Security Standards for ICS & SCADA: Types & Overview

Instructor: Amy Clayborn

Amy has a Master's degree in CIS specializing in Information Security and is currently working on her PhD in Technology and Innovation Management in CIS

ICS and SCADA systems require higher security standards than traditional ones. In addition, electric services, oil and gas pipelines, the chemical sector and water works have additional guidelines they need to follow. In this lesson, we will present an overview of these guidelines and standards.

Control System Security and Risk

Organizations are responsible for developing the level of risk they are willing to accept, which allows the information security officer to decide what risk mitigation steps should be taken. In industrial environments, risk management is critical. It identifies procedures that will avoid and minimize the impact of particular events. To reduce risk, industrial systems such as ICS and SCADA (a subset of ICS) will be discussed in the following sections along with the security standards they require.

ICS Security

Industrial control systems (ICS) are used to operate and automate industrial processes. Security is important as many operate critical equipment that performs vital services. Within ICS, the following security standards and controls must be followed:

  • Define ICS-specific security policies/procedures.
  • Deploy a risk management framework.
  • Define, inventory and categorize networks, applications and systems.
  • Document and inventory systems that use routable protocols.
  • Document selected and implemented security controls.
  • Implement boundary protection (i.e. routers, gateways, firewalls, intrusion detection systems).

When designing an ICS network, it is usually best to separate it from the corporate network. The ICS network traffic will be more secure if it does not cross corporate network boundaries in any way. Networks can be separated in 3 ways:

  1. Physical network separation using separate hardware
  2. Logical network separation utilizing encryption
  3. Filtered network separation based on traffic type

SCADA Security

Supervisory control and data acquisition (SCADA) systems provide access to control functions. Ideally, SCADA systems should also be separated from the business network/internet as well. SCADA systems should also be separated from each other. With the invent of the Internet of Things (IoT), however, connecting SCADA systems to the internet has become more prevalent. SCADA standards include:

  • Asset management: Identify and classify SCADA assets/cyber assets.
  • Identity and access management: Authentication and authorization administration, password management and role-based access of accounts.
  • Availability management: Managing availability requirements, performance requirements, OS vulnerabilities and bandwidth issues.
  • SCADA network security controls: Protecting these controls from other networks, including the organizational network.
  • Physical security: Ensuring the lockdown of physical assets, a unique challenge because systems are often connected and spread across wide geographical areas.

Specific Organizational Standards

In the ICS and SCADA arena, there are four specific organizational groups that have additional standards which are required for compliance. They are in the electrical, oil & gas, chemical and waterworks areas. We will introduce and discuss each in the sections below.

Electrical Grid Standards

The North American Electric Reliability Council CIP Series was created to establish reliability standards and distribution adequacy for electric power. The standards to control and protect these systems are as follows:

  • Cyber system categorization: Identify systems that are cyber assets and apply security requirements.
  • Security management control: Establish consistent security controls that institute responsibility.
  • Personnel training: Minimize risk against compromise by requiring an appropriate level of training and security awareness.
  • Electronic security perimeter: Manage electronic access to bulk electric systems (BES) utilizing a controlled electric security perimeter.
  • Physical security of BES cyber systems: Manage physical access to cyber systems with a security plan.
  • System security management: Specify technical, operational and procedural requirements to protect systems.
  • Incident reporting and response planning: Specify incident response requirements to mitigate risk.
  • Recovery plans for BES cyber systems: Specify recovery plan requirements for continued operability.
  • Configuration change management: Specify vulnerability assessment requirements to prevent unauthorized changes.
  • Information protection: Specify information protection requirements to prevent unauthorized access.
  • Physical security: Protect transmission facilities operated at 500 kV or higher or that have a nuclear interface.

American Petroleum Institute (API)

SCADA security standards provide guidance for operators of oil and gas pipelines to help manage SCADA system integrity and security. API 1164 is the voluntary security standard for the petroleum industry and includes the following requirements:

To unlock this lesson you must be a Member.
Create your account

Register to view this lesson

Are you a student or a teacher?

Unlock Your Education

See for yourself why 30 million people use

Become a member and start learning now.
Become a Member  Back
What teachers are saying about
Try it risk-free for 30 days

Earning College Credit

Did you know… We have over 200 college courses that prepare you to earn credit by exam that is accepted by over 1,500 colleges and universities. You can test out of the first two years of college and save thousands off your degree. Anyone can earn credit-by-exam regardless of age or education level.

To learn more, visit our Earning Credit Page

Transferring credit to the school of your choice

Not sure what college you want to attend yet? has thousands of articles about every imaginable degree, area of study and career path that can help you find the school that's right for you.

Create an account to start this course today
Try it risk-free for 30 days!
Create an account