Plain English Guide to Field Device Protection Profile
We have completed the draft Field Device Protection Profile for PCSRF, which defines the security requirements for the next generation of PLCs, RTUs, IEDs, and similar field devices. The full document is available to registered users at the NIST / PCSRF site.
PCSRF has struggled with the Common Criteria and is reconsidering whether it still makes sense to focus on Common Criteria Protection Profiles. A Protection Profile only pays off if vendors are willing to have products evaluated and certified against it, and to date there is no evidence that this will happen.
This does not mean the Common Criteria is not an excellent resource for security functional and assurance requirements. So the problem is how to get the value and rigor of the Common Criteria without spending weeks becoming a Common Criteria scholar. Our solution: a Plain English translation of the Field Device Protection Profile.
You can use this document to:
- Comment on the Field Device Protection Profile. If you comment on the Plain English version, we will convert those comments into Common Criteria language.
- Use some or all of the Plain English requirements in your RFP. They were written as requirement statements, and many of them are not specific to field devices and could be used in many RFPs.
- Consider these requirements in industry efforts that are trying to create a common set of procurement language or requirements. Some of these efforts have ignored the Common Criteria because of its difficult language; this document at least partially solves that problem.
I must admit that I gained an even greater appreciation for the Common Criteria in writing the Plain English version. I hope this document will be useful to the community, but there are no plans to expand this into a general set of requirements. There are already many good efforts underway to do this.
Author: Dale Peterson
Posted: July 6th, 2006 under NIST, PCSRF.