Control Systems Security Program (CSSP)
Information Products
- CSSP Year in Review -- FY 2011
October 2011 - Catalog of Control Systems Security: Recommendations for Standards Developers
April 2011 - Common Cyber Security Vulnerabilities in Industrial Control
Systems
May 2011 - Cyber Security Assessments of Industrial Control Systems
November 2010 - Configuring and Managing Remote Access for Industrial Control Systems
November 2010 - Primer Control Systems Cyber Security Framework and Technical Metrics
June 2009 - Cyber Security Procurement Language for Control Systems
September 2009 - Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies
October 2009 - Developing an Industrial Control Systems Cybersecurity Incident Response Capability
October 2009 - Control Systems Communications Encryption Primer
December 2009 - Securing Control System Modems
January 14, 2008 - Critical Infrastructure and Control Systems Security Curriculum
March 2008 - Creating Cyber Forensics Plans for Control Systems
August 2008 - Recommended Practice for Patch Management of Control Systems
December 2008 - Recommended Practice Case Study: Cross-Site Scripting
February 2007 - Securing WLANs Using 802.11i (draft)
February 2007 - Using Operational Security (OPSEC) to Support a Cyber Security Culture in Control Systems Environments (draft)
February 2007 - Securing ZigBee Wireless Networks in Process Control System Environments (draft)
April 2007 - Securing your SCADA and Industrial Control Systems
June 2007 - Cyber Security Response to Physical Security Breaches
November 2007 - Security Implications of OPC, OLE, DCOM, and RPC in Control Systems
January 2006 (US-CERT secured portal) - Potential Vulnerabilities in Municipal Communications Networks
December 2006 - Backdoors and Holes in Network Perimeters: A Case Study for Improving Your Control System Security
August 2005 - Attack Methodology Analysis: SQL Injection Attacks
September 2005 (US-CERT secured portal) - An Undirected Attack Against Critical Infrastructure: A Case Study for Improving your Control System Security
September 2005 - Personnel Security Guidelines
September 2004
- Configuring and Managing Remote Access for Industrial Control Systems
Centre for the Protection of National Infrastructure (CPNI), Control Systems Security Program (CSSP). This paper examines control system network architectures and explores good practice on remote access. Length is 67 pages. April 2011. - 21 Steps to Improve Cyber Security of SCADA Networks
Office of Energy Assurance, Office of Independent Oversight and Performance Assurance, U.S. Department of Energy. If you prefer a list of cybersecurity improvements, then read this short, 10-page document. - Study of Security Attributes of Smart Grid Systems - Current Cyber Security Issues
U.S. Department of Energy Office of Electricity Delivery and Energy Reliability, National SCADA Test Bed (NSTB). This report introduces Smart Grid architecture and identifies cybersecurity concerns with current and past implementations. Length is 39 pages. April 2009. - Good Practice Guide - Process Control and SCADA Security
The Centre for the Protection of National Infrastructure (CPNI) produced this document that provides good practice guidelines for process control and SCADA systems. Length is 26 pages. - CPNI SCADA Documents and Website
Nine Process Control and SCADA Security documents are available for download at the Centre for the Protection of National Infrastructure (CPNI) website. - Common Cyber Security Vulnerabilities Observed in Control System Assessments by the INL NSTB Program
Idaho National Laboratory (INL) National SCADA Test Bed (NSTB). This paper examines common cyber vulnerabilities found in electric power SCADA systems and explains how to mitigate them. Length is 55 pages. November 2008. - Critical Infrastructure Protection -
Challenges and Efforts to Secure Control Systems
U.S. General Accounting Office (GAO). This information-packed report to Congress recommends improvement of control system security and explores the current trends and threats to these systems. Length is 74 pages. March 2004. - Cyberspace Policy Review - Assuring a Trusted and Resilient Information and Communications Infrastructure
President Obama ordered a comprehensive review of cybersecurity strategy, policy, and standards as a starting point for developing broad goals to protect cyberspace communication infrastructure. Length is 76 pages. May 2009. - Cyber Storm Exercise Report
Department of Homeland Security National Cyber Security Division. A mock cyber attack scenario on multiple government and private entities is described in this report, and significant findings of the exercise are reported. Length is 23 pages. September 12, 2006. - EPA Needs to Determine What Barriers Prevent Water Systems from Securing Known Supervisory Control and Data Acquisition (SCADA) Vulnerabilities
United States Environmental Protection Agency, Office of Inspector General
Final Briefing Report - 2005-P-00002. This report identifies well-known system vulnerabilities found in SCADA networks and then explores why water asset owners are slow to implement cybersecurity protection. Length is 44 pages. January 6, 2005. - Lessons Learned From Cyber Security Assessments of SCADA and Energy Management Systems
U.S. Department of Energy Office of Electricity Delivery and Energy Reliability, National SCADA Test Bed (NSTB). This document represents a survey and classification of vulnerabilities found in actual testbed SCADA systems and presents the necessary steps to mitigate their impact. Length is 29 pages. September 2006. - National Infrastructure Protection Plan - Partnering to Enhance Protection and Resiliency
A plan for protecting critical infrastructure and key resources of the United States is the subject of this document. Length is 188 pages. 2009. - North American Electric Reliability Council (NERC) Reliability Standards
The Critical Infrastructure Protection (CIP) tab on the NERC web page contains NERC standards for cybersecurity that can be applied to other industries as well. - Process Control Systems in the Chemical Industry: Safety vs. Security
Idaho National Laboratory. This short, eight-page document makes the case for cybersecurity in the chemical industry. April 2005. - Roadmap to Secure Control Systems in the Chemical Sector
Prepared by Chemical Sector Roadmap Working Group, sponsored by the U.S. Department of Homeland Security and the Chemical Sector Coordinating Council. This Chemical Sector working group has developed five goals along with milestones to implementing a cybersecurity strategy. Length is 76 pages. September 2009. - Strategy for Securing Control Systems - Coordinating and Guiding Federal, State and Private Sector Initiatives
Department of Homeland Security (DHS) National Cyber Security Division. This DHS document develops and describes a strategy to protect the United States' critical infrastructure and key resources. Length is 128 pages. October 2009. - Top 10 Vulnerabilities of Control Systems and Their Associated Mitigations, 2007
North American Electric Reliability Council Control Systems Security Working Group and U.S. Department of Energy National SCADA Test Bed Program. This short, eight-page document lists 10 top vulnerabilities found in control systems and offers a graded approach to mitigating them. December 7, 2006. - Wireless Procurement Language in Support of Advanced Metering Infrastructure Security
U.S. Department of Energy Office of Electricity Delivery and Energy Reliability, National SCADA Test Bed. This document explains procurement language specifications for procuring wireless products integrated in advanced metering infrastructure. Length is 38 pages. August 2009.
- Control System Security Poster
January 2007 - Control System Security Program Fact Sheet
January 2011 - Cyber Security Evaluation Tool (CSET) Fact Sheet
January 2011 - Cyber Security Procurement Language for Control Systems Brochure
April 2009 - Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
January 2011 - Industrial Control Systems Joint Working Group (ICSJWG)
January 2011 - National Cybersecurity and Communications Integration Center (NCCIC)
January 2011 - Strategy for Securing Control Systems Fact Sheet
- Incident Handling Brochure