Protecting industrial controls

"System Protection Profile - Industrial Control Systems"

About 500 academic, government and industry technical experts recently released a common set of cybersecurity requirements that could help the electrical power, oil and gas, and water industries, among other critical infrastructures and utilities, strengthen their computer-based systems.

The draft document, "System Protection Profile (SPP) for Industrial Control Systems," was issued by the Process Control Security Requirements Forum, which was formed by the National Institute of Standards and Technology in 2001. Although Version 1.0 of the requirements was completed more than six months ago, it was publicly announced earlier this month.

An industrial control system (ICS) is a computer system that automates an industrial process at, for example, a dam or water plant. There are several varieties of ICS — including Supervisory Control and Data Acquisition systems — but all share the same basic elements. The SPP provides a starting point for these types of systems.

Keith Stouffer, chairman of the forum and a mechanical engineer at NIST, said the document is a starting point for all industries. Vendors of industrial control systems have been working on the document with forum members for the past two years, Stouffer said.

"What we're trying to do is create a business case for the vendors as a starting point for these security requirements," he said.

In the past, he said, vendors have complained that requirements were so specific to a company or sector that developing such systems was improbable. "So what we're trying to show the vendors is no matter what type of industry you're in, these are the types of requirements that are pretty much common across them all," he said. "It's a starting point for them to start putting some of these capabilities into their products."

The document's security requirements should help officials in the various industries prepare requests for proposals for new industrial control systems. The document, which Stouffer said would be revised and updated as feedback comes in, includes requirements for an industrial control system's operating policies and procedures, IT-based system components, their interfaces and interoperability, and physical protection of a system.

Cybersecurity in general has risen in importance for industry and the public, but industrial controls have received less attention. Most of these proprietary systems were developed without security in mind and were largely segregated from other networks.

"This has been called security through obscurity," a forum document states. "But today, these process control systems are often connected to the business networks to allow business people to make decisions and use commercial off-the-shelf products and open protocols."

A Government Accountability Office report this spring states that several factors are contributing to an escalating risk to control systems, including adoption of standardized technologies with known vulnerabilities, connectivity with other networks, insecure remote connections and widespread availability of technical information about them.

Stouffer said this draft document is even being distributed in Europe and Japan. But he acknowledged that funding to improve these systems still remains a big issue. "Obviously most people are still looking for money from the government to take care of this," he said.

Forum members include representatives from government, academia and critical infrastructure and related process control industries, which also include chemicals, pharmaceuticals, metals and mining, manufacturing, and pulp and paper.
