NIST novel on ICS security
This recently updated, 247-page opus, "Guide to industrial control systems (ICS) security," was written by Keith Stouffer and his colleagues at the National Institute of Standards and Technology (NIST), and provides a comprehensive overview of cybersecurity as it affects supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and programmable logic controllers (PLC).
NIST / www.nist.gov
The great ICEweb repository of process control and automation resources has an especially good subsection on cybersecurity with dozens of useful articles and links.
ICEweb / www.iceweb.com.au
Security 101 video
This 43-minute video, "Introduction to Process Control Cybersecurity," is based on a webinar presented by exida LLC. It provides an introduction to control system cybersecurity and the security lifecycle for managers and engineers involved in operating, maintaining and integrating industrial automation and control systems. While the course follows the security level lifecycle from ANSI/ISA-99.01.01 and ANSI/ISA-99.02.01, it also references other relevant industry standards and industry best practices, in particular, drawing parallels to the well established functional safety lifecycle from ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod).
EXIDA / www.exida.com
This classic, 16-page article, "Bound to fail: Why cybersecurity risk cannot simply be 'managed' away," was written by legendary security gurus Ralph Langner and Perry Pederson, who report that, "Both government and business approaches to ICS cybersecurity of critical infrastructure assets over the last 10 years are systemically flawed and doomed to failure." Instead of the usual business logic-based risk management rationale, they suggest a policy-based approach that sets clear guidelines for asset owners, starting with regulations for new critical infrastructure facilities.
Control / www.controlglobal.com
Risk management practices
This 15-page white paper, "Industrial Cyber Security Risk Management Best Practices," from Honeywell Process Solutions and presented by ISA, provides a good rundown about when and where to act on security risks that have been identified, determining risk tolerances and appetites, device and zone consequences, and minimizing vulnerabilities.
ISA / www.isa.org
All about trustworthiness
The 175-page document, "Industrial Internet of Things, Volume G4, Security Framework," by the Industrial Internet Consortium explains the basic aspects of overall trustworthiness as it relates to cybersecurity, and shows how to establish it for application in the Industrial Internet of Things (IIoT).
Industrial Internet Consortium / www.iiconsortium.org
Weiss lecture at Stanford
Control's "Unfettered" cybersecurity blogger Joe Weiss wrote the book, "Protecting Industrial Control Systems from Electronic Threats," and delivers a thorough, 84-minute presentation, "Cyber Security of Industrial Control Systems," at Stanford University. In the video of the lecture, Weiss discusses the state of the cybersecurity of industrial control systems, such as those in power plants and water pumping facilities. He examines the shortcomings of current protocols and regulation in the post-Stuxnet era.
Stanford University / www.stanford.edu
Some cybersecurity history
This 32-page document, "An Abbreviated History of Automation and Industrial Controls Systems and Cybersecurity," was authored by Ernie Hayden, Michael Assante and Tim Conway and presented by SANS, and it puts cybersecurity in context with controls theory and closed-loop control.
SANS / www.sans.org