Control Systems Security Program (CSSP)
Information Products
- Attack Methodology Analysis: SQL Injection Attacks

September 2005 (US-CERT secured portal) - Backdoors and Holes in Network Perimeters: A Case Study for Improving Your Control System Security

August 2005 - Catalog of Control Systems Security: Recommendations for Standards Developers

September 2009 - Common Control System Vulnerability

November 2005 - Control Systems Communications Encryption Primer

December 2009 - Creating Cyber Forensics Plans for Control Systems

August 2008 - Common Cyber Security Vulnerabilities Observed in DHS Industrial Control Systems Assessments

July 2009 - Critical Infrastructure and Control Systems Security Curriculum

March 2008 - Cyber Security Procurement Language for Control Systems

September 2009 - Cyber Security Response to Physical Security Breaches

November 2007 - A Comparison of Electrical Sector Cyber Security Standards and Guidelines

October 2004 - A Comparison of Oil and Gas Segment Cyber Security Standards

November 2004 - Developing an Industrial Control Systems Cybersecurity Incident Response Capability

October 2009 - Personnel Security Guidelines

September 2004 - Potential Vulnerabilities in Municipal Communications Networks
December 2006 - Primer Control Systems Cyber Security Framework and Technical Metrics

June 2009 - Recommended Practice Case Study: Cross-Site Scripting

February 2007 - Recommended Practice for Patch Management of Control Systems

December 2008 - Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies

October 2009 - Security Implications of OPC, OLE, DCOM, and RPC in Control Systems

January 2006 (US-CERT secured portal) - Securing Control System Modems

January 14, 2008 - Securing WLANs Using 802.11i (draft)

February 2007 - Securing your SCADA and Industrial Control Systems

June 2007 - Securing ZigBee Wireless Networks in Process Control System Environments (draft)

April 2007 - An Undirected Attack Against Critical Infrastructure: A Case Study for Improving your Control System Security

September 2005 - Using Operational Security (OPSEC) to Support a Cyber Security Culture in Control Systems Environments (draft)

February 2007
- 10 Control System Security Threats
April 1, 2007
Peter Welander
Control Engineering - Becoming NERC CIP-Compliant
September 2007
Jay Abshier
Control - The Blueprint to Security
March 8, 2007
Idaho National Laboratory - Cyber assessment methods: Here is the plan for enhancing control system security.
November 1, 2005
By May Robin Permann and Kenneth Rohde
InTech - Defense in Cyberspace - Beating Cyber Threats That Target Mesh Networks
September 2008
Trent Nelson and Jeff Becker
InTech - The DHS Control Systems Security Program

3rd Quarter 2006
John Hammer, Jeffrey Hahn, Trent Nelson, Julio Rodriguez, Jeffrey Tebbe
UTC Journal - Forget the Silos, Build the Bridges
December 2007
Eric Byres, Jim Bauhs, and Brian Mason
InTech - Hacktivism Attacks May Rise, Homeland Security Official Warns
August 22, 2007
Carolyn Duffy Marsan
Network World - Industrial Network Integrity
October 1, 2006
Ian Verhappen and Eric Byres
InTech - Infrastructure Protection in the Ancient World
January 2009
Michael J. Assante, INL Proceedings of the 42nd Hawaii International Conference on System Sciences - 2009 - Insidious threat to control systems
January 01, 2005
By Eric Byres and Justin Lowe
InTech - The Invisible Threat
September 2007
Dan Hebert
Industrial Networking - Lessons In Cyber Security
April 2007
Wes Iversen
AutomationWorld - Look to Standards for Secure Plants
May 1, 2006
By Robert Evans
InTech - Oil and Gas Processor Goes Wireless on the LAN, Proper Data Protection is a Mandatory Requirement to Ensure PAN Communications' Security and Safety
April 1, 2007
Mohammed Al-Saeed, Soliman Al-Walaie, and Mojed Al-Subaie
InTech - SCADA State of Denial
April 16, 2007
Kelly Jackson Higgins
Dark Reading - Securing Legacy Control Systems
July 1, 2009
Peter Welander
Control Engineering - Security Incidents and Threats in SCADA and Process Industries
May 2007
Eric Byres, David Leversage, and Nate Kube
Industrial Ethernet Book - Sniffing out rats - Government regulations steering chemical industry's security tactics to safeguard against intruders
August 2007
Ellen Fussell Policastro
InTech - Sound Security Strategy, Whether Military, Physical, or Cyber Security, is the Concept of "Defense in Depth" -- Firewalls Don't Fail Me Now
March 1, 2007
Eric Byres
InTech - U.S. makes securing SCADA systems a priority
October 28, 2005
Robert Lemos
SecurityFocus - Uncovering Cyber Flaws - To ensure the safety and security of the process, company, and staff, find the vulnerabilities and break a negative chain of events
January 2006
Eric Byres and Matthew Franz
InTech - What Happens in Plant Stays in Plant
March 1, 2007
May Permann, John Hammer, Ken Rohde, and Kathy Lee
InTech - Wolves at the Door(s) of the House of Straw
December 11, 2007
Eric Byres
Control Global - Wolves at the Security House Door(s), Part 2
January 2008
Eric Byres
Control Global
- 21 Steps to Improve Cyber Security of SCADA Networks
Office of Energy Assurance
Office of Independent Oversight And Performance Assurance
U.S. Department of Energy. - Attributes of Smart Grid Systems - Current Cyber Security Issues
U.S. Department of Energy Office of Electricity Delivery and Energy Reliability, National SCADA Test Bed
April 2009 - Centre for the Protection of National Infrastructure (CPNI), Good practice guidelines
CPNI provides integrated (combining information, personnel and physical) security advice to the businesses and organizations which make up the national (U.K.) infrastructure. - Centre for the Protection of National Infrastructure (CPNI) SCADA
Nine Process Control and SCADA Security documents are available for download. - Common Cyber Security Vulnerabilities Observed in Control System Assessments by the INL NSTB Program

Idaho National Laboratory
November 2008 - Critical Infrastructure Protection - "Challenges and Efforts to Secure Control Systems"

- Cyberspace Policy Review - Assuring a Trusted and Resilient Information and Communications Infrastructure,
May 2009
Cyber Storm Exercise Report
DHS National Cyber Security Division
September 12, 2006 - EPA Needs to Determine What Barriers Prevent Water Systems from Securing Known Supervisory Control and Data Acquisition (SCADA) Vulnerabilities

United States Environmental Protection Agency, Office of Inspector General
Final Briefing Report - 2005-P-00002
January 6, 2005 - Federal Energy Regulatory Commission Staff Preliminary Assessment of the North American Electric Reliability Corporation's Proposed Mandatory Reliability Standards on Critical Infrastructure Protection

December 11, 2006 - GAO Report to Congressional Requesters, GAO-04-354

March 2004 - Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks
February 2005 - Lessons Learned From Cyber Security Assessments of SCADA and Energy Management Systems

U.S. Department of Energy Office of Electricity Delivery and Energy Reliability, National SCADA Test Bed
September 2006 - National Infrastructure Protection Plan - Partnering to Enhance Protection and Resiliency 2009
- National Strategy to Secure Cyberspace February 2003
- North American Electric Reliability Council (NERC) Reliability Standards including Critical Infrastructure Protection (CIP) standards
Although the nine CIP standards available for download were written for the electricity sector, the ideas presented have much broader application. - North American Electric Reliability Council (NERC) Security Guidelines for the Electricity Sector
The Library of CIP Documents page on the ESISAC (Electricity Sector Information Sharing and Analysis Center) website has seventeen NERC Security Guidelines available for download. The ideas presented have wider application beyond the electricity sector. - OPC Security White Paper #1 Understanding OPC and How it is Deployed, Digital Bond, British Columbia Institute of Technology, and Byres Research. An introduction to what OPC is, what are its basic components and how it is actually deployed in the real world.

July 2007 - OPC Security White Paper #2 OPC Exposed, Digital Bond, British Columbia Institute of Technology, and Byres Research. What are the risks and vulnerabilities incurred in deploying OPC in a control environment?

November 2007 - OPC Security White Paper #3 Hardening Guidelines for OPC Hosts, Digital Bond, British Columbia Institute of Technology, and Byres Research. How can a server or workstation running OPC be secured in a simple and effective manner?

November 2007 - Process Control Systems in the Chemical Industry: Safety vs. Security

Idaho National Laboratory
April 2005 - Roadmap to Secure Control Systems in the Chemical Sector

Prepared by Chemical Sector Roadmap Working Group, Sponsored by U.S. Department of Homeland Security and the Chemical Sector Coordinating Council
September 2009 - SCADA and Control Systems Procurement Project: Cyber Security Procurement Language for Control Systems
- Strategy for Securing Control Systems
DHS National Cyber Security Division
October 2009 - Top 10 Vulnerabilities of Control Systems and Their Associated Mitigations, 2007
North American Electric Reliability Council Control Systems Security Working Group and U.S. Department of Energy National SCADA Test Bed Program
December 7, 2006 - Wireless Procurement Language in Support of Advanced Metering Infrastructure Security
U.S. Department of Energy Office of Electricity Delivery and Energy Reliability, National SCADA Test Bed
August 2009
- Control System Security Poster
January 2007 - Control System Security Program Fact Sheet
April 2009 - Cyber Security Evaluation Tool (CSET) Fact Sheet
August 2009 - Cyber Security Procurement Language for Control Systems Brochure
April 2009 - Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
November 2009 - Industrial Control Systems Joint Working Group (ICSJWG)
November 2009 - Strategy for Securing Control Systems Fact Sheet

