
PCSF Historical Archives

PCSF Groups

(All documents are in PDF format.)

Antivirus Software on Control Systems Interest Group

This group will focus on increasing communication between antivirus vendors, control vendors, and end-users, with the aim of increasing the benefits and reducing the risk of deploying host-based antivirus on control systems.

Chair: David Teumin
Editor: William Gell
Product: Using Host-Based Antivirus Software on Industrial Control Systems (393KB), NIST SP 1058

Business Case Development Interest Group

The protection of control systems from cyber security threats requires resources and personnel to plan, develop and implement needed security measures. This group will focus on developing the business rationale for justifying that investment.

Chair: Ernest Rakaczky

Control System Technical Security Metrics Interest Group

This group will focus on advancing the state of the art and the state of the practice in security metrics for control systems. The research community has spent a significant amount of time and effort trying to measure system and component security, with limited success. A good understanding of security measurement and effective ways of determining mitigations would be useful to everyone. Generally, industry has responded to demands for improvement in software security by increasing its efforts to create 'more secure' products and services. But how can it be determined that the work toward security has been effective in making any system or component more secure? Can it be determined whether this effort is paying off? Can the results be quantified? Are updated systems more secure than earlier versions? Approaches and techniques for answering these, and similar, questions were addressed by this interest group.

Chair: Miles McQueen
Editor: Miles McQueen

Control Systems Research Interest Group

This group is concerned with both basic and applied research in security methodologies and technologies related to control systems, including Supervisory Control and Data Acquisition (SCADA) systems and Critical Infrastructures. We span the full spectrum of security, including reliability, safety, dependability, and trustworthiness. As control systems are increasingly networked to other systems, their role in such network-centric systems (or systems of systems) is critical. The increase in the number, sophistication, and speed of computer network attacks is an indication of the importance of the Process Control Systems Forum in general and of this Interest Group in particular. Thus, new approaches to vulnerability assessments, real-time monitoring, survivability and denial, and consequence management are sought. Further, the relatively new field of information forensics, or "inforensics", of control systems is another area of interest. Lastly, the complexity of critical infrastructures yields inter-dependencies between component systems. Improved modeling and assessment of these inter-dependencies might yield new approaches to the prevention of cascading failures.

Chair: Dr. Ann Miller
Admins: Krishna Mohan - Moleyar Simrit Singh

Education and Training Interest Group

This group will gather, develop, and publicize education & training materials and curricula related to control systems security.

Chair: Brian Lopez
Product:
  1. Critical Infrastructure and Control Systems Security Curriculum Version 1.0 (354KB)
  2. Education and Training Interest Group Objectives (48KB)

Lemnos Interoperable Security Project Interest Group

The goal of the interest group is to promote interoperable vendor security solutions for control system communications over IP. It is part of the industry outreach effort of the Lemnos Interoperable Security Project, which is sponsored by the US Department of Energy's National SCADA Test Bed.

Chair: David Teurmin

Responsible Vulnerability Disclosure Interest Group

Although only a small number of SCADA and Control Systems product vulnerabilities have been publicly disclosed, this is likely to change as these applications are connected to more accessible networks and come under increased scrutiny from security researchers. Control systems vendors, asset owners, and government-sponsored vulnerability coordination centers all have an interest in ensuring that vulnerabilities are properly and efficiently handled, regardless of how they are discovered or who discovers them.

Chair: Zach Tudor
Product: Information Sharing (15KB)

IAM (Identity and Access Management) SCADA Interest Group

NERC CIP regulations indirectly call for identity and access management covering identity roles, privileges, logical and physical access rights, and termination processes. Deployment of CIP requires the involvement of the departments that own the identities. This will include HR, Purchasing, Finance, and other departments that SCADA asset owners might not be thinking about when they consider CIP. Further, as organizations begin to become CIP compliant they will, as with Sarbanes-Oxley, have trouble maintaining their processes. This will lead to the development of attestation processes, so that a manager can ascertain on a monthly or quarterly basis what access rights their workers require, and to automating portions of the process to reduce cost and administrative overhead. Our group will address the underlying technical architecture required to accomplish this securely, as well as educate asset owners about the identity business processes required. Security is a process and not a technological solution.

Chair: Guy Huntington
Goals:
  1. Educate SCADA asset owners and vendors about identity and access management.
  2. Develop target architectures for the following four areas:
    1. Directory synchronization: There will have to be communication between the corporate network's enterprise LDAP directory, which holds enterprise identity information, and a SCADA version of it. This is essential in letting the SCADA system know when an identity has been created, or its role changed or terminated. How will this be secured?
    2. Smart meters in the utility space: This requires an architecture that also involves authenticating each smart meter device (which is an identity). Further, the smart meters must also be secure in order to prevent attacks against the SCADA and corporate networks.
    3. Monitoring: Cyber attacks can change every 30-60 seconds, so enterprises need integrated ops-security command consoles covering everything from SCADA systems to IT systems and physical security systems. Such a console offers an enterprise view of attacks as they are developing. However, putting this into practice is going to be very difficult, since it means that monitoring data needs to flow across the firewalls separating the corporate network from the SCADA one.
    4. Integrated logical and physical security: What is the architecture that allows this to happen in the SCADA and corporate network environments?

Control System Security Event Monitoring Working Group

Detecting attacks on control systems is critical because many of the applications and protocols have inherent vulnerabilities. Security Event Management (SEM) products and Managed Security Services collect and correlate data from traditional IT sources. The working group will look to leverage the existing solutions and find ways to augment these solutions with control system detection sources and correlation intelligence. Good practices, information sharing, product and service solutions, and case studies will help asset owners detect cyber attacks on the critical infrastructure.

Chair: Dale Peterson
Charter: The purpose of the Control Systems Security Event Monitoring Working Group is to serve as a clearinghouse of information and tools to detect attacks on control systems. The Working Group will (1) collect control system attack statistics to quantify and qualify the threat, (2) correlate control system detection events with IT detection events, (3) normalize control system detection events from different vendors, and (4) create and maintain a list of control system detection products and services.

SCADA Cyber Self-Assessment Working Group (SCySAg)

The driver behind this Working Group and this effort is the fact that existing self-assessment methodologies aimed at traditional IT environments do not adequately meet the needs of the SCADA environment. The SCADA community is interested in creating and owning the part of this process that is unique to its environment. In recognition of this fact, SCADA-specific elements have been added within broader self-assessment methods, and efforts to develop SCADA-specific tools are starting to emerge in the community (example: SCADA security elements in the "NRECA IT Recovery Plan for Electric Cooperatives", https://crn.cooperative.com/Resources/SoftwareDownloads/ITRecoveryPlanning.htm). This group intends to serve both as an information resource to encourage and serve such efforts and as a vehicle by which their results can reach the SCADA community.

Chair: Brian Isle
Admins: Dr. Carol Muehrcke
Charter: The charter/goal of SCySAg is to enable the development and use of the best possible next generation of self-administered tools and methodologies for assessing the cyber security readiness of process control systems. These systems are used in manufacturing, industrial, energy, and utility settings. Specifically, SCySAg will publish and publicize methodology and tool requirements information, as well as objective data about available tools and methodologies. Adoption of the results will be voluntary. The results of this effort can be used by: tool and methodology vendors, to develop, deploy, and maintain an assessment solution; SCADA system vendors, to create more secure systems; and owner/operators, when developing their internal policies and procedures.

Technical Approach: The team will first identify in-progress initiatives and available tools and methodologies for SCADA cyber self-assessment. The output of this activity serves two purposes: to provide resource information for SCADA operators wishing to embark on a self-assessment program, and to allow the working group to identify gaps in available requirements information in order to focus its requirements work effectively.

If gaps in self-assessment requirements are identified, the team will work to fill these gaps and publish and publicize its results. This work will be phased, addressing the identified gaps incrementally. This overall plan keeps the team motivated by structuring smaller, focused deliverables. Identifying and forming effective relationships with the target audience for the group's work are part of this effort.

The group is made up of experts in the domain and has the relationships necessary to reach into SCADA vendors and relevant organizations to gather requirements information. A broad perspective is assured by incorporating team members representing the following constituencies and areas of expertise: SCADA operations for manufacturing and the energy and utility infrastructure; cyber security; SCADA operators; government labs; and consultants.

Key elements of the proposed approach

The following key elements characterize the proposed approach to developing the SCADA self-assessment requirements:

  1. Leverage existing knowledge: The approach is based on leveraging the insights embodied in the many existing generic as well as IT-specific methodologies and tools for risk assessment and self-assessment, as well as early efforts in the SCADA cyber self-assessment arena.
  2. Focus on SCADA: The group adds to this existing body of knowledge by focusing its effort on aspects unique to the SCADA environment that have not been addressed.
  3. Address methodology and tools: The effort considers both requirements on methodology and requirements on tools, but clearly separates these.
  4. Generic and sector-specific: The effort considers generic SCADA self-assessment requirements that are applicable to all sectors, but includes a strategy for supporting sector-specific enhancements.

Proposed Working Group Tasks:
  1. Identify existing SCADA self-assessment efforts/resources;
  2. Publish existing efforts/resources;
  3. Characterize the unique characteristics of the SCADA environment;
  4. Perform a gap analysis;
  5. Re-evaluate the charter and approach for delivery of requirements results;
  6. Generate and deliver requirements in focused areas.

Product: Summary of SCADA Cyber Self-Assessment Working Group Results (1,217KB)

Standards Awareness Working Group (Congress of Chairs)

This Working Group will provide a venue for the chairs of standards groups to coordinate the work of their groups, thus avoiding duplication of effort, eliminating inconsistent standards, and assuring the development of all required standards. In addition to standards chairs, full membership in the group is open to the person with primary responsibility for developing recommended practices in an industry, as well as to people who regularly attend standards meetings of groups not represented on the Standards Awareness Working Group. Adjunct membership is open to people who wish to improve their awareness of activities and work in progress in all working groups participating in the Standards Awareness WG. Funding agencies wishing to assess the status of standards activities throughout the world are encouraged to join as adjunct members.

Chair: Dr. William Rush
Admins: Dennis Holstein
Charter: The purpose of this working group is to raise awareness of work in progress on process control security standards and related projects. Through information sharing, the goal is to improve the quality of all such standards. This group will achieve these aims by providing a single forum at which chairs of standards groups can assemble to review their goals, progress, and results. Full voting membership in the group is open only to chairs of standards groups or similar organizations (or their designated representatives) and, with the approval of the Chairman of the Congress of Chairs, to people who bring intimate knowledge of other groups not represented by their chairs.
Products: