This page provides an extensive bibliography of references and standards associated with control system cyber topics. The list is categorized as follows with web links provided where applicable:
- Cyber Security Policy Planning and Preparation
- Establishing Network Segmentation, Firewalls, and DMZs
- Patch, Password, and Configuration Management
- Control System Cyber Security Training for Engineers, Technicians, Administrators, and Operators
- Establishing and Conducting Asset, Vulnerability, and Risk Assessments
- Control System Security Procurement Requirements Specification
- Placement and Use of IDSs and IPDSs
- Authentication, Authorization, and Access Control For Direct and Remote Connectivity
- Securing Wireless Connections
- Use of VPNs and Encryption in Securing Communications
- Establishing a Secure Topology and Architecture
- Applying and Complying with Security Standards
- Ensuring Security when Modernizing and Upgrading
Cyber Security Policy Planning and Preparation
- National Institute of Standards and Technology (NIST) Cybersecurity Framework (the Framework), February 2014.
- NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, May 2015.
- NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
- NIST SP 800-184, Guide for Cybersecurity Event Recovery, December 2016.
- ANSI/ISA-62443-2-1 (99.02.01)-2009 - Security for Industrial Automation and Control Systems:
Establishing an Industrial Automation and Control Systems Security Program (www.isa.org/standards).
Additional Information
- 21 Steps to Improve Cyber Security of SCADA Networks," Office of Energy Assurance, Office of Independent Oversight And Performance Assurance, U.S. Department of Energy.
- Kilman, D. and Stamp, J. "Framework for SCADA Security Policy," Sandia Corporation. 2005.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
- NIST SP 800-64 Rev 2, Security Considerations in the System Development Life Cycle, October 2008.
- NIST SP 800-160, System Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, November 2016.
Establishing Network Segmentation, Firewalls, and DMZs
- Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks,
Centre for the Protection of National Infrastructure (CPNI), London, 2005. - NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, May 2015.
Additional Information
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
- Control Systems Cyber Security: Defense in Depth Strategies, September 2016, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
Patch, Password, and Configuration Management
- NIST SP: 800-118, Guide to Enterprise Password Management (Draft)
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- NIST SP: 800-40, Creating a Patch and Vulnerability Management Program, 2005.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- Dzung, D., Naedele, M., Von Hoff, T., and Crevatin, M. "Security for Industrial Communication Systems," Proceedings of the IEEE. Institute of Electrical and Electronics Engineers Inc. 2005.
- NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, May 2015.
- NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
Additional Information
- Ashier, J. and Weiss, J. "Securing your Control System,"2004.
- Wooldridge, S. "SCADA/Business Network Separation: Securing an Integrated System," 2005.
- "21 Steps to Improve Cyber Security of SCADA Networks," Office of Energy Assurance, Office of Independent Oversight And Performance Assurance, U.S. Department of Energy.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
Control System Cyber Security Training for Engineers, Technicians, Administrators, and Operators
- Wilson, Mark, Hash, Joan, NIST SP: 800-50, Building an Information Technology Security Awareness and Training Program, 2003.
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, May 2015.
- NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
Additional Information
- Boyes, W. "Security is More than Hating Microsoft," May 31, 2005.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
Establishing and Conducting Asset, Vulnerability, and Risk Assessments
- Rinaldi, et al, Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies, IEEE Control Systems Magazine, 2001.
- GAO-04-354, Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems, U.S. GAO, 2004.
- Stamp, Jason, et al., Common Vulnerabilities in Critical Infrastructure Control Systems, Sandia National Laboratories, 2003.
- Duggan, David, et al, Penetration Testing of Industrial Control Systems, Sandia National Laboratories, Report No SAND2005-2846P, 2005.
- NIST SP: 800-40, Creating a Patch and Vulnerability Management Program, 2005.
- NIST SP: 800-34 Rev. 1, Contingency Planning Guide for Information Technology Systems, 2010.
- NIST SP: 800-61 Rev. 2, Computer Security Incident Handling Guide, March 2012.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
- NIST SP 800-53A Rev 1, Guide for Assessing the Security Controls in Federal Information Systems, June 2010.
- NIST SP: 800-115, Technical Guide to Information Security Testing and Assessment, September 2008.
- ANSI/ISA-62443-3-3 (99.03.03)-2013 - Security for industrial automation and control systems Part 3-3:
System security requirements and security levels (www.isa.org/standards). - ISA-TR84.00.09-2013 - Security Countermeasures Related to Safety Instrumented Systems (SIS) (www.isa.org/standards).
Additional Information
- Hart, D. "An Approach to Vulnerability Assessment for Navy Supervisory Control and Data Acquisition (SCADA) Systems," Naval Postgraduate School, Monterey, California, September 2004.
- "Supervisory Control and Data Acquisition (SCADA)," Data Comm. for Business, Inc., Oct 1999.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
- Byres, E., and Creery, A. "Industrial Cybersecurity for Power System and SCADA Networks," September 2005.
Control System Security Procurement Requirements Specification
- NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
- ANSI/ISA-62443-2-1 (99.02.01)-2009 - Security for Industrial Automation and Control Systems:
Establishing an Industrial Automation and Control Systems Security Program (www.isa.org/standards). - ANSI/ISA-62443-1-1 (99.01.01)-2007 - Security for Industrial Automation and Control Systems Part 1:
Terminology, Concepts, and Models (www.isa.org/standards).
Additional Information
- Merritt, R. "What Vendors Say About Control System Security," January 31, 2005.
- SCADA and Control Systems Procurement Language Project, September 2009, U.S. Department of Homeland Security National Cybersecurity and Communication Integration Center, ICS-CERT.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communication Integration Center, ICS-CERT.
Placement and Use of IDSs and IPDSs
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- NIST SP: 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS)
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
Additional Information
- Wooldridge, S. "SCADA/Business Network Separation: Securing an Integrated System," 2005.
- Ashier, J. and Weiss, J. "Securing your Control System," 2004.
- Network Monitoring System Designed to Detect Unwanted Wireless Networks, September 14, 2005.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
- Control Systems Cyber Security: Defense in Depth Strategies, September 2016, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
- Mitigations for Security Vulnerabilities Found in Control System Networks, June 2006, U.S. Department of Homeland Security National Cybersecurity and Communication Integration Center, ICS-CERT.
.
Authentication, Authorization, and Access Control For Direct and Remote Connectivity
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- NIST SP: 800-73-2, Interfaces for Personal Identity Verification (4 parts), September 2008.
- NIST SP 800-76-1, Biometric Data Specification for Personal Identity Verification, 2007.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- Baker, Elaine, et al, NIST SP: 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007.
- NIST SP 800-53 Rev 4, Recommended Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
- NIST SP: 800-57 Recommendation for Key Management, March 2007
- NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, May 2015.
- NIST SP 800-85A-4, PIV Card Application and Middleware Interface Test Guidelines, April 2016.
- ANSI/ISA-62443-2-1 (99.02.01)-2009 - Security for Industrial Automation and Control Systems:
Establishing an Industrial Automation and Control Systems Security Program (www.isa.org/standards).
Additional Information
- Wooldridge, S. "SCADA/Business Network Separation: Securing an Integrated System," 2005.
- Ashier, J. and Weiss, J. "Securing your Control System," 2004.
- Schwaiger, C. and Treytl, A. "Smart Card Based Security for Fieldbus Systems," 2003, Austria Card, Vienna, Austria.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communication Integration Center, ICS-CERT.
.
Securing Wireless Connections
- NIST SP: 800-48 Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks, July 2008.
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- ISA-TR100.14.01-Part 1-2011, Trustworthiness in Wireless Industrial Automation:
Part 1, Information for End Users and Regulators (www.isa.org/standards).
Additional Information
- Pescatore, J. "Keep your Wireless Business Secure," August 21, 2005.
- Network Monitoring System Designed to Detect Unwanted Wireless Networks, September 14, 2005.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland SecurityNational Cybersecurity and Communication Integration Center, ICS-CERT.
Use of VPNs and Encryption in Securing Communications
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- NIST SP: 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised), March 2007.
- SP 800-56 B, Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography, August 2009
- NIST SP: 800-57 Recommendation for Key Management, March 2007
Additional Information
- Peterson, D. "Protocol for SCADA Field Communications," July 12, 2005.
- Cohen, B. "VPN Gateway Appliances-Access Remote Data like the Big Guys," April 28, 2005.
- Catalog of Control Systems Security: Recommendations for Standards Developers, April 2011, U.S. Department of Homeland Security National Cybersecurity and Communication Integration Center, ICS-CERT.
Establishing a Secure Topology and Architecture
- NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook.
- Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
- NIST SP 800-82 Rev 2, Guide to Industrial Control Systems (ICS) Security, May 2015.
- NIST SP 800-125B, Secure Virtual Network Configuration for Virtual Machine (VM) Protection, March 2016.
Additional Information
- "Study Suggest Increased Concerns with Cyber Security and SCADA System Reliability," June 14, 2005.
- Berg, M. and Stamp, J. "A Reference Model for Control and Automation Systems in Electric Power," Sandia Corporation. 2005.
- Control Systems Cyber Security: Defense in Depth Strategies, September 2016, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
- Curtis, Ian, ABB. "Security against cyber attack," July 19, 2010.
- Invensys Operations Management (Australia) Pty Ltd. "Integrating control and safety -- where to draw the line," Jan 20, 2009.
Applying and Complying with Security Standards
- TSA Pipeline Security Guidelines, Transportation Security Administration, April 2011.
- INGAA Control Systems Cyber Security Guidelines for the Natural Gas Pipeline Industry,
Interstate Natural Gas Association of America (INGAA), April 2011. - ANSI/ISA-62443-2-1 (99.02.01)-2009 - Security for Industrial Automation and Control Systems:
Establishing an Industrial Automation and Control Systems Security Program (www.isa.org/standards).
Additional Information
- Peterson, D. and Howard, D. "Cyber Security for the Electric Sector," September 12, 2005.
- Berg, M. and Stamp, J. "A Reference Model for Control and Automation Systems in Electric Power," Sandia Corporation. 2005.
Ensuring Security when Modernizing and Upgrading
- ANSI/ISA-62443-2-1 (99.02.01)-2009 - Security for Industrial Automation and Control Systems:
Establishing an Industrial Automation and Control Systems Security Program (www.isa.org/standards). - Cyber Security Procurement Language for Control Systems, September 2009, U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center, ICS-CERT.
Additional Information
- NIST SP 800-183, Network of 'Things', July 2016.
- Ladd, E. "Dispelling the myths of HART-enabled devices," April 18, 2005.
- Verhappen, I. "What makes a fieldbus go?" April 27, 2005.
- Verhappen, I., "On the bus: Design hurdles to fieldbus technology," Control Global, 2005.
- NIST SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle, October 2008
- "Supervisory Control and Data Acquisition (SCADA)," Data Comm. for Business, Inc., Oct 1999.
- Digital Bond, British Columbia Institute of Technology, and Byres Research.
"OPC Security White Paper #1: Understanding OPC and How it is Deployed," July 27, 2007. - Digital Bond, British Columbia Institute of Technology, and Byres Research.
"OPC Security White Paper #2: OPC Exposed," November 13, 2007. - Digital Bond, British Columbia Institute of Technology, and Byres Research.
"OPC Security White Paper #3: Hardening Guidelines for OPC Hosts," November 13, 2007.