Official website of the Department of Homeland Security
This page provides an extensive bibliography of references and standards associated with control system cyber topics. The list is categorized as follows with web links provided where applicable:
- Cyber Security Policy Planning and Preparation
- Establishing Network Segmentation, Firewalls, and DMZs
- Patch, Password, and Configuration Management
- Control System Cyber Security Training for Engineers, Technicians, Administrators, and Operators
- Establishing and Conducting Asset, Vulnerability, and Risk Assessments
- Control System Security Procurement Requirements Specification
- Placement and Use of IDSs and IPDSs
- Authentication, Authorization, and Access Control For Direct and Remote Connectivity
- Securing Wireless Connections
- Use of VPNs and Encryption in Securing Communications
- Establishing a Secure Topology and Architecture
- Applying and Complying with Security Standards
- Ensuring Security when Modernizing and Upgrading
Cyber Security Policy Planning and Preparation
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (the Framework), February 2014.
- NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, May 2015.
- NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
- NIST SP 800-184, Guide for Cybersecurity Event Recovery, December 2016.
- ANSI/ISA-62443-2-1 (99.02.01)-2009 - Security for Industrial Automation and Control Systems:
Establishing an Industrial Automation and Control Systems Security Program (www.isa.org/standards).
Additional Information
- 21 Steps to Improve Cyber Security of SCADA Networks," Office of Energy Assurance, Office of Independent Oversight And Performance Assurance, U.S. Department of Energy.
- Kilman, D. and Stamp, J. "Framework for SCADA Security Policy," Sandia Corporation. 2005.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
- NIST SP 800-64 Rev 2, Security Considerations in the System Development Life Cycle, October 2008.
- NIST SP 800-160, System Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, November 2016.
Establishing Network Segmentation, Firewalls, and DMZs
- Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks,
Centre for the Protection of National Infrastructure (CPNI), London, 2005. - NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, May 2015.
Additional Information
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
- Control Systems Cyber Security: Defense in Depth Strategies, September 2016, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
Patch, Password, and Configuration Management
- NIST SP: 800-118, Guide to Enterprise Password Management (Draft)
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- NIST SP: 800-40, Creating a Patch and Vulnerability Management Program, 2005.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- Dzung, D., Naedele, M., Von Hoff, T., and Crevatin, M. "Security for Industrial Communication Systems," Proceedings of the IEEE. Institute of Electrical and Electronics Engineers Inc. 2005.
- NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, May 2015.
- NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
Additional Information
- Ashier, J. and Weiss, J. "Securing your Control System,"2004.
- Wooldridge, S. "SCADA/Business Network Separation: Securing an Integrated System," 2005.
- "21 Steps to Improve Cyber Security of SCADA Networks," Office of Energy Assurance, Office of Independent Oversight And Performance Assurance, U.S. Department of Energy.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
Control System Cyber Security Training for Engineers, Technicians, Administrators, and Operators
- Wilson, Mark, Hash, Joan, NIST SP: 800-50, Building an Information Technology Security Awareness and Training Program, 2003.
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, May 2015.
- NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
Additional Information
- Boyes, W. "Security is More than Hating Microsoft," May 31, 2005.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
Establishing and Conducting Asset, Vulnerability, and Risk Assessments
- Rinaldi, et al, Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies, IEEE Control Systems Magazine, 2001.
- GAO-04-354, Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems, U.S. GAO, 2004.
- Stamp, Jason, et al., Common Vulnerabilities in Critical Infrastructure Control Systems, Sandia National Laboratories, 2003.
- Duggan, David, et al, Penetration Testing of Industrial Control Systems, Sandia National Laboratories, Report No SAND2005-2846P, 2005.
- NIST SP: 800-40, Creating a Patch and Vulnerability Management Program, 2005.
- NIST SP: 800-34 Rev. 1, Contingency Planning Guide for Information Technology Systems, 2010.
- NIST SP: 800-61 Rev. 2, Computer Security Incident Handling Guide, March 2012.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
- NIST SP 800-53A Rev 1, Guide for Assessing the Security Controls in Federal Information Systems, June 2010.
- NIST SP: 800-115, Technical Guide to Information Security Testing and Assessment, September 2008.
- ANSI/ISA-62443-3-3 (99.03.03)-2013 - Security for industrial automation and control systems Part 3-3:
System security requirements and security levels (www.isa.org/standards). - ISA-TR84.00.09-2013 - Security Countermeasures Related to Safety Instrumented Systems (SIS) (www.isa.org/standards).
Additional Information
- Hart, D. "An Approach to Vulnerability Assessment for Navy Supervisory Control and Data Acquisition (SCADA) Systems," Naval Postgraduate School, Monterey, California, September 2004.
- "Supervisory Control and Data Acquisition (SCADA)," Data Comm. for Business, Inc., Oct 1999.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
- Byres, E., and Creery, A. "Industrial Cybersecurity for Power System and SCADA Networks," September 2005.
Control System Security Procurement Requirements Specification
- NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
- ANSI/ISA-62443-2-1 (99.02.01)-2009 - Security for Industrial Automation and Control Systems:
Establishing an Industrial Automation and Control Systems Security Program (www.isa.org/standards). - ANSI/ISA-62443-1-1 (99.01.01)-2007 - Security for Industrial Automation and Control Systems Part 1:
Terminology, Concepts, and Models (www.isa.org/standards).
Additional Information
- Merritt, R. "What Vendors Say About Control System Security," January 31, 2005.
- SCADA and Control Systems Procurement Language Project, September 2009, U.S. Department of Homeland Security National Cybersecurity and Communication Integration Center, ICS-CERT.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communication Integration Center, ICS-CERT.
Placement and Use of IDSs and IPDSs
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- NIST SP: 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS)
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
Additional Information
- Wooldridge, S. "SCADA/Business Network Separation: Securing an Integrated System," 2005.
- Ashier, J. and Weiss, J. "Securing your Control System," 2004.
- Network Monitoring System Designed to Detect Unwanted Wireless Networks, September 14, 2005.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
- Control Systems Cyber Security: Defense in Depth Strategies, September 2016, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
- Mitigations for Security Vulnerabilities Found in Control System Networks, June 2006, U.S. Department of Homeland Security National Cybersecurity and Communication Integration Center, ICS-CERT.
.
Authentication, Authorization, and Access Control For Direct and Remote Connectivity
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- NIST SP: 800-73-2, Interfaces for Personal Identity Verification (4 parts), September 2008.
- NIST SP 800-76-1, Biometric Data Specification for Personal Identity Verification, 2007.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- Baker, Elaine, et al, NIST SP: 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007.
- NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
- NIST SP: 800-57 Recommendation for Key Management, March 2007
- NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, May 2015.
- NIST SP 800-85A-4, PIV Card Application and Middleware Interface Test Guidelines, April 2016.
- ANSI/ISA-62443-2-1 (99.02.01)-2009 - Security for Industrial Automation and Control Systems:
Establishing an Industrial Automation and Control Systems Security Program (www.isa.org/standards).
Additional Information
- Wooldridge, S. "SCADA/Business Network Separation: Securing an Integrated System," 2005.
- Ashier, J. and Weiss, J. "Securing your Control System," 2004.
- Schwaiger, C. and Treytl, A. "Smart Card Based Security for Fieldbus Systems," 2003, Austria Card, Vienna, Austria.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communication Integration Center, ICS-CERT.
.
Securing Wireless Connections
- NIST SP: 800-48 Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks, July 2008.
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- ISA-TR100.14.01-Part 1-2011, Trustworthiness in Wireless Industrial Automation:
Part 1, Information for End Users and Regulators (www.isa.org/standards).
Additional Information
- Pescatore, J. "Keep your Wireless Business Secure," August 21, 2005.
- Network Monitoring System Designed to Detect Unwanted Wireless Networks, September 14, 2005.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland SecurityNational Cybersecurity and Communication Integration Center, ICS-CERT.
Use of VPNs and Encryption in Securing Communications
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- NIST SP: 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007.
- SP 800-56 B, Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography, August 2009
- NIST SP: 800-57 Recommendation for Key Management, March 2007
Additional Information
- Peterson, D. "Protocol for SCADA Field Communications," July 12, 2005.
- Cohen, B. "VPN Gateway Appliances-Access Remote Data like the Big Guys," April 28, 2005.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communication Integration Center, ICS-CERT.
Establishing a Secure Topology and Architecture
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, May 2015.
- NIST SP 800-125B, Secure Virtual Network Configuration for Virtual Machine (VM) Protection, March 2016.
Additional Information
- "Study Suggest Increased Concerns with Cyber Security and SCADA System Reliability," June 14, 2005.
- Berg, M. and Stamp, J. "A Reference Model for Control and Automation Systems in Electric Power," Sandia Corporation. 2005.
- Control Systems Cyber Security: Defense in Depth Strategies, September 2016, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
- Curtis, Ian, ABB. "Security against cyber attack," July 19, 2010.
- Invensys Operations Management (Australia) Pty Ltd. "Integrating control and safety -- where to draw the line," Jan 20, 2009.
Applying and Complying with Security Standards
- TSA Pipeline Security Guidelines, Transportation Security Administration, April 2011.
- INGAA Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry,
Interstate Natural Gas Association of America (INGAA), April 2011. - ANSI/ISA-62443-2-1 (99.02.01)-2009 - Security for Industrial Automation and Control Systems:
Establishing an Industrial Automation and Control Systems Security Program (www.isa.org/standards).
Additional Information
- Peterson, D. and Howard, D. "Cyber Security for the Electric Sector," September 12, 2005.
- Berg, M. and Stamp, J. "A Reference Model for Control and Automation Systems in Electric Power," Sandia Corporation. 2005.
Ensuring Security when Modernizing and Upgrading
- ANSI/ISA-62443-2-1 (99.02.01)-2009 - Security for Industrial Automation and Control Systems:
Establishing an Industrial Automation and Control Systems Security Program (www.isa.org/standards). - Cyber Security Procurement Language for Control Systems, September 2009, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
Additional Information
- NIST SP 800-183, Network of 'Things', July 2016.
- Ladd, E. "Dispelling the myths of HART-enabled devices," April 18, 2005.
- Verhappen, I. "What makes a fieldbus go?" April 27, 2005.
- Verhappen, I., "On the bus: Design hurdles to fieldbus technology," Control Global, 2005.
- NIST SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle, October 2008
- "Supervisory Control and Data Acquisition (SCADA)," Data Comm. for Business, Inc., Oct 1999.
- Digital Bond, British Columbia Institute of Technology, and Byres Research.
"OPC Security White Paper #1: Understanding OPC and How it is Deployed," July 27, 2007. - Digital Bond, British Columbia Institute of Technology, and Byres Research.
"OPC Security White Paper #2: OPC Exposed," November 13, 2007. - Digital Bond, British Columbia Institute of Technology, and Byres Research.
"OPC Security White Paper #3: Hardening Guidelines for OPC Hosts," November 13, 2007.