NIST Industrial Control Security Testbed

Intelligent Systems Program

Intelligent Industrial Control System Security and Industrial Network Standards

Program Manager: Keith Stouffer

Annual FTEs: 4.5 NIST staff

Leverages 1.0 contracted professional staff funded by ITL

Challenge: 

The accelerating trend to use general information technologies, such as wireless and Ethernet, to monitor, control and interconnect industrial control systems is unintentionally introducing security vulnerabilities, which could allow the systems to be compromised.  Industrial control systems, including supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS), are used extensively in U.S. manufacturing and are an integral part of the U.S. critical infrastructure.  Industrial control systems are used to manufacture products such as automobiles and pharmaceuticals, and move products around such as electricity, oil and water.  Securing these systems is a challenge.  They often have time critical performance requirements and standard IT security technology can impact timing and inhibit performance of these systems.  It can be difficult to balance performance, reliability, safety and security requirements.  Though challenging, it is critical to secure the existing systems that manufacture the goods and deliver the services that we all rely on, and drive toward built-in security for new systems that will be deployed in the future.  The long-term challenge is to develop a framework of security standards and supporting performance test methods for industrial control systems and industrial networks that is broadly supported by equipment manufacturers and solution providers, and is widely adopted by users, providing a consistent level of security across the critical infrastructures.

Overview

This program supports the Department of Homeland Security (DHS) National Infrastructure Protection Plan (NIPP), which specifies critical manufacturing as a critical infrastructure sector and industrial control systems as critical assets within the critical infrastructure and key resource (CI/KR) sectors that need to be protected from terrorist attack. The program will develop standards and test methods to measure and improve the security and performance of industrial control systems.  The program will produce products that will address new safety and security challenges, drive technology change, and reduce the potential of negative environmental impacts.  The program has three primary objectives to address the challenges:  secure existing systems; drive toward built-in security for new systems that will be deployed in the future; and develop security and performance test methods for these systems.

Why NIST?

Since 2000, NIST has been working cooperatively with communities in the public and private sectors, providing an unbiased approach to developing specific guidance on the application of security con­trols to industrial control systems.  NIST is looked to as a leader in the industrial control system security standards development area, holding leadership positions in the Instrumentation, Systems, and Automation Society (ISA) and technical advisory positions in ISA, International Electrotechnical Commission (IEC) and CIGRE (International Council for Large Electric Systems) committees.  NIST has also long been a leader in establishing per­formance measures, providing leadership at the Open DeviceNet Vendors Association (ODVA) Ethernet/IP Plug-Fests, which provide manufacturers a place to test the perfor­mance and interoperability of their Ether­net/IP devices for industrial systems.

Projects

Intelligent Industrial Control System Security and Industrial Network Standards

Program Objectives

Objective 1:  Secure existing industrial control systems to reduce the risk of compromise and potential negative impacts including loss of production, loss of life and environmental impacts.

Federal industrial control system security
Anticipated Completion Date:  Q4/2010

Project Overview

The project will provide federal organizations that operate industrial control systems (e.g., Bonneville Power Administration, Bureau of Reclamation, Federal Aviation Administration, Tennessee Valley Authority), the required technical guidance and baseline security safeguards to secure these systems, significantly reducing the risk of compromise and negative impacts to federal critical infrastructure.  In addition, NIST will actively work with the North American Electric Reliability Corporation and Federal Energy Regulatory Commission to facilitate the development of security standards for the North American electric sector that are commensurate with the security standards for federal agencies that operate industrial control systems in the electric sector.

Deliverables and Intermediate Milestones [include planned accomplishments for both to quarter/year]:

Customers:

• Bonneville Power Administration
• Bureau of Reclamation
• Federal Aviation Administration
• Tennessee Valley Authority

Collaborators:

• Bonneville Power Administration
• CIGRE - International Council for Large Electric Systems
• Department of Homeland Security
• Federal Aviation Administration
• Federal Energy Regulatory Commission
• Instrumentation, Systems, and Automation Society (ISA)
• North American Electric Reliability Corporation
• Tennessee Valley Authority

Intelligent Industrial Control System Security and Industrial Network Standards

Private sector industrial control system security
Anticipated Completion Date:  Q4/2010

Project Overview

The project will provide the private sector organizations that operate industrial control systems, the technical guidance and baseline security safeguards to secure these systems, significantly reducing the risk of compromise and negative impacts to these systems.  Program staff will provide leadership within standards development organizations (e.g. ISA99 Industrial Automation and Control System Security Committee) to drive the adoption and implementation of common security requirements and baseline security safeguards.  Having a harmonized set of security requirements and baseline security safeguards will provide consistent levels of protection for both public and private sector critical infrastructure.

Deliverables and Intermediate Milestones [include planned accomplishments for both to quarter/year]:

Customers:

• ChevronTexaco
• Dow
• ExxonMobil
• General Motors
• Georgia-Pacific
• International Electrotechnical Commission
• ISA
• Procter & Gamble

Collaborators:

• ChevronTexaco
• Department of Homeland Security
• Dow
• ExxonMobil
• General Motors
• International Electrotechnical Commission
• ISA
• Procter & Gamble
  

Intelligent Industrial Control System Security and Industrial Network Standards

Objective 2:  Drive innovation and technology change to provide built-in security for new industrial control systems that will be deployed in the future. 

Specific technical security requirements for industrial control systems
Anticipated Completion Date:  Q4/2011

Project Overview

Many of the industrial control systems currently installed were not designed with security as a concern.   They were designed to maximize performance, reliability and safety, therefore any security solutions must be bolted on, which is not the most effective solution.  In order to provide more secure industrial control systems in the future, security capabilities need to be designed into future components and systems.  Program staff will assume leadership positions within the ISA99 standards committees to drive innovation and advance technology, specifying the security requirements that vendors will use to develop future products as well as certify those products under the new ISA Security Compliance Institute.

Deliverables and Intermediate Milestones [include planned accomplishments for both to quarter/year]:

Customers:

• Cisco
• Emerson
• General Electric
• Honeywell
• Invensys
• ISA
• Microsoft
• Siemens

Collaborators:

• ChevronTexaco
• Department of Homeland Security
• Dow
• DuPont
• ExxonMobil
• General Motors
• Georgia-Pacific
• ISA
• Procter & Gamble

Intelligent Industrial Control System Security and Industrial Network Standards

Objective 3:  Develop industrial network security test beds and performance test methods to characterize components and determine standards compliance. 

Industrial network security test beds and performance test methods
Anticipated Completion Date:  Q4/2011

Project Overview

The project will develop industrial network security and performance test methods to increase standards adoption by providing users with a way to determine standards compliance and ensuring that the standards are technically sound and feasible.  These performance test methods will ensure device interoperability and that components from multiple manufacturers will be “plug and play” compatible.  The performance test methods will be exercised during the bi-annual Plug-Fests. Program staff will also work with the ISA100 Wireless Systems for Automation Committee to advance technology, specifying the performance requirements that vendors will use to develop future wireless products as well as certify those products under the new ISA Wireless Compliance Institute.

Deliverables and Intermediate Milestones [include planned accomplishments for both to quarter/year]:

Customers:

• DaimlerChrysler
• Dust Networks
• Ford
• General Electric
• General Motors
• HMS Industrial Networks
• Honeywell
• Invensys
• ISA
• Nivis
• Rockwell
• Texas Instruments
• United States Council for Automotive Research (USCAR)
• Woodhead

Collaborators:

• Cargill
• ChevronTexaco
• Dow
• DuPont
• ExxonMobil
• ISA
• ODVA
• Procter & Gamble
• USCAR