Standard for Control System Security and Cyber Security

Posted by NKader

Is there any acceptable standard for enforcing cyber security in the control system domain? Do different companies follow their own standard for cyber security?

Correction on the status of ISA99 documents

Posted by eccosman

Allow me to expand on (and correct) the information about the ISA99 committee and its work products. As of this date the committee has released two standards and two technical reports. (The second technical report is no longer current and will eventually be withdrawn).

The standards are:

1. ANSI/ISA-99.00.01-2007, Security for Industrial Automation and Control Systems: Concepts, Terminology and Models

This standard is the conceptual foundation for the remaining standards in the series.

2. ANSI/ISA-99.02.01-2009 - Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program

This standard focuses on what is required to design an effective security program for control systems, including what is common with and what is different from that required for more traditional IT systems.

The technical report is:

3. ANSI/ISA-99.00.01-2007 - Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models

This technical report was originally released in 2004 and updated in 2007. We expect that it will be updated every 2-3 years as new information becomes available.

The ISA99 page (http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821) is actually a bit out of date, but if you click on the "List of Standards for the Committee" link you will get more recent information.

The committee will soon be releasing a roadmap that describes our vision for the full set of standards on this subject. At this time the roadmap has identified a total of 14 documents (11 standards and 3 technical reports) that will be required to fully address the subject.

Eric Cosman
ISA99 Co-chair

Security Standards

Posted by fenton2

There is not a widely accepted standard at this time.
There is NERC but this applies to the commercial power industry. It could be used by anybody looking for a place to get started.

In my experience most companies are developing their own internal standards based on the current best practices.

You can/should be working with your control system vendors to see what they recommend for security.

You might want to get familiar with the ISA SP99 standards that have been published so far. Right now the documents available are:

ANSI/ISA-99.00.01-2007, Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models

ANSI/ISA-TR99.00.02-2004, Integrating Electronic Security into the Manufacturing and Control Systems Environment

These are the first set of documents from the SP99 work and will help you get familiar with the direction this upcoming (in a few years) standard is taking.

You should note that much of the work in a security program has to do with what the "asset owner" (user company) does to make a program work. While control systems have to facilitate the activities much of the work involves user training and setting up the policies and procedures required to maintain system security.

There is also considerable information out there by just googling SCADA Security or control system security.