Control Systems

• Home

• Calendar

• ICSJWG

• Information Products

• Training

• Recommended Practices

• Assessments

• Standards & References

• Related Sites

• FAQ

Standards & References

This page provides an extensive bibliography of references and standards associated with control system cyber topics. The list is categorized as follows with web links provided where applicable:

• Cyber Security Policy Planning and Preparation
• Establishing Network Segmentation, Firewalls, and DMZs
• Patch, Password, and Configuration Management
• Control System Cyber Security Training for Engineers, Technicians, Administrators, and Operators
• Establishing and Conducting Asset, Vulnerability, and Risk Assessments
• Control System Security Procurement Requirements Specification
• Placement and Use of IDSs and IPDSs
• Authentication, Authorization, and Access Control For Direct and Remote Connectivity
• Securing Wireless Connections
• Use of VPNs and Encryption in Securing Communications
• Establishing a Secure Topology and Architecture
• Applying and Complying with Security Standards
• Ensuring Security when Modernizing and Upgrading

---

Cyber Security Policy Planning and Preparation

• TR99.00.02: Integrating Electronic Security into the Manufacturing and Control Systems Environment, ISA, 2004.
• NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, Final Public Draft September 29, 2008.
• NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009.

Additional Information

• 21 Steps to Improve Cyber Security of SCADA Networks," Office of Energy Assurance, Office of Independent Oversight And Performance Assurance, U.S. Department of Energy.
• Kilman, D. and Stamp, J. "Framework for SCADA Security Policy," Sandia Corporation. 2005.
• Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
• NIST SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle, October 2008

Back to top

Establishing Network Segmentation, Firewalls, and DMZs

• Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks, Centre for the Protection of National Infrastructure (CPNI), London, 2005.
• NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
• Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
• NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, Final Public Draft
  September 29, 2008.

Additional Information

• Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
• Control Systems Cyber Security: Defense in Depth Strategies, May 2006,  U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.

Back to top

Patch, Password, and Configuration Management

• NIST SP: 800-118,  Guide to Enterprise Password Management (Draft)
• NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
• NIST SP: 800-40, Creating a Patch and Vulnerability Management Program, 2005.
• Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
• Dzung, D., Naedele, M., Von Hoff, T., and Crevatin, M. "Security for Industrial Communication Systems," Proceedings of the IEEE. Institute of Electrical and Electronics Engineers Inc. 2005.
• NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, Final Public Draft September 29, 2008.
• NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009.

Additional Information

• Ashier, J. and Weiss, J. "Securing your Control System,"2004.
• Wooldridge, S. "SCADA/Business Network Separation: Securing an Integrated System," 2005.
• "21 Steps to Improve Cyber Security of SCADA Networks," Office of Energy Assurance, Office of Independent Oversight And Performance Assurance, U.S. Department of Energy.
• Good Practice Guide on Patch Management, Centre for the Protection of National Infrastructure (CPNI), London, October 24, 2006.
• Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.

Back to top

Control System Cyber Security Training for Engineers, Technicians, Administrators, and Operators

• Wilson, Mark, Hash, Joan, NIST SP: 800-50, Building an Information Technology Security Awareness and Training Program, 2003.
• NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
• Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
• NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, Final Public Draft
  September 29, 2008.
• NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009.

Additional Information

• Boyes, W. "Security is More than Hating Microsoft," May 31, 2005.
• Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program,
• Using Operational Security (OPSEC) to Support a Cyber Security Culture in Control Systems Environments (draft), February 2007, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.

Back to top

Establishing and Conducting Asset, Vulnerability, and Risk Assessments

• Rinaldi, et al, Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies, IEEE Control Systems Magazine, 2001.
• GAO-04-354, Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems, U.S. GAO, 2004.
• Stamp, Jason, et al., Common Vulnerabilities in Critical Infrastructure Control Systems, Sandia National Laboratories, 2003.
• Duggan, David, et al, Penetration Testing of Industrial Control Systems, Sandia National Laboratories, Report No SAND2005-2846P, 2005.
• NIST SP: 800-40, Creating a Patch and Vulnerability Management Program, 2005.
• NIST SP: 800-34 Rev. 1, Contingency Planning Guide for Information Technology Systems, 2010.
• NIST SP: 800-61 Rev. 1, Computer Security Incident Handling Guide, March 2008.
• Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
• NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009.
• NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, July 2008
• NIST SP: 800-115, Technical Guide to Information Security Testing and Assessment, September 2008.

Additional Information

• Hart, D. "An Approach to Vulnerability Assessment for Navy Supervisory Control and Data Acquisition (SCADA) Systems," Naval Postgraduate School, Monterey, California, September 2004.
• "Supervisory Control and Data Acquisition (SCADA)," Data Comm. for Business, Inc., Oct 1999.
• Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
• Byres, E., and Creery, A. "Industrial Cybersecurity for Power System and SCADA Networks," September 2005.

Back to top

Control System Security Procurement Requirements Specification

• TR99.00.01: Security Technologies for Manufacturing and Control Systems, ISA, 2004.
• TR99.00.02: Integrating Electronic Security into the Manufacturing and Control Systems Environment, ISA, 2004.
• NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009.

  Additional Information

• Merritt, R. "What Vendors Say About Control System Security," January 31, 2005.
• SCADA and Control Systems Procurement Language Project.
• Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.

Back to top

Placement and Use of IDSs and IPDSs

• NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
• NIST SP: 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS)
• Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.

Additional Information

• Wooldridge, S. "SCADA/Business Network Separation: Securing an Integrated System," 2005.
• Ashier, J. and Weiss, J. "Securing your Control System," 2004.
• Network Monitoring System Designed to Detect Unwanted Wireless Networks, September 14, 2005.
• Rakaczky, E. "Intrusion Insights Best Practices for Control System Security," July 2005.
• Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
• Control Systems Cyber Security: Defense in Depth Strategies, May 2006, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
  
• Mitigations for Security Vulnerabilities Found in Control System Networks, June 2006, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.

Back to top

Authentication, Authorization, and Access Control For Direct and Remote Connectivity

• NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
• NIST SP: 800-73-2, Interfaces for Personal Identity Verification (4 parts), September 2008.
• NIST SP 800-76-1, Biometric Data Specification for Personal Identity Verification, 2007.
• Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
• Baker, Elaine, et al, NIST SP: 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007.
• NIST SP 800-53 Rev 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009.
• NIST SP: 800-57 Recommendation for Key Management, March 2007
  • Part 1, General (Revised)
  • Part 2, Best Practices
  • Part 3, Application Specific Key Management Guidance (Draft), October 2008
• NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, Final Public Draft September 29, 2008.

Additional Information

• Wooldridge, S. "SCADA/Business Network Separation: Securing an Integrated System," 2005.
• Ashier, J. and Weiss, J. "Securing your Control System," 2004.
• "Thales e-Security." 2005.
• Schwaiger, C. and Treytl, A. "Smart Card Based Security for Fieldbus Systems," 2003, Austria Card, Vienna, Austria.
• Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.

Back to top

Securing Wireless Connections

• NIST SP: 800-48 Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks, July 2008.
• NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.

Additional Information

• Pescatore, J. "Keep your Wireless Business Secure," August 21, 2005.
• Network Monitoring System Designed to Detect Unwanted Wireless Networks, September 14, 2005.
• Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
• Securing ZigBee Wireless Networks in Process Control System Environment (draft), April 2007, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program

Back to top

Use of VPNs and Encryption in Securing Communications

• NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
• NIST SP: 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007.
• SP 800-56 B,  Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography, August 2009
• NIST SP: 800-57 Recommendation for Key Management, March 2007
  • Part 1, General (Revised)
  • Part 2, Best Practices
  • Part 3, Application Specific Key Management Guidance (Draft), October 2008

Additional Information

• AGA Report No. 12: Cryptographic Protection of SCADA Communications Part 1 Background Policies and Test Plan, American Gas Association, 2006.
• Peterson, D. "Protocol for SCADA Field Communications," July 12, 2005.
• Cohen, B. "VPN Gateway Appliances-Access Remote Data like the Big Guys," April 28, 2005.
• Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.

Back to top

Establishing a Secure Topology and Architecture

• NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
• Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
• NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, Final Public Draft,
  September 29, 2008.

Additional Information

• "Study Suggest Increased Concerns with Cyber Security and SCADA System Reliability," June 14, 2005.
• Berg, M. and Stamp, J. "A Reference Model for Control and Automation Systems in Electric Power," Sandia Corporation. 2005.
• Control Systems Cyber Security: Defense in Depth Strategies, October 2009, U.S. Department of Homeland Security National Cyber Security Division, Control Systems Security Program.
• Curtis, Ian, ABB. "Security against cyber attack," July 19, 2010.
• Invensys Operations Management (Australia) Pty Ltd. "Integrating control and safety -- where to draw the line," Jan 20, 2009.

Back to top

Applying and Complying with Security Standards

• TSA Pipeline Security Guidelines, Transportation Security Administration, April 2011.
• INGAA Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry, Interstate Natural Gas Association of America (INGAA), April 2011.
• TR99.00.01: Security Technologies for Manufacturing and Control Systems, ISA, 2004.
• TR99.00.02: Integrating Electronic Security into the Manufacturing and Control Systems Environment, ISA, 2004.

Additional Information

• Peterson, D. and Howard, D. "Cyber Security for the Electric Sector," September 12, 2005.
• Berg, M. and Stamp, J. "A Reference Model for Control and Automation Systems in Electric Power," Sandia Corporation. 2005.

Back to top

Ensuring Security when Modernizing and Upgrading

• TR99.00.01: Security Technologies for Manufacturing and Control Systems, ISA, 2004.
• Cyber Security Procurement Language for Control Systems, U.S. Department of Homeland Security National Cyber Security Division, September 2009.

Additional Information

• Ladd, E. "Dispelling the myths of HART-enabled devices," April 18, 2005.
• Verhappen, I. "What makes a fieldbus go?" April 27, 2005.
• Verhappen, I., "On the bus: Design hurdles to fieldbus technology," Control Global, 2005.
• NIST SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle, October 2008
• "Supervisory Control and Data Acquisition (SCADA)," Data Comm. for Business, Inc., Oct 1999.
• Digital Bond, British Columbia Institute of Technology, and Byres Research. "OPC Security White Paper #1: Understanding OPC and How it is Deployed," July 27, 2007.
• Digital Bond, British Columbia Institute of Technology, and Byres Research. "OPC Security White Paper #2: OPC Exposed," November 13, 2007.
• Digital Bond, British Columbia Institute of Technology, and Byres Research. "OPC Security White Paper #3: Hardening Guidelines for OPC Hosts," November 13, 2007.

Back to top