Appendix B. Standards Organizations

Information in this Chapter:

• North American Reliability Corporation (NERC)
• The United States Nuclear Regulatory Commission (NRC)
• United States Department of Homeland Security (DHS)
• International Standards Association (ISA)
• The International Standards Organization (ISO) and International Electrotechnical Commission (IEC)

While a limited selection of regulatory standards and compliance controls have been discussed in Chapter 10, “Standards and Regulations,” there are many additional controls that are either mandated or recommended by the North American Reliability Corporation (NERC), the United States Nuclear Regulatory Commission (NRC), the United States Department of Homeland Security (DHS), the International Standards Association (ISA), and the International Standards Organization/International Electrotechnical Commission (ISO/IEC). The following organizations provide useful resources, including access to the most recent versions of compliance standards documents.

North American Reliability Corporation (NERC)

The North American Reliability Corporation is tasked by the Federal Energy Regulatory Commission (FERC) to ensure the reliability of the bulk power system in North America. NERC enforces several reliability standards, including the reliability standard for Critical Infrastructure Protection (NERC CIP). In addition to these standards, NERC publishes information, assessments and trends concerning bulk power reliability, including research of reliability events as they occur.
The NERC CIP standards consist of nine standards documents, all of which are available from NERC’s website at: http://www.nerc.com/page.php?cid=2|20.

The United States Nuclear Regulatory Commission (NRC)

The United States Nuclear Regulatory Commission is responsible for the safe use of radioactive materials, including nuclear power generation and medical applications of radiation. The NRC publishes standards and guidelines for Information Security, as well as general information and resources about nuclear materials and products, nuclear waste materials, and other concerns.

NRC Title 10 CFR 73.54

NRC Title 10 of the Code of Federal Regulations, Part 73.54 regulates the “Protection of digital computer and communication systems and networks” used in member Nuclear Facilities. More information on CFR 73.54 is available from NRC’s website at: http://www.nrc.gov/reading-rm/doc-collections/cfr/part073/part073-0054.html.

NRC RG 5.71

The United States Nuclear Regulatory Commission’s Regulatory Guide 5.71 offers guidance on how to protect digital computer and communication systems and networks. RG 5.71 is not a regulatory standard but rather guidance on how to comply with the standard, which is Title 10 of the Code of Federal Regulations, Part 73.54. Information on RG 5.71 is available from NRC’s website at: http://nrc-stp.ornl.gov/slo/regguide571.pdf.

United States Department of Homeland Security (DHS)

The Department of Homeland Security’s (DHS) mission is to protect the United States from a variety of threats, with responsibilities that include (but are not limited to) counter-terrorism and cyber security. One area where cyber security concerns and anti-terrorism overlap is in the protection of chemical facilities, which are regulated under the Chemical Facilities Anti-Terrorism Standards (CFATS). CFATS includes a wide range of security controls, which can be measured against a set of Risk-Based Performance Standards (RBPS).

Chemical Facilities Anti-Terrorism Standard

The Chemical Facility Anti-Terrorism Standards (CFATS) are published by the United States Department of Homeland Security, and they encompass many areas of chemical manufacturing, distribution and use, including cyber security concerns. More information on CFATS can be found on the DHS’s website at: http://www.dhs.gov/files/laws/gc_1166796969417.shtm.

CFATS Risk-Based Performance Standards

The United States Department of Homeland Security also publishes recommendations in the form of Risk-Based Performance Standards (RBPS) for CFATS. These standards provide guidance on complying with the Chemical Facility Anti-Terrorism Standards. More information on the CFATS RBPS can be found on the DHS’s website at: http://www.dhs.gov/xlibrary/assets/chemsec_cfats_riskbased_performance_standards.pdf.

International Standards Association (ISA)

The International Standards Association (ISA) and the American National Standards Institute (ANSI) have published three documents concerning industrial network security under the umbrella of ISA-99. These documents are: ANSI/ISA-99.02.01-2009, “Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program”; ANSI/ISA-99.00.01-2007, “Security for Industrial Automation and Control Systems: Concepts, Terminology and Models”; and ANSI/ISA-TR99.00.01-2007, “Security Technologies for Manufacturing and Control Systems.”
These documents, as well as additional information and resources relevant to ISA-99, are available at the ISA website, at: http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821.

The International Standards Organization (ISO) and International Electrotechnical Commission (IEC)

The International Standards Organization (ISO) and the International Electrotechnical Commission (IEC) produced the ISO/IEC 27002:2005 standard for “Information technology—Security techniques—Code of practice for information security management.” While ISO/IEC 27002:2005 does not apply exclusively to SCADA or industrial process control networks, it provides a useful basis for implementing security in industrial networks, and is also heavily referenced by a variety of international standards and guidelines.
More information on ISO/IEC 27002:2005 can be found on the ISO website at: http://www.iso.org/iso/catalogue_detail?csnumber=50297.