
Appendix A, Brief Overview of SP99 and PCSRF – GarrettCom Ethernet Networks and Web Management User Manual


APPENDIX A

BRIEF OVERVIEW OF SP99 AND PCSRF

At the vanguard of developing security guidelines for industrial control systems are the Instrumentation, Systems, and Automation Society (ISA) and the National Institute of Standards and Technology (NIST). ISA, through its SP99 committee, has published two technical reports on manufacturing and control systems security that address the growing threats to industrial system security. The NIST Process Control Security Requirements Forum (PCSRF) has issued the System Protection Profile for Industrial Control Systems (SPP-ICS).

The SP99 committee, Manufacturing and Control Systems Security, represents a cross-section of the industrial market with representation from control system vendors, end-users, system integrators, consultants, and cyber security vendors. The first two reports from the committee, which were published in 2004, are: "Security Technologies for Manufacturing and Control Systems" (ISA-TR99.00.01-2004, or TR1) and "Integrating Electronic Security into the Manufacturing and Control Systems Environment" (ISA-TR99.00.02-2004, or TR2).

TR1 provides guidance for using currently available electronic security technologies, without making specific technology recommendations. It categorizes 28 electronic security technologies into five "buckets":

authentication and authorization;

filtering/blocking/access control;

encryption and data validation;

audit, measurement, monitoring and detection tools;

computer software and physical security controls.

Both control engineers and IT management can use the document to understand the opportunities and limitations of deploying IT-based security methods in a real-time environment.

The document provides information on each technology regarding:
