Control Systems Security Program (CSSP)
Frequently Asked Questions (FAQ)
What is the Control Systems Security Program's mission?
The Department of Homeland Security (DHS) National Cyber Security Division (NCSD) established the Control Systems Security Program (CSSP) to guide a cohesive effort between government and industry to improve the security posture of control systems within the nation's critical infrastructure. The CSSP assists control systems vendors and asset owners/operators in identifying security vulnerabilities and developing measures to strengthen their security posture and reduce risk through sound mitigation strategies.
What are the critical infrastructure sectors?
Homeland Security Presidential Directive 7 (HSPD-7), the National Infrastructure Protection Plan (NIPP), and federal policies identified and categorized U.S. critical infrastructure into the following 18 critical infrastructure sectors and key resources, referred to as CI/KR.
- Agriculture and Food
- Banking and Finance
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Drinking Water and Water Treatment Systems
- Emergency Services
- Government Facilities
- Information Technology
- National Monuments and Icons
- Nuclear Reactors, Materials, and Waste
- Postal and Shipping
- Public Health and Healthcare
- Transportation Systems
How does CSSP coordinate work with other government stakeholders?
The CSSP has established the Control Systems Security Working Group (CSSWG) for federal stakeholders that provides a forum by which the federal government can communicate and coordinate its efforts to increase the cyber security of control systems in critical infrastructures. These efforts facilitate interaction and collaboration between and among federal departments and agencies regarding control systems cyber security initiatives.
The CSSWG is a team of individuals from various federal departments and agencies who have roles and responsibilities in securing industrial control systems within the critical infrastructure of the United States. Since there are similar cyber security challenges from sector to sector, this collaboration effort benefits the nation by promoting and leveraging existing work and maximizing the efficient use of resources.
How is the CSSP working with industry?
The CSSP is partnering with members of the control community to help develop and vet recommended practices, provide guidance in supporting the CSSP's incident response capability, and participate in leadership working groups to ensure the community's cyber security concerns are considered in our products and deliverables.
The CSSP is also working to facilitate discussions between the federal government and the control systems vendor community, establishing relationships that are meant to foster an environment of collaboration to address common control systems cyber security issues. The CSSP is also developing a suite of tools that, when complete, will give asset owners and operators the ability to measure the security posture of their control systems environments and to identify the appropriate cyber security mitigation measures they should implement.
How does the program protect submitted information?
The PCII Program, established in response to the Critical Infrastructure Information Act of 2002 (CII Act), creates a new framework for protecting certain types of information. The PCII Program enables members of the private sector, for the first time, to voluntarily submit confidential information regarding the nation's critical infrastructure to the Department of Homeland Security (DHS) with the assurance that the information will be protected from public disclosure.
All work performed by associated national laboratories is protected through contractual agreements. These agreements protect proprietary information while allowing it to be viewed securely by individuals performing work related to each project.
How can I participate?
The success of the CSSP is dependent upon the active involvement of the control systems community in providing insight for the program. Many opportunities to participate in this important work exist. There is a need for help in standards bodies, industry work groups, and forums.
The only way to ensure the success of the CSSP in providing national level situational awareness of the cyber status of our nation's critical control systems is through control systems community submissions of cyber incidents and vulnerabilities to US-CERT. Submissions can be made through the landing page of the Control Systems Security Program website.
How do I contact the CSSP?
If you would like to contact the CSSP, please send inquiries to:
US-CERT Control Systems Security Program
National Cyber Security Division
US Department of Homeland Security
Mail Stop 8500
245 Murray Lane, SW, Building 410
Washington, DC 20528