Background
_____________
PROBLEM STATEMENT
The widespread use of general information technologies for: (i) remote
monitoring and control of electric power generation/distribution systems
and pipeline distribution systems; (ii) controlling industrial processes
in the oil and gas, water, chemical, pharmaceutical, food and beverage,
pulp and paper, and other industries; and (iii) controlling rail and
air traffic, has unintentionally introduced security vulnerabilities.
These Supervisory Control and Data Acquisition Systems (SCADA) and
Industrial Control Systems (hereafter referred to as "industrial/process
control systems") are time critical and are designed to maximize performance,
reliability and safety. In the past, security has not been a significant
consideration because these systems were often "air-gapped" from any
other networks and were based on proprietary hardware and protocols.
But today, the isolation that protected these types of systems no
longer exists. Current industrial/process control systems are often
connected to the business networks to improve overall enterprise operations
and decision making. Since current industrial/process control systems
use the same commercial off-the-shelf products and open protocols
as general information systems (e.g., Windows platforms, Internet protocols),
they are vulnerable to the same types of threats (e.g., malicious
code, spyware, human error, accidents, physical disruption, acts of
nature) as general information systems. Industrial/process control
systems are pervasive throughout the nation's critical infrastructure,
and therefore, failures or corruption in these systems can result
in serious disruptions to the critical infrastructures they support.
CURRENT STATE OF THE SCIENCE OR TECHNOLOGY
There are many activities currently underway to secure industrial/process
control systems. These activities are focused on defining security
controls and standards for such systems. There are industry-specific
efforts, such as in the electric, water, and oil and gas industries.
There are cross-industry efforts such as those ongoing in the ISA-SP
99 Manufacturing and Control Systems Security Committee, the NIST-hosted
Process Control Security Requirements Forum (PCSRF) and the Department
of Homeland Security (DHS)-hosted Process Control Systems Forum (PCSF).
There are also international efforts such as those ongoing within
the IEC-65C Process Measurement and Control: Digital Communications
Committee. There are efforts ongoing at the Department of Energy (DOE)
National Laboratories such as Sandia National Laboratory and Idaho
National Laboratory, but the results of these efforts have not been
widely distributed. In addition, NIST has developed a suite of security
standards and guidance documents in the form of Federal Information
Processing Standards (FIPS) and Special Publications (800 series)
for federal information systems that could be (and in some cases already
have been) adopted, adapted, or extended by specific communities of
interest, including the industrial/process control community. There
is an immediate need to have cross-pollination of these efforts to:
(i) share information; (ii) increase coordination; (iii) reduce duplication
of effort; and (iv) foster convergence of solutions.
PROPOSED SOLUTION
While the majority of the industrial/process control systems are owned
and operated by the private sector, many of these systems are owned
and operated by federal, state, and local governments.[1]
Through NIST's assigned responsibility to develop and promulgate
security standards for federal information systems, NIST's Information
Technology Laboratory (ITL) Computer Security Division (CSD), in
cooperation with NIST's Manufacturing Engineering Laboratory (MEL)
Intelligent Systems Division (ISD), has the ability to establish
information security standards for federally owned/operated industrial/process
control systems as well as for those industrial/process control
systems that are operated by contractors on behalf of the federal
government. As part of its FISMA Implementation Project, NIST has
developed FIPS 200,
Minimum Security Requirements for Federal Information and Information
Systems (a mandatory standard that applies to federal information
systems) and a corresponding set of minimum baseline security controls
in NIST
Special Publication 800-53, Recommended Security Controls for
Federal Information Systems. Using FIPS 200 and NIST Special
Publication 800-53 as a foundation, this project proposes to develop
expanded versions of these documents that are applicable to federally
owned/operated industrial/process control systems (including industrial/process
control systems that are operated by contractors on behalf of the
federal government). It should also be noted that many companies
in the private sector will use (or are currently using) NIST security
standards and guidance on a voluntary basis as they attempt to demonstrate
a level of security "due diligence" for their information systems
and/or industrial/process control systems.
IMPACT
The primary impact of this work will be the development of security requirements
and baseline security controls for federally owned/operated industrial/process
control systems (including industrial/process control systems that
are operated by contractors on behalf of the federal government) that
will significantly improve the security of these types of systems.
A likely secondary impact will be the voluntary adoption of the same
or similar security requirements and baseline security controls by
the private sector industrial/process control community. Adoption
of common government and industry requirements and baseline security
controls will greatly reduce the vulnerability of critical infrastructure
systems that are supported by SCADA/industrial control systems. Standard
security requirements and baseline security controls will raise the
security bar on all such systems.
Footnote:
1. Many private industries are also regulated by federal, state,
and/or local governments.