Two weeks ago I was fortunate, along with about one hundred others, to be invited to an initial planning meeting of DHS’s Industrial Control System Joint Working Group [ICSJWG]. Here are some thoughts after having a few weeks to ponder what happened there.
- ICSJWG is going to be all about sharing information between the US Government and Private Industry. This is very different than what PCSF evolved into. PCSF was the entire community, vendor, asset owner, government, academia, … all sharing information with each other. Government was actually a relatively minor player in PCSF most years, except for the funding. I’m not saying this new ICSJWG approach is wrong, just different, and we still need that community event that was the PCSF annual meeting.
- Someone on one of the panels, and it escapes me who it was, stressed that this information sharing only works if it is two-way, and that the government should lead by sharing useful, actionable information. Those of you old timers will remember InfraGard originally was billed as two-way information sharing and got a huge response. It faded as little or no USG info was made available even to vetted members. InfraGard still exists but it is very different in practice than the original mission.
- DHS stressed working groups with deliverables and deadlines. It is interesting, because the working groups were mostly a failure at PCSF despite a number of different attempts and approaches – including working groups I chaired. There were good intentions at the annual meeting but then life and work intervened. How will these be different? This is important to answer, and just working harder or with more attention does not seem to be the answer. What will spur private industry to devote time to the working groups? What is in it for the participants?
- I’m a strong believer in early wins for any new group. Pick an easily achievable goal and make it happen fast and then declare victory. After a few victories move on to something harder. I look at things like ISA’s SCI that missed a chance for early wins and now is bogged down. My suggestion for an early win was to have the reconstituted vendor forum complete the vendor vulnerability handling procedure, based on the FIRST guidelines. And then have the ICSJWG actually test this procedure by sending in fictitious vulns without warning to see if the vendors respond appropriately. Most vendors fail the first time this vulnerability handling happens so this would be a mock first contact and hopefully work out the kinks in the process.
And of course ICSJWG is just a terrible name, but that is a minor issue.