Appendix B. Standards Organizations
Information in this Chapter:
• North American Reliability Corporation (NERC)
• The United States Nuclear Regulatory Commission (NRC)
• United States Department of Homeland Security (DHS)
• International Standards Association (ISA)
• The International Standards Organization (ISO) and International Electrotechnical Commission (IEC)
While a limited selection of regulatory standards and compliance controls have been discussed in Chapter 10, “Standards and Regulations,” there are many additional controls that are either mandated or recommended by the North American Reliability Corporation (NERC), the United States Nuclear Regulatory Commission (NRC), the United States Department of Homeland Security (DHS), the International Standards Association (ISA), and the International Standards Organization/International Electrotechnical Commission (ISO/IEC). The following organizations provide useful resources, including access to the most recent versions of compliance standards documents.
North American Reliability Corporation (NERC)
The North American Reliability Corporation is tasked by the Federal Energy Regulatory Commission (FERC) with ensuring the reliability of the bulk power system in North America. NERC enforces several reliability standards, including the reliability standard for Critical Infrastructure Protection (NERC CIP). In addition to these standards, NERC publishes information, assessments, and trends concerning bulk power reliability, including research into reliability events as they occur.
The United States Nuclear Regulatory Commission (NRC)
The United States Nuclear Regulatory Commission is responsible for the safe use of radioactive materials, including nuclear power generation and medical applications of radiation. The NRC publishes standards and guidelines for Information Security, as well as general information and resources about nuclear materials and products, nuclear waste materials, and other concerns.
NRC RG 5.71
The United States Nuclear Regulatory Commission’s Regulatory Guide 5.71 offers guidance on how to protect digital computer and communication systems and networks. RG 5.71 is not a regulatory standard but rather guidance on how to comply with the standard, which is Title 10 of the Code of Federal Regulations, Part 73.54. Information on RG 5.71 is available from NRC’s website at:
http://nrc-stp.ornl.gov/slo/regguide571.pdf.
United States Department of Homeland Security (DHS)
The Department of Homeland Security’s (DHS) mission is to protect the United States from a variety of threats, with areas of responsibility including (but not limited to) counter-terrorism and cyber security. One area where cyber security concerns and anti-terrorism overlap is in the protection of chemical facilities, which are regulated under the Chemical Facilities Anti-Terrorism Standards (CFATS). CFATS includes a wide range of security controls, which can be measured against a set of Risk-Based Performance Standards (RBPS).
Chemical Facilities Anti-Terrorism Standard
The Chemical Facility Anti-Terrorism Standards (CFATS) are published by the United States Department of Homeland Security, and they encompass many areas of chemical manufacturing, distribution, and use, including cyber security concerns. More information on CFATS can be found on the DHS’s website at:
http://www.dhs.gov/files/laws/gc_1166796969417.shtm.
CFATS Risk-Based Performance Standards
International Standards Association (ISA)
The International Standards Association (ISA) and the American National Standards Institute (ANSI) have published three documents concerning industrial network security under the umbrella of ISA-99. These documents are: ANSI/ISA-99.02.01-2009, “Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program”; ANSI/ISA-99.00.01-2007, “Security for Industrial Automation and Control Systems: Concepts, Terminology and Models”; and ANSI/ISA-TR99.00.01-2007, “Security Technologies for Manufacturing and Control Systems.”
The International Standards Organization (ISO) and International Electrotechnical Commission (IEC)
The International Standards Organization (ISO) and the International Electrotechnical Commission (IEC) produced the ISO/IEC 27002:2005 standard, “Information technology—Security techniques—Code of practice for information security management.” While ISO/IEC 27002:2005 does not apply exclusively to SCADA or industrial process control networks, it provides a useful basis for implementing security in industrial networks, and it is also heavily referenced by a variety of international standards and guidelines.