Protection of American Industrial Control System

The post was written due to the appearance of yesterday's news about the spy virus (for example, here ). oddly enough, but the problem of protecting industrial facilities in the Russian Federation is not as acute as it should be ... very often you can hear about personal data laws in the media, but it seems that nobody really dealt with the protection of automated process control systems (process control systems) (protection of critical objects is regulated by the FSTEC documents, but they are stamped and not accessible to mere mortals). For those companies that did not fall into the list of these “critically important”, there is only the Gazprom standard ... and that’s all, there are no more documents and recommendations in the field of protection of the automated control systems for TP.

In the US, the situation is fundamentally the opposite, and the US US CERT puts in free access its recommendations on the protection of automated process control systems. Those wishing to familiarize please under the cat.

US CERT is actively involved in information security of the process control system, conducts training on safety among employees, as well as in raising awareness of companies using the process control system.

On the US CERT page, you can find a plan for investigating incidents, a guide for placing firewalls in the process control system, recommendations for managing patches in technology segments, a guide for using Wi-Fi, etc.

In particular, on the site were published:

Intruder model for process control system ;

Information flow model ;

Documents on the protection of automated process control systems ;

Security Assessment Tool (free);

As well as links to other sources and documents on similar topics.

I hope that the information will be useful for you.