Matt Olney from Sourcefire has a lengthy editorial on the Lieberman-Collins Protecting Cyberspace As A National Asset Act. I haven’t read the 197 page bill cover-to-cover, but did glance at the sections that Matt highlighted in his editorial. What was a bit jarring was the idea that this legislation suggests DHS get into the control system security consulting business.
That may be a bit of hyperbole, but the bill could be read that way. From Matt’s editorial [Note: the first paragraph’s quotes come from Section 242 S on page 40; also see Section 244 I on page 50 for related tasks assigned to US-CERT]:
From the perspective of incident response, there is another important new service provided by the DHS. “The DHS will, at the request of critical infrastructure operators and provided the DHS has sufficient resources, to both assist the operator in complying with mandatory security and emergency measures” (yes, we’ll get to this…) as well as, through the US CERT “respond to assistance requests from…owners or operators of the national information infrastructure to…isolate, mitigate or remediate incidents”. …
Then you look at Section 248: “Cyber Vulnerabilities to Covered Critical Infrastructure”. Between this and Section 250: “Enforcement” the DHS is granted near unlimited authority to deliver requirements to critical infrastructure providers on handling security threats. In short, DHS can deliver a mandate that a certain security issue be addressed, and a set of mitigations to be used.
Maybe it is too early to get excited as bills go through many revisions and edits before they are passed, and most bills die in committee. But I do have some concerns:
1. Are we really proposing that DHS set the regulations, be in position to issue fines, and help owner/operators comply with regulations, and be brought in for remediation? So then they could be regulating the security controls they recommended, designed and maybe helped implement? Sounds like the days of the accounting companies providing services to companies they audited.
2. What evidence do we have that DHS or any other government agency is going to be good or even adequate at providing control system security services? [Fighting urge to rant more on this]
3. If DHS was going to offer services they would need a large increase in staffing of those with skills and experience. Where would they get them? From the critical infrastructure companies that they would then help? How many would they need to support even one sector?
I have no idea what DHS thinks of this idea. Many times Congress pushes Departments in directions they don’t necessarily agree are the best way to travel. This is also only one aspect of a long and interesting bill. There are also mandatory cyber incident reporting clauses [page 63], evaluation of owner/operator security [pages 72, 75, 76], enforcement [beginning on page 91], … All of this adds up to a massive and difficult scope of work for the proposed National Center for Cybersecurity and Communications.
There are some general cyber security research initiatives that would apply to control systems, and some specific candy for control system security research in Section 502:
(5) assist the development and support of technologies to reduce vulnerabilities in process control systems;
We will keep an eye on this proposed legislation.