Appendix A

BRIEF OVERVIEW OF SP99 AND PCSRF

At the vanguard of developing security guidelines for industrial control systems are the Instrumentation, Systems, and Automation Society (ISA) and the National Institute of Standards and Technology (NIST). ISA, through its SP99 committee, has published two technical reports on manufacturing and control systems security that address the growing threats to industrial system security. The NIST Process Control Security Requirements Forum (PCSRF) has issued the System Protection Profile for Industrial Control Systems (SPP-ICS).

The SP99 committee, Manufacturing and Control Systems Security, represents a cross-section of the industrial market with representation from control system vendors, end-users, system integrators, consultants, and cyber security vendors. The first two reports from the committee, which were published in 2004, are: "Security Technologies for Manufacturing and Control Systems" (ISA- TR99.00.01-2004, or TR1) and "Integrating Electronic Security into the Manufacturing and Control Systems Environment" (ISA-TR99.00.02-2004 or TR2).

TR1 provides guidance for using currently available electronic security technologies, without making specific technology recommendations. It categorizes 28 electronic security technologies into five ‘buckets”:

•authentication and authorization;

•filtering/blocking/access control;

•encryption and data validation;

•audit, measurement, monitoring and detection tools;

•computer software and physical security controls.

Both control engineers and IT management can use the document to understand the opportunities and limitations of deploying IT-based security methods in a real-time environment.

The document provides information on each technology regarding: