The US Department of Homeland Security (DHS) has set out security requirements for automated control systems, principally in the power industry, to protect installations against physical and cyber-attacks.

Surprisingly for a document dealing with automated systems as opposed to data networks, it includes recommendations about protection against spam and social engineering, threats not normally associated with control systems.

Security firm Verisign expressed fears in its most recent weekly iDefense security bulletin that "so many of the problems that some hoped would either never migrate from the IT world into the control system world (social engineering, spam, etc) or be so rare as to be negligible, are apparently sufficient enough threats to be viewed as issues of concern for control systems."

Many of the recommendations in the Catalog of Control System Requirements (draft) July 2007 (document is no longer available) report describe basic cyber-security measures.

These include installing antivirus software and ensuring that DNS is not used for control systems to protect against denial of service attacks.

Other recommendations include not using VoIP, IM, FTP, HTTP and file sharing on control systems.

The document also emphasises that remote updates for antivirus software are performed when the control system is offline, ie disconnected from the equipment it controls.

The draft Catalog was drawn up in consultation with the National Institute of Standards and Technology and four National Laboratories, which are effectively regional scientific arms of the US Department of Energy, often operated by private companies or major universities. These are Argonne, Idaho, Pacific Northwest and Sandia.

While the high level of cooperation is welcomed by the security sector, it highlights the growing fear that physical or cyber-attacks on the power infrastructure could cause enormous harm to the US.

Since its inception on 20 September 2001 in the wake of 9/11, the DHS has been granted enormous powers and has been growing in influence.

Although the recommendations of the draft Catalog are not intended to be legally binding, the fact that it has been issued by the DHS means that its recommendations will carry considerable weight for those responsible for the security of power generation and distribution installations.