integrity for PLC and sensor
2. Identification and authorization: For both users and data, "to make
sure the data is authentic" between devices, sensors, PLCs,
controllers and up the manufacturing hierarchy, including human
3. Logging and auditing: To provide forensic capabilities if
something goes wrong, with time and date stamps.
4. Encryption: Voluntary encryption for sensitive or private
information, where necessary.
5. Default security: Products need to come secure from the vendor
"out of the box" with security turned on by default.
6. Physical security: To maintain the integrity of the system.
7. Policies and procedures: To provide for secure management

"Certification has only recently been discussed. It hasn't been worked
out if certification is useful," Stouffer said. "That will be a
marketplace issue. There are issues with certification, like cost."

The cost of having a commercial software product undergo a Common
Criteria evaluation can be $250,000 and up, according to industry

A user representative on the forum, Thomas Good of Du Pont Co. in
Wilmington, Del., said the new standards would have an impact on the
security of industrial processes in "two to three years," as well as
on their management.

"By having a set of products available with configurable security
features, end users can select the appropriate off-the-shelf device
and configure its security features to match their risk/impact
situation," he said. "Companies will consider SPP ICS compliant
control systems on modernization projects or new production lines when
the risk is sufficiently high. Due to the total cost of replacement, I
would not anticipate many companies ripping out and replacing existing

Some retraining may be required for plant operations, Good said.
"Effective use of new security features will likely require skills not
currently found in many process control system managers," he said.

Sources for the additional security knowledge would be the internal IT
organization, more training for process control operators, or bringing
in contractors, he said.

Process control vendor Honeywell International Inc. expects to see a
ready marketplace for SPP ICS-compliant products.

"We believe our customers will be adopting these requirements," said
Kevin Staggs, a Honeywell control systems planner in Phoenix. Many
products already meet some of the requirements, he said.

"We understand that security is a journey more than a destination. We
will be continuing to evolve our products and services to meet the
requirements of our customers." Cost, he said, should not be an
objection to SPP ICS compliance because the security will be "baked
into the system" for the customer to configure.

Mark Willoughby, CISSP, is a 20-year IT industry veteran and
journalist with degrees in computer science and journalism. For the
past seven years, he has tracked security and risk management
start-ups and is a managing consultant at MessagingGroup, a
Denver-based content development specialist.