Protecting industrial controls

"System Protection Profile - Industrial Control Systems"

About 500 academic, government and industry technical experts recently released a common set of cybersecurity requirements that could help the electrical power, oil and gas, and water industries, among other critical infrastructures and utilities, strengthen their computer-based systems.

The draft document, "System Protection Profile (SPP) for Industrial Control Systems," was issued by the Process Control Security Requirements Forum, which was formed by the National Institute of Standards and Technology in 2001. Although Version 1.0 of the requirements was completed more than six months ago, it was publicly announced earlier this month.

An industrial control system (ICS) is a computer system that automates an industrial process at, for example, a dam or water plant. There are several varieties of ICS — including Supervisory Control and Data Acquisition systems — but all share the same basic elements. The SPP provides a starting point for these types of systems.

Keith Stouffer, chairman of the forum and a mechanical engineer at NIST, said the document is a starting point for all industries. Vendors of industrial control systems have been working on the document with forum members for the past two years, Stouffer said.

"What we're trying to do is create a business case for the vendors as a starting point for these security requirements," he said.

In the past, he said, vendors have complained that requirements were so specific to a company or sector that developing such systems was improbable. "So what we're trying to show the vendors is no matter what type of industry you're in, these are the types of requirements that are pretty much common across them all," he said. "It's a starting point for them to start putting some of these capabilities into their products."

The document's security requirements should help officials in the various industries prepare requests for proposals for new industrial control systems. The document, which Stouffer said would be revised and updated as feedback comes in, includes requirements for an industrial control system's operating policies and procedures, IT-based system components, their interfaces and interoperability, and physical protection of a system.

Cybersecurity has generally risen as an important issue for industry and the public, but industrial controls have received less attention. Most of these proprietary systems were developed without security in mind and were largely segregated from other networks.

"This has been called security through obscurity," a forum document states. "But today, these process control systems are often connected to the business networks to allow business people to make decisions and use commercial off-the-shelf products and open protocols."

A Government Accountability Office report this spring states that several factors are contributing to an escalating risk to control systems, including adoption of standardized technologies with known vulnerabilities, connectivity with other networks, insecure remote connections and widespread availability of technical information about them.

Stouffer said this draft document is even being distributed in Europe and Japan. But he acknowledged that funding to improve these systems still remains a big issue. "Obviously most people are still looking for money from the government to take care of this," he said.

Forum members include representatives from government, academia and critical infrastructure and related process control industries, which also include chemicals, pharmaceuticals, metals and mining, manufacturing, and pulp and paper.
