SP 800-82. Guide to Industrial Control Systems (ICS) Security: Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC)

The purpose of this document is to provide guidance for securing industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other systems performing control functions. The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. Because there are many different types of ICS with varying levels of potential risk and impact, the document provides a list of many different methods and techniques for securing ICS. The document should not be used purely as a checklist to secure a specific system. Readers are encouraged to perform a risk-based assessment on their systems and to tailor the recommended guidelines and solutions to meet their specific security, business and operational requirements. The scope of this document includes ICS that are typically used in the electric, water and wastewater, oil and natural gas, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (automotive, aerospace, and durable goods) industries.
