I was talking with Holly Beum of Interface Technologies about the Control Center Protection Profile, and she raised a simple question. Do all process control industries require this high-level of security? The short answer is of course not. Here is Holly’s attempt at starting a security level matrix.

High:

Product Controlled: Critical Infrastructure, Hazardous Materials, Ingested Products

Industry Examples: Utilities, PetroChemical, Food & Beverage, Pharmaceutical

Security Concerns: Protecting human life, Ensuring basic social services

Medium:

Product Controlled: Some hazardous products and/or steps during production, High amount of proprietary information

Industry Examples: Automotive Metal Industries, Pulp & Paper, Semi-conductors

Security Concerns: Protecting people, trade secrets, capital investment, ensuring uptime

Low:

Product Controlled: Non hazardous materials or products, Non-ingested consumer products

Industry Examples: Plastic Injection Molding, Warehouse Applications

Security Concerns: Protecting people, Capital investment, Ensuring uptime

A good start. Mail me, peterson@digitalbond.com, your comments or changes.

I envision two or three versions of a Protection Profile, or other standards. You can see this approach already implemented for firewalls, tokens, and other security products.