
GarrettCom Ethernet Networks and Web Management User Manual


security vulnerabilities addressed by this technology;

typical deployment;

known issues and weaknesses;

assessment of use in the manufacturing and control system environment.

In addition, it discusses anticipated future directions, offers recommendations and guidance, and points the reader to information sources and reference material.

While TR1 can be considered a primer, TR2 offers more comprehensive information regarding methodologies and components necessary to create a complete security program, and suggests a process to implement more secure systems. Since most control systems are a combination of newer and legacy components, rather than a “built-from-scratch” environment, each system will require individual evaluation.

Today, SP99 is developing a draft of the first of what will be a series of industry standards related to manufacturing security.

The NIST PCSRF’s System Protection Profile for Industrial Control Systems (SPP-ICS), released in 2004, is a baseline document that states necessary industrial security requirements at an implementation-independent level. It will be used to create security specifications for specific systems and components, such as a water treatment system or a power substation.

The NIST PCSRF includes a number of members of the SP99 Committee, and is chartered to define common information security requirements for process control systems in the future. The Forum consists of more than 450 members from government, academic, and private sectors.

The current document is an extension of ISO/IEC 15408 Common Criteria. Common Criteria is widely used in secure government operations, such as the FAA. The SPP-ICS looks at these concepts in relation to industrial automation. Industrial facilities can use it to specify security functional requirements for new systems. At the same time, vendors can use it to demonstrate assurance that their products meet these security requirements.
