NIST logo
*

Factory Cybersecurity

Summary:

Factory control systems need to be protected from vulnerabilities that may arise as a result of their increased connectivity, use of wireless networks and sensors, and use of widespread information technology. Scalable, multi-level cybersecurity standards are essential to realize the full potential of knowledge-based smart manufacturing, but the safety-critical and time-sensitive requirements of smart manufacturing control systems make deployment difficult. This project provides the measurement science necessary to develop standards for securing factory control systems against cyber attack, and specifies the test methods and metrics to ensure that the standards have been correctly implemented and do not negatively impact the performance of the system.

Description:

Objective:

Develop and deploy measurement science for securing factory control systems against cyber attack, delivering results to standards organizations by 2014.

What is the new technical idea?

Scalable, multi-level cybersecurity is an essential technology to realize the full potential of knowledge-based smart manufacturing systems.  Early deployment of traditional IT security into factory control systems interfered with safety and time-critical operations and led to the recognition that the solution required adaptation of these techniques. This project will perform measurement science research to develop methods and standards to measure the quantitative impacts of cybersecurity when deployed in factory control systems.  The project also introduces the technical idea of Security Levels (SLs) that define the optimal protection factor needed to ensure the security of a factory control system. These SLs will use the lessons learned from the development of Safety Integrity Levels (SILs), which safety systems have used for almost two decades, to provide measurable requirements that fulfill industry needs to reduce the risk and accelerate the deployment of safe and secure smart manufacturing control systems. This project will develop measurement science associated with these SLs, developing and evaluating methods to measure the quantitative impacts of cybersecurity on real-time performance, resource use, reliability and safety. This project work provides the foundation to secure the information used to automate the optimization in the Smart Manufacturing and Construction Control Systems Program.

What is the research plan?

The project work will take place in three phases: assessment, test development, and standardization. In the assessment phase, NIST will host a security metrics workshop to determine the real-time measurements required to quantitatively determine the impact of cybersecurity on real-time performance, resource use, reliability and safety of factory control systems. Questions to be answered include “what does impact mean? How is it measured? How can it be analyzed? How can trade-offs be compared?” The workshop report will drive the research in the second phase, test development. Two research challenges will be addressed in this phase. The first challenge is the development of comprehensive requirements and use cases that represent practical, interoperable cybersecurity approaches for real world needs of complex factory control systems. The second challenge is the development of a suite of specific tests that measure the impact of cybersecurity technology when fulfilling these requirements. The project will leverage the NIST Factory Equipment Network Testbed (FENT) to implement the test suite, and analyze the performance impact (e.g. latency, jitter) and operational impacts (e.g. efficiency, productivity) of the cybersecurity safeguards and countermeasures. NIST will develop a technical report based on the analysis of the results from testing the use cases in the FENT. During the standardization phase, NIST will work with standards development organizations (e.g., the International Society of Automation (ISA), and the International Electrotechnical Commission (IEC)), to develop new guidelines and standards to facilitate the implementation of cybersecurity requirements in factory control systems that do not negatively impact the performance of the system. NIST contributions will ensure that the standards are written so that compliance can be measured, and that performance (e.g., safety, reliability, real-time communication) can be measured and assured at target levels of acceptability. NIST will work with ISA’s Security Compliance Institute (ISCI), which develops certification specifications for industrial automation suppliers and operational sites, to develop certification specifications and test methods for factory control systems. Working through ISCI ensures that ultimately the project’s outcomes will be immediately useable by the championing industries.

Recent Results:
  • Outcome: ANSI/ISA-99.02.01-2009 Security for Industrial Automation and Control Systems: Establishing and Industrial Automation and Control Systems Security Program provides comprehensive guidance on developing an industrial control system security program. NIST was the technical editor for ANSI/ISA-99.02.01 [2009].
  • Outcome: NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3 standardizes the security controls for federally owned/operated industrial control systems [2010].
  • Outcome: NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security provides guidance on how to secure manufacturing and industrial control systems while addressing their unique performance, reliability, and safety requirements [2011].
  • Output: ISA-99.03.03 System Security Requirements and Security Assurance Levels scalable, multi-level cybersecurity Draft standard submitted for vote. NIST provided a majority of the technical requirements for this standard [2012].
  • Output:NIST SP 800-82, Revision 1 draft for subject matter expert review that includes new material specific to factory control systems, addition of control system material removed from NIST SP 800-53 Recommended Security Controls for Federal Information Systems, and new material to address additional threats such as Stuxnet [2012].
Standards and Codes:

The project’s technical results will contribute to factory control system cybersecurity standards to be developed within ISA and IEC, targeting the ISA/IEC 62443 suite of standards, and cybersecurity standards and guidelines being developed within the federal government, specifically NIST SP 800-82, Revision 1.