Control system security

Control system security is the prevention of intentional or unintentional interference with the proper operation of industrial automation and control systems. These control systems manage essential services including electricity, petroleum production, water, transportation, manufacturing, and communications. They rely on computers, networks, operating systems, applications, and programmable controllers, each of which could contain security vulnerabilities. The 2010 discovery of the Stuxnet worm demonstrated the vulnerability of these systems to cyber incidents. The United States and other governments have passed cyber-security regulations requiring enhanced protection for control systems operating critical infrastructure.

Control system security is known by several other names such as SCADA security, PCN security, industrial network security, and control system cyber security.



Insecurity of industrial automation and control systems can lead to the following risks:

  • Safety
  • Environmental impact
  • Lost production
  • Equipment damage
  • Information theft
  • Company image

Vulnerability of control systems

Industrial automation and control systems have become far more vulnerable to security incidents due to the following trends that have occurred over the last 10 to 15 years.

  • Heavy use of Commercial Off-the-Shelf (COTS) technology and protocols. Integration of technology such as MS Windows, SQL, and Ethernet means that process control systems are now vulnerable to the same viruses, worms and trojans that affect IT systems
  • Increased Connectivity - Enterprise integration (using plant, corporate and even public networks) means that legacy process control systems are now being subjected to stresses they were not designed for
  • Demand for Remote Access - 24/7 access for engineering, operations or technical support means more insecure or rogue connections to control systems
  • Public Information - Manuals on how to use control systems are publicly available to would-be attackers as well as to legitimate users

Regulation of control system security is rare. The United States, for example, only does so for the nuclear power and the chemical industries.[1]

Government efforts

The U.S. Government Computer Emergency Readiness Team (US-CERT) has instituted a Control Systems Security Program (CSSP), which has made available a large set of free National Institute of Standards and Technology (NIST) standards documents regarding control system security.

Control system security standards


ISA99 is the Industrial Automation and Control System Security Committee of the International Society for Automation (ISA). The committee is developing a multi-part series of standards and technical reports on the subject, several of which have been publicly released. Work products from the ISA99 committee are also submitted to IEC as standards and specifications in the IEC 62443 series.

  • ISA-99.01.01 (formerly referred to as "Part 1") (ANSI/ISA 99.00.01) is approved and published.
  • ISA-TR99.01.02 is a master glossary of terms used by the committee. This document is still a working draft but the content is available on the committee Wiki site.
  • ISA-99.01.03 identifies a set of compliance metrics for IACS security. This document is currently under development.
  • ISA-99.02.01 (formerly referred to as "Part 2") (ANSI/ISA 99.02.01-2009) addresses how to establish an IACS security program. This standard is approved and published. It has also been approved and published by the IEC as IEC 62443-2-1.
  • ISA-99.02.02 addresses how to operate an IACS security program. This standard is currently under development.
  • ISA-TR99.02.03 is a technical report on the subject of patch management. This report is currently under development.
  • ISA-TR99.03.01 ([1]) is a technical report on the subject of suitable technologies for IACS security. This report is approved and published.
  • ISA-99.03.02 addresses how to define security assurance levels using the zones and conduits concept. This standard is currently under development.
  • ISA-99.03.03 defines detailed technical requirements for IACS security. This standard is currently under development.
  • ISA-99.03.04 addresses the requirements for the development of secure IACS products and solutions. This standard is currently under development.
  • Standards in the ISA-99.04.xx series address detailed technical requirements at the component level. These standards are currently under development.

More information about the activities and plans of the ISA99 committee is available on the committee Wiki site ([2]).

American Petroleum Institute

API 1164 Pipeline SCADA Security

North American Electric Reliability Committee (NERC)

NERC Critical Infrastructure Protection (CIP) Standards

Guidance documents

American Chemistry Council

ChemITC Guidance Documents

Insightful Articles

Industrial Networking Security

Control system security certification

ISA Security Compliance Institute

Related to the work of ISA 99 is the work of the ISA Security Compliance Institute. The ISA Security Compliance Institute (ISCI) has developed compliance test specifications for ISA99 and other control system security standards. It has also created an ANSI-accredited certification program called ISASecure for the certification of industrial automation devices such as programmable logic controllers (PLC), distributed control systems (DCS) and safety instrumented systems (SIS). These types of devices provide automated control of industrial processes such as those found in the oil & gas, chemical, electric utility, manufacturing, food & beverage and water/wastewater processing industries. There is growing concern from both governments and private industry regarding the risk that these systems could be intentionally compromised by "evildoers" such as hackers, disgruntled employees, organized criminals, terrorist organizations or even state-sponsored groups. The recent news about the industrial control system malware known as Stuxnet has heightened concerns about the vulnerability of these systems.


  1. Gross, Michael Joseph (2011-04). "A Declaration of Cyber-War". Vanity Fair. Condé Nast. Retrieved March 03, 2011.

Wikimedia Foundation. 2010.