skip to main content
OSTI.GOV title logo U.S. Department of Energy
Office of Scientific and Technical Information

Title: A Survey of Security Tools for the Industrial Control System Environment

Abstract

This report details the results of a survey conducted by Idaho National Laboratory (INL) to identify existing tools which could be used to prevent, detect, mitigate, or investigate a cyber-attack in an industrial control system (ICS) environment. This report compiles a list of potentially applicable tools and shows the coverage of the tools in an ICS architecture.

Authors:
 [1];  [1]
  1. Idaho National Lab. (INL), Idaho Falls, ID (United States)
Publication Date:
Research Org.:
Idaho National Lab. (INL), Idaho Falls, ID (United States)
Sponsoring Org.:
USDOE Office of Nuclear Energy (NE)
OSTI Identifier:
1376870
Report Number(s):
INL/EXT-17-42229
TRN: US1800557
DOE Contract Number:
AC07-05ID14517
Resource Type:
Technical Report
Country of Publication:
United States
Language:
English
Subject:
42 ENGINEERING; CONTROL SYSTEMS; SECURITY; COMPUTERIZED CONTROL SYSTEMS; Controls Cyber; ICS; Industrial Control System Cyber Security

Citation Formats

Hurd, Carl M., and McCarty, Michael V. A Survey of Security Tools for the Industrial Control System Environment. United States: N. p., 2017. Web. doi:10.2172/1376870.
Hurd, Carl M., & McCarty, Michael V. A Survey of Security Tools for the Industrial Control System Environment. United States. doi:10.2172/1376870.
Hurd, Carl M., and McCarty, Michael V. Mon . "A Survey of Security Tools for the Industrial Control System Environment". United States. doi:10.2172/1376870. https://www.osti.gov/servlets/purl/1376870.
@article{osti_1376870,
title = {A Survey of Security Tools for the Industrial Control System Environment},
author = {Hurd, Carl M. and McCarty, Michael V.},
abstractNote = {This report details the results of a survey conducted by Idaho National Laboratory (INL) to identify existing tools which could be used to prevent, detect, mitigate, or investigate a cyber-attack in an industrial control system (ICS) environment. This report compiles a list of potentially applicable tools and shows the coverage of the tools in an ICS architecture.},
doi = {10.2172/1376870},
journal = {},
number = ,
volume = ,
place = {United States},
year = {Mon Jun 12 00:00:00 EDT 2017},
month = {Mon Jun 12 00:00:00 EDT 2017}
}

Technical Report:

Save / Share:
  • Cyber security standards, guidelines, and best practices for control systems are critical requirements that have been delineated and formally recognized by industry and government entities. Cyber security standards provide a common language within the industrial control system community, both national and international, to facilitate understanding of security awareness issues but, ultimately, they are intended to strengthen cyber security for control systems. This study and the preliminary findings outlined in this report are an initial attempt by the Control Systems Security Center (CSSC) Standard Awareness Team to better understand how existing and emerging industry standards, guidelines, and best practices address cybermore » security for industrial control systems. The Standard Awareness Team comprised subject matter experts in control systems and cyber security technologies and standards from several Department of Energy (DOE) National Laboratories, including Argonne National Laboratory, Idaho National Laboratory, Pacific Northwest National Laboratory, and Sandia National Laboratories. This study was conducted in two parts: a standard identification effort and a comparison analysis effort. During the standard identification effort, the Standard Awareness Team conducted a comprehensive open-source survey of existing control systems security standards, regulations, and guidelines in several of the critical infrastructure (CI) sectors, including the telecommunication, water, chemical, energy (electric power, petroleum and oil, natural gas), and transportation--rail sectors and sub-sectors. During the comparison analysis effort, the team compared the requirements contained in selected, identified, industry standards with the cyber security requirements in ''Cyber Security Protection Framework'', Version 0.9 (hereafter referred to as the ''Framework''). For each of the seven sector/sub-sectors listed above, one standard was selected from the list of standards identified in the identification effort. The requirements in these seven standards were then compared against the requirements given in the Framework. This comparison identified gaps (requirements not covered) in both the individual industry standards and in the Framework. In addition to the sector-specific standards reviewed, the team compared the requirements in the cross-sector Instrumentation, Systems, and Automation Society (ISA) Technical Reports (TR) 99 -1 and -2 to the Framework requirements. The Framework defines a set of security classes separated into families as functional requirements for control system security. Each standard reviewed was compared to this template of requirements to determine if the standard requirements closely or partially matched these Framework requirements. An analysis of each class of requirements pertaining to each standard reviewed can be found in the comparison results section of this report. Refer to Appendix A, ''Synopsis of Comparison Results'', for a complete graphical representation of the study's findings at a glance. Some of the requirements listed in the Framework are covered by many of the standards, while other requirements are addressed by only a few of the standards. In some cases, the scope of the requirements listed in the standard for a particular industry greatly exceeds the requirements given in the Framework. These additional families of requirements, identified by the various standards bodies, could potentially be added to the Framework. These findings are, in part, due to the maturity both of the security standards themselves and of the different industries current focus on security. In addition, there are differences in how communication and control is used in different industries and the consequences of disruptions via security breaches to each particular industry that could affect how security requirements are prioritized. The differences in the requirements listed in the Framework and in the various industry standards are due, in part, to differences in the level and purpose of the standards. While the requirements in the Framework are fairly specific, many of the industry standard requirements are more general in nature. Additionally, the Framework requirements, derived from the ''Common Criteria for Information Technology Security Evaluation'', are component-based, while most of the industry standards are system-based. The findings of this study will allow the CSSC Framework Team and the standards organizations responsible for the reviewed standards to quickly grasp the relationship between their requirements and the Framework, as well as the relationship between their standard and other industry sectors. This will help identify areas for future work in developing improved security standards.« less
  • This fact sheet describes how the Industrial Technologies Program steam software tools can help industrial plants identify steam system improvements to save energy and money.
  • There seems to be little real help for the new system administrator of a UNIX system with regards to system security. This is especially true if the person is coming from a different operating system. To help the administrator to learn the security features on the system, and some possible security holes, there needs to be a set of tools that can be used to audit the system and teach the administrator, or user, where some problems might be. A set of tools designed for this purpose is described within. 11 refs.
  • Contents: Framework for Analysis; Approach; Briefings; Proposed Study Assignments; and Way Ahead.