Archive for 'PCSRF'

Plain English Guide to Field Device Protection Profile

We have been writing, and have completed, the draft Field Device Protection Profile for PCSRF that defines the security requirements for the next generation of PLCs, RTUs, IEDs, etc. The full document is available to registered users at the NIST / PCSRF site.
PCSRF has really struggled with the Common Criteria and is reconsidering if it [...]

Simple CC Example

We are working on an architecture and policy project with a client that is deploying new PLCs in a SCADA network. Communication will be all IP. So very natural questions for the PLC vendor (who is a leading vendor) are: what are the security functions, what are the configurable security parameters, and what is the [...]

Field Device Protection Profile Posted

NIST / PCSRF is developing Common Criteria Protection Profiles to specify the functional and assurance security requirements for the next generation SCADA systems. Digital Bond was hired to write the draft Protection Profile for Field Devices (PLCs, RTUs, PACs). The first complete draft is out now at the PCSRF site.
Protection Profiles are not easy documents [...]

Acronym Alert: CCEVS / FDPP

I’ve been a bit light on the blogging the last couple of weeks because I’ve been pushing to complete the Field Device Protection Profile (FDPP). The final steps of a Common Criteria document are a bit intense because the rationale mapping threats to objectives to requirements is very detailed, as is the audit and management [...]

Field Device Protection Profile - Security Objectives

The Security Objectives section of the Field Device Protection Profile is out in an email to PCSRF members. We also included a table that maps the Security Objectives to the Threats they mitigate. The table is probably the most interesting part of the document, and you do not need to be a Common Criteria guru [...]

Field Device Protection Profile - Threats Section

The next draft section of the Protection Profile is out, and this is the first section where there is some meat for the community to chew on. The TOE Security Environment section addresses the assumptions, threats and organization policies for the Protection Profile. The most important are the threats because these will drive the next [...]

TOE for Field Device PP

The first draft section in the SCADA Field Device Protection Profile we are writing for NIST/PCSRF is out. This section defines the Target of Evaluation (TOE), and it is a very simple and straightforward section.
PCSRF members can download the document here: Word Version or PDF Version. We are soliciting comments on this section and all [...]

ISSA Common Criteria Article

There is a good article on the Common Criteria in Information Systems Security Association’s (ISSA) monthly newsletter. Here is the link, but it is restricted to members.
Here are a few good quotes:
“Common Criteria … provides a mechanism for evaluating and certifying IT security products, as opposed to sites.”
“Common Criteria has a built-in mechanism that enables [...]

Defining A Secure Field Device

NIST issued an RFP a few weeks ago for the development of a field device Protection Profile. Common Criteria Protection Profiles are used by industry groups to define the functional and assurance requirements. Vendors can build to these Protection Profiles and actually get their products independently tested and certified.
A field device protection profile would be [...]

It Begins - Control Center Protection Profile Review

If it is possible to get excited about anything related to the Common Criteria, I am. Next Thursday a PCSRF Working Group will review and refine the Control Center Protection Profile requirements in the FAU - Security Audit Class. This is one of 11 classes of requirements in the Common Criteria.
Diving into the technical details [...]