While cyber security standards are available to address the security of Information Technology (IT) systems, few technical Control System cyber security standards have been released at this time. NSTB work includes supporting the development of industry standards covering cyber security of control systems.
The NSTB program participated in the formal review of the following standards:
- IEC 62443, Security for Industrial Process Measurement and Control, DRAFT
- ISA-99.00.01, Security for Industrial Automation and Control Systems, Part 1: Concepts, Terminology and Models, DRAFT
- ISA-99.00.02, Security for Industrial Automation and Control Systems, Part 2: Establishing an Industrial Automation and Control System Security Program, DRAFT
- NERC Standard CIP-002 through -009, Cyber Security, June 2006
- NIST Special Publication 800-53 Revision 1, Recommended Security Controls for Federal Information Systems, December 2006
- NIST Special Publication 800-82, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security, DRAFT
Work to date includes the identification and comparison of standards that are appropriate repositories of relevant guidance. The results of that study are available in two reports: "A Comparison of Cross-Sector Cyber Security Standards" (651 kB PDF) and "A Summary of Control System Security Standards Activities in the Energy Sector" (425 kB PDF). Ongoing efforts in the standards area also include a detailed analysis of the topics and level of coverage contained in the standards identified in the reports.
The following standards are applicable to Control System cyber security:
- AGA Report No. 12, Cryptographic Protection of SCADA Communications, Part 1: Background, Policies and Test Plan, American Gas Association, March 2006
- API Standard 1164, Pipeline SCADA Security, September 2004
- Guidance for Addressing Cybersecurity in the Chemical Industry, Version 3.0, May 2006 (The CIDX Cyber Security Initiative was consolidated into the Chemical Sector Cyber Security Program under the Chemical Information Technology Council in 2006.)
- IEC 61850-SER, Communication Networks and Systems in Substations
- IEC 60870-6, Telecontrol Equipment and Systems, Part 6: Telecontrol protocols compatible with ISO standards and ITU-T recommendations (also referred to as IEC standard TASE.2)
- IEC 62351-1, Data and Communications Security, Introduction, May 2007
- IEC 62443, Security for Industrial Process Measurement and Control, DRAFT
- IEC TR 62210, Power system control and associated communications - Data and communication security, May 2003
- IEEE Std 1402-2000, IEEE Guide for Electric Power Substation Physical and Electronic Security, January 2000
- ISA-99.00.01, Security for Industrial Automation and Control Systems, Part 1: Concepts, Terminology and Models, DRAFT
- ISA-99.00.02, Security for Industrial Automation and Control Systems, Part 2: Establishing an Industrial Automation and Control System Security Program, DRAFT
- ISA-TR99.00.01-2004, Security Technologies for Manufacturing and Control Systems, March 2004
- ISA-TR99.00.02-2004, Integrating Electronic Security into the Manufacturing and Control Systems Environment, April 2004
- ISO/IEC 17799, Information technology - Code of practice for information security management, June 2005
- ISO/IEC 27001, Information technology - Security techniques - Information security management systems - Requirements, October 2005
- ISO/IEC 27002:2005, Information technology - Code of practice for information security management, June 2005 (Redesignation of ISO/IEC 17799:2005)
- NERC Standard CIP-002 through -009, Cyber Security, June 2006
- NERC Security Guidelines for the Electricity Sector: Control System - Business Network Electronic Connectivity, May 2005
- NERC Security Guidelines for the Electricity Sector: Vulnerability and Risk Assessment, June 2002
- NIST System Protection Profile - Industrial Control Systems, April 2004
- NIST Special Publication 800-53 Revision 1, Recommended Security Controls for Federal Information Systems, December 2006, Appendix F, Augmented for ICS, June 2007
- NIST Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security, SECOND PUBLIC DRAFT
Contact: David Kuipers, (208) 526-4038