GarrettCom Ethernet Networks and Web Management guide

•security vulnerabilities addressed by this technology;

•typical deployment;

•known issues and weaknesses;

•assessment of use in the manufacturing and control system environment.

In addition it discusses anticipated future directions, offers recommendations and guidance, and points the reader to information sources and reference material.

While TR1 can be considered a primer, TR2 offers more comprehensive information regarding methodologies and components necessary to create a complete security program, and suggests a process to implement more secure systems. Since most control systems are a combination of newer and legacy components, rather than a “built-from-scratch” environment, each system will require individual evaluation.

Today SP99 is developing a draft of the first of what will be a series of industry standards related to manufacturing security.

The NIST PCSRF’s System Protection Profile for Industrial Control Systems (SPP-ICS), released in 2004, is a baseline document that states necessary industrial security requirements at an implementation-independent level. It will be used to create security specifications for specific systems and components, such as a water treatment system or a power substation.

The NIST PCSRF includes a number of members of the SP99 Committee, and is chartered to define common information security requirements for process control systems in the future. The Forum consists of more than 450 members from government, academic, and private sectors.

The current document is an extension of ISO/IEC 15408 Common Criteria. Common Criteria is widely used in secure government operations, such as the FAA. The SPP-ICS looks at these concepts in relation to industrial automation. Industrial facilities can use it to specify security functional requirements for new systems. At the same time, vendors can use it to demonstrate assurance that their products meet these security requirements.