Control Systems Security Program (CSSP)

Highlights

Program Announcements

The Strategy for Securing Control Systems (subsequently referred to as the Strategy) has been created by the U.S. Department of Homeland Security (DHS), National Cyber Security Division (NCSD), as part of the overall mission to coordinate and lead efforts to improve control systems security in the nation's critical infrastructures. The primary goal of the Strategy is to build a long-term common vision where effective risk management of control systems security can be realized through successful coordination efforts. Implementing the Strategy will create a common vision with respect to participation, information sharing, coalition building, and leadership activities. Its implementation will improve coordination among relevant stakeholders within government and the private sector, thereby reducing cybersecurity risks to control systems.
October 28, 2009

The first edition of the Roadmap to Secure Control Systems in the Chemical Sector was issued on September 1, 2009. The Roadmap describes a plan for voluntarily improving cybersecurity in the Chemical Sector. Download the roadmap.
September 3, 2009

DHS National Cyber Security Division Releases New Tool

The Cyber Security Evaluation Tool (CSET) is a new product of the Department of Homeland Security (DHS) National Cyber Security Division (NCSD). CSET assists organizations in protecting their key national cyber assets. It is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards. The output from CSET is a prioritized list of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial control cyber systems. Read more
[25 August 2009]

Common Cyber Security Vulnerabilities

The "Common Cyber Security Vulnerabilities Observed in DHS Industrial Control Systems Assessments" report presents results from 15 ICS assessments performed under the CSSP from 2004 through 2008. Although information found in individual stakeholder reports is protected from disclosure, the security of the critical infrastructure as a whole can be improved by sharing information on common security problems with those in industry responsible for developing and maintaining ICS. For this reason, vulnerability information was collected, analyzed, and organized in a way that the most prevalent issues could be identified and mitigated by those responsible for individual systems without disclosing the identity of the associated ICS product.

To read this report, click here. [22 July 2009]

Primer Control Systems Cyber Security Framework and Technical Metrics
July 15, 2009

The Department of Homeland Security Control Systems Security Program has developed a control systems cyber security framework and a set of technical metrics to aid owner-operators in managing control systems cyber security. The framework defines seven relevant cyber security dimensions and provides the foundation for managing control systems cyber security. Based on the developed control systems cyber security framework, a set of ten technical metrics associated with seven security dimensions are provided that allow control systems owner-operators to track improvements or degradations in their individual control systems security posture.

To learn more, click here.

Industrial Control Systems Joint Working Group
June 3, 2009

The Department of Homeland Security (DHS) Control Systems Security Program (CSSP) has established the Industrial Control Systems Joint Working Group (ICSJWG). This group will continue the successful public and private partnerships created by the Process Control System Forum (PCSF). The historical archives of the PCSF website can be found here.

International Conference Plays Cyber War Games
May 19, 2009

On the morning of April 2, a specialty chemical company came under cyber attack in a fictitious scenario. Aggressors hired by a competing company were trying to hack into the chemical processing systems. If the hackers succeeded, the company risked losing an early market share on a revolutionary chemical it planned to unveil. Teams at the chemical company worked tirelessly for the next 12 hours to defend the network and company secrets from attack.

This scenario was developed by the U.S. Department of Homeland Security (DHS) as part of an industrial control systems exercise to simulate real threats facing our nation's critical infrastructure, such as chemical facilities, power plants and communications networks. At the recent 2009 International Control Systems Cyber Security Advanced Training, sponsored by the DHS, the Control Systems Security Program (CSSP) worked to raise cyber awareness with the international community about the threats facing critical infrastructure. Read more.

Interview of the Director of the DHS Control System Security Program
March 25, 2009

Listen to Digital Bond's Dale Peterson interview Sean McGurk, the Director of the DHS Control System Security Program.

Article in Government Technology highlights new ICSJWG

The U.S. Department of Homeland Security has created a collaborative venture for public- and private-sector organizations in order to nip problems in the bud that are associated with industrial control systems--at least the ones that can be nipped by computer. The Control Systems Security Program (CSSP), offered by the Department of Homeland Security's National Cybersecurity Division, has created the Industrial Control Systems Joint Working Group (ICSJWG) to allow the federal government to work with vendors and state and local agencies to address high-tech issues in their operations. For more information, go to http://www.govtech.com/gt/articles/625825
March 9, 2009

A presentation on the Cyber Security Procurement Language for Control Systems was given at the SANS Process Control & SCADA Security Summit 2009. Download the presentation that was given and/or the document itself.
February 5, 2009

Recommended Practice for Patch Management of Control Systems
December 17, 2008

Patch management of industrial control systems is critical to resolve security vulnerabilities and functional issues. The objective of a patch management program is to create a consistently configured environment that is secure against known vulnerabilities in operating system and application software. However, a single solution does not exist that adequately addresses the patch management processes of both traditional information technology (IT) data networks and industrial control systems (ICSs). While IT patching typically requires relatively frequent downtime to deploy critical patches, any sudden or unexpected downtime of ICSs can have serious operational consequences. As a result, there are more stringent requirements for patch validation prior to implementation in ICS networks. The Department of Homeland Security (DHS) Control Systems Security Program (CSSP) recognizes that control systems owners/operators should have an integrated plan that identifies a separate approach to patch management for ICS. This document specifically identifies issues and recommends practices for ICS patch management in order to strengthen overall ICS security.

Recommended Practice: Creating Cyber Forensics Plans for Control Systems
August 25, 2008

This document addresses the issues encountered in developing and maintaining a cyber forensics plan for control systems environments. This recommended practice supports forensic practitioners in creating a control systems forensics plan, and assumes evidentiary data collection and preservation using forensic best practices. The goal of this recommended practice is not to reinvent proven methods, but to leverage them in the best possible way. As such, the material in this recommended practice provides users with the appropriate foundation to allow these best practices to be effective in a control systems domain.

Cyber Security Procurement Language for Control Systems
August 20, 2008

The Cyber Security Procurement Language for Control Systems summarizes security principles that should be considered when developing system specifications and procuring control systems products (software, systems, and networks) and provides example language to incorporate into procurement specifications. The guidance is offered as a resource for informative use; it is not intended as a policy or standard. This document serves as a "tool kit" designed to reduce cyber security risks in control systems through the procurement cycle to assist with the management of known vulnerabilities and weaknesses by delivering more secure systems, and enables asset owners to request security "built-in" rather than "bolted on."

NIST released Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems. This publication provides comprehensive assessment procedures for the security controls in NIST Special Publication 800-53 (as amended) and important guidance for federal agencies in building effective security assessment plans.
July 2, 2008

GAO Examined Tennessee Valley Authority Information Security Practices Protecting its Control Systems
June 11, 2008

The United States Government Accountability Office (GAO) was asked to determine whether the Tennessee Valley Authority (TVA), a federal corporation and the nation's largest public power company, has implemented appropriate information security practices to protect its control systems. The GAO examined the security practices in place at several TVA facilities; analyzed the agency's information security policies, plans, and procedures against federal law and guidance; and interviewed agency officials who are responsible for overseeing TVA's control systems and their security. What GAO found.

Critical Infrastructure and Control Systems Security Curriculum
June 11, 2008

The Critical Infrastructure and Control Systems Security Curriculum is designed as a tool to be employed by an instructor for use in creating a masters-level professional course on Critical Infrastructure and Control Systems Security. The objective of any course constructed with this tool will be to convey fundamental organizational and economic principles required to (1) effectively manage high-impact risk to infrastructure services, and (2) design and implement public policies and business strategies that mitigate such risks. Even though many of the case examples are drawn from control systems, the principles will apply to other critical infrastructure situations.

Three white papers, "Understanding OPC and How it is Deployed", "OPC Exposed", and "Hardening Guidelines for OPC Hosts", provide an overview of OPC Technology and how it is actually deployed in industry, outline the risks and vulnerabilities incurred in deploying OPC in a control systems environment, and summarize current good practices for securing OPC applications running on Windows-based hosts.
January 14, 2008

Online training - OPSEC for Control Systems
January 14, 2008

This innovative, web-based course introduces control systems employees to the basic concepts of operations security (OPSEC) and applies these concepts to the control system environment. Course lessons let you check your understanding of the concepts with interactive exercises in which you explore different environments to discover problems. You even have the opportunity to play the "bad guy" and try to disrupt a competitor's manufacturing process.
Check out the training course OPSEC for Control Systems.

Catalog of Control Systems Security: Recommendations for Standards Developers
January 14, 2008

This catalog presents a compilation of practices that various industry bodies have recommended to increase the security of control systems from both physical and cyber attacks. It is not limited for use by a specific industry sector but can be used by all sectors to develop a framework needed to produce a sound cyber security program. It should be viewed as a collection of recommendations to be considered and judiciously employed, as appropriate, when reviewing and developing cyber security standards for control systems. The recommendations in this catalog are intended to be broad enough to provide any industry using control systems the flexibility needed to develop sound cyber security standards specific to their individual security needs.

A December 10, 2007 SANS Consensus Document details successful projects undertaken by US government agencies to implement the National Strategy to Secure Cyberspace.
December 19, 2007

Cyber Security Response to Physical Security Breaches
November 28, 2007

Physical break-ins and other unauthorized entries into critical infrastructure locations, such as electrical power substations, have historically been viewed as traditional property crimes where trespass, theft, and vandalism were the motives. However, the current trend of using computer networks to remotely monitor and control unmanned facilities has also increased the possibility that these physical property crimes could be used to conceal less discernible cyber crimes. A topical paper has been prepared and posted on the US-CERT website that provides discussion and guidance for the security managers of these facilities. This paper, "Cyber Security Response to Physical Security Breaches," utilizes an electrical substation break-in scenario to illustrate steps that can be taken to assist security managers to determine whether a cyber security intrusion may have occurred. It offers a process for escalation of the investigation to determine the extent of the intrusion and steps to initiate a recovery to a known state. Feedback is welcome and can be sent to cssp@hq.dhs.gov.

The Chemical Sector Cyber Security Program has announced the release of a guidance document outlining the Department of Homeland Security's Protected Critical Infrastructure Information Program.
August 22, 2007
"Using the Protected Critical Infrastructure Information (PCII) Program to Share Information with the Department of Homeland Security" is a first step in helping chemical companies develop practices and obtain information so that they can share information with DHS in a secure manner.

Recommended Practices Guide Securing ZigBee Wireless Networks in Process Control System Environments (Draft) released
July 11, 2007
This paper addresses design principles and best practices regarding the secure implementation and operation of ZigBee wireless networks. Its focus is on the secure deployment of ZigBee networks in industrial environments, such as manufacturing and process automation facilities.

ZigBee is a protocol specification and industry standard for a type of wireless communications technology generically known as Low-Rate Wireless Personal Area Networks (LR-WPAN). LR-WPAN technology is characterized by low-cost, low-power wireless devices that self-organize into a short-range wireless communication network to support relatively low throughput applications such as distributed sensing and monitoring.

The document begins with a conceptual overview of LR-WPAN technology and the role that the ZigBee protocol plays in the development and standardization process. A section on the IEEE 802.15.4 specification upon which ZigBee is based is then presented, followed by a description of the ZigBee standard and its various components. A following section describes the ZigBee security architecture, services, and features. Next, a section on secure LR-WPAN network design principles is presented, followed by a list of specific recommended security best practices that can be used as a guideline for organizations considering the deployment of ZigBee networks. Finally, a section on technical issues and special considerations for installations of LR-WPAN networks in industrial environments is presented. A concluding section summarizes key points and is followed by a list of technical references related to the topics presented in this document.

New recommended practices and supporting document
February 28, 2007
Drafts of recommended practices "Securing WLANs Using 802.11i," and "Using Operational Security (OPSEC) to support a Cyber Security Culture in Control Systems Environments," and supporting document, "Recommended Practice Case Study: Cross-Site Scripting," have been posted to the Recommended Practices website to assist asset owners and operators in security techniques to reduce the risk of cyber attacks. "Securing WLANs Using 802.11i" addresses design principles and best practices regarding the secure implementation and operation of Wireless LAN (WLAN) communication networks based on the IEEE 802.11 protocol. "Using Operational Security (OPSEC) to support a Cyber Security Culture in Control Systems Environments" reviews several key operational cyber security elements that are important for control systems and industrial networks and how those elements can drive the creation of a cyber security-sensitive culture. In doing so, it provides guidance and direction for developing operational security strategies including: creating cyber OPSEC plans for control systems, embedding cyber security into the operations life cycle, and creating technical and nontechnical security mitigation strategies. "Recommended Practice Case Study: Cross-Site Scripting" describes the details of an information security attack, known as cross-site scripting, which could be used against control systems, and explains practices to mitigate this threat.

Web-based cyber security training
February 13, 2007
The web-based training, "Cyber Security for Control Systems Engineers & Operators," is intended for control system (also referred to as SCADA, DCS, or PCS) employees whose primary job is not cyber security. The training consists of five lessons covering threats, risks, cyber attacks, risk assessments and mitigations for control systems. The "Threats and Risks" lesson describes the security threats to control systems and provides examples to illustrate these threats. The "Specific Risks to Control Systems" lesson provides a demo of a control system cyber attack and discusses some of the specific risks to control systems. The "Cyber Attacks" lesson introduces the cyber attack process. The "Risk Assessment and Mitigation Overview" lesson defines terms used to describe risk assessment and mitigation and provides an overview of the process. Finally, the "Mitigation for Control Systems" lesson discusses cyber security concerns specific to control systems and describes methods for mitigating some of these risks. The training will take about 50 minutes to complete.

To connect to the training:

  1. Click here to access the training site and click on "create an account now"
  2. Enter registration information and click "Submit"
  3. Enter your newly created userid/password, which are the email address you entered and the password you chose.
  4. Click on "Cyber Security for Control Systems Engineers & Operators"
  5. You will be asked to complete a short demographic survey prior to beginning the training on the page titled "Please Tell Us About Yourself"
  6. After clicking submit, you'll be taken to a "Registration Complete" page.
  7. Simply click on "Cyber Security for Control Systems Engineers & Operators" to begin the training. The registration process occurs only once, but allows us to create an account that can be used multiple times (leave and return to the training as many times as you like) along with gathering information about those that access the training.
The first screen of the training gives an overview of how to use the interactive environment of online learning effectively along with giving the course overview. This training was developed through the Control Systems Security Program, established by the U.S. Department of Homeland Security National Cyber Security Division.

NIAC makes public report
February 13, 2007
The National Infrastructure Advisory Council (NIAC) provides the President, through the Secretary of Homeland Security, with advice on the security of the critical infrastructure sectors and their information systems. The Council has made public a report it approved January 16, 2007: Convergence of Physical and Cyber Technologies and Related Security Management Challenges Working Group Final Report and Recommendations. Their other reports and recommendations can be found at http://www.dhs.gov/niac.

Potential Vulnerabilities in Municipal Communications Networks
December 5, 2006
Potential Vulnerabilities in Municipal Communications Networks provides a discussion of risks associated with the integration of local networks and recommendations to aid city managers in establishing and maintaining protection of these integrated networks. The whitepaper was written by the DHS National Cyber Security Division, Control Systems Security Program to increase city managers' awareness of the increased risk and unintended consequences that may result from the integration of local networks.

DHS recognizes that the upgrading of network technologies in municipalities to improve the efficiency of operations by connecting previously independent systems and to provide new sources of revenue is a prevalent practice. The maintenance of adequate cyber security to protect both the information and physical infrastructure is a significant issue when municipal managers take advantage of these technologies.