UL SUBJECT 2900-2-2

Abstract

Scope: This security evaluation outline applies to the evaluation of industrial control systems components. It applies to, but is not limited to, the following products: a) Programmable Logic Controllers (PLC); b) Distributed Control Systems (DCS); c) Process control systems; d) Data acquistion systems; e) Historians, data loggers and data storage systems; f) Control servers; g) SCADA servers; h) Remote Terminal Units (RTU); i) Intelligent Electronic Devices (IED); j) Human-Machine Interfaces (HMI); k) Input/Output (IO) servers; l) Fieldbuses; m) Networking equipment for ICS systems; n) Data radios; o) Smart sensors; p) Controllers; and q) Embedded system/controllers. This outline does not contain any requirements regarding functional testing of products unless where expressly specified. This outline also describes requirements for the product risk management process carried out by the vendor of the product, including a list of security controls that the product (or the vendor, as applicable) shall comply with unless a risk assessment done by the vendor shows that the risk of not implementing one of these security controls is acceptable.