Process Control System Cyber Security Standards - An Overview Page: 3 of 13
This article is part of the collection entitled: Office of Scientific & Technical Information Technical Reports and was provided to UNT Digital Library by the UNT Libraries Government Documents Department.
provide a high level, general description of the areas currently considered important when initiating,
implementing or maintaining information security in an organization. [4]
Electronic intrusions are coming from both inside and outside of companies. [5] Although many of the
statistics referenced here deal primarily with IT systems, it would appear that attacks against control
systems are increasing proportionally. These intrusions take the form of innocent mistakes by an
operator, inappropriate testing by internal organizations, use of inappropriate security policies, attacks by
disgruntled employees or former employees, viruses, and attacks by external attackers. The vulnerability of
the control system to external attacks has grown with the increase in external connections and with the
increased use of commercial off-the-shelf technologies, for which exploits already exist.
Many businesses, as they have become aware of the problems, have begun to respond to these security
threats because of increased potential liability and the threat of regulatory compliance requirements. Much of the problem
can be reduced by application of security principles and practices contained in the cyber security
standards. Because of differences in systems, it is important to use the appropriate standards. They can
assist in understanding vulnerabilities in a system, help identify specific system problems, and suggest
solutions. For these standards to be of benefit, it is necessary to understand something of what each
addresses.
This document provides a reference at a point in time. Cyber security standards are evolving at a very
fast pace and hence it is necessary for the user to stay current on what standards exist and their current
status. This paper only presents a brief overview of some of the standards that exist, with an emphasis on
those standards that address control system cyber security.
STANDARDS
A few standards relevant to control systems, in addition to three IT-focused standards, are reviewed.
Several of these are standards, some still in draft form; others are reports or guidelines. It is recognized
that this is not a complete list of standards that deal with cyber security or even control system security,
but this study can help identify those standards that might be of benefit to an organization that uses
process control systems.
The following sections present a brief description of the standards and their current status (as of January
2006). Table 1 provides a summary of the various standards addressed in this paper. A more detailed
analysis of the relationship of the requirements presented in some of these standards is contained in two
reports: A Summary of Control System Security Standards Activities in the Energy Sector [6] and
Comparison Study of Industrial Control System Standards against the Control Systems Protection
Framework Cyber-Security Requirements [7].
There is some uncertainty about the actual status of some of these documents. A given document may be
referred to as a standard in one reference and a report in another. This may be due in part to the various
levels of standards. Informative standards provide goals that would assist in securing a system and
suggested ways to meet these goals, but do not contain specific requirements; they are therefore much the
same as a report. On the other hand, Normative standards contain specific requirements that must be
followed. Therefore, there is probably more difference between Normative and Informative standards
than between Informative standards and reports or guidelines. These designations are not critical to the
application of the principles contained in the documents. Although every effort has been made to
determine the actual designation by the issuing organization, in some cases there may still be some
confusion.
Evans, Robert P. Process Control System Cyber Security Standards - An Overview, article, May 1, 2006; [Idaho Falls, Idaho]. (https://digital.library.unt.edu/ark:/67531/metadc877672/m1/3/: accessed April 16, 2024), University of North Texas Libraries, UNT Digital Library, https://digital.library.unt.edu; crediting UNT Libraries Government Documents Department.