Yesterday the Senate Homeland Security and Government Affairs Committee held a hearing on Securing the Critical Infrastructure in the Age of Stuxnet. There were four panelists, and here are my notes:

Sean McGurk – DHS Acting Director, National Cybersecurity and Communications Integration Sector

Sean was formerly responsible for control system security at DHS NCSD, so his background was perfect for this hearing. The Stuxnet portion of his prepared testimony was clear, effective and understandable for a Congressional audience. One of the best short explanations I’ve heard of what it is and why it matters.

I was a bit baffled by his comment that for Stuxnet they [DHS] were able to “configure the actual manufacture equipment … dissect the code to determine what is capable of doing … impact on a physical infrastructure.” If I had been next on the panel I would have asked: if you had that equipment and knowledge, why didn’t DHS share the simple way an asset owner with PLCs could know whether their system would be affected? Why was all the useful information coming out of Symantec or Langner communications? This is one of many reasons I’m never on these panels.

Sen. Lieberman then commends ICS-CERT on their work on Stuxnet, and then Sean highlights vendors’ involvement in the analysis at ICS-CERT. The vendor was a German company, this particular vendor … are we afraid to say Siemens?

Then he ducks the question of who wrote Stuxnet: “attribution and intent are other” organizations’ mission.

Mike Assante – CEO of the National Board of Information Security Examiners

Mike was until recently Chief Security Officer at NERC and is ex-INL, so he has the knowledge and is now less burdened by political issues. His prepared remarks were solid, but nothing too interesting for regular blog readers. He focused a bit, but not too much, on training, which is not surprising given his new company’s training and certification focus. His more interesting contributions were in the Q&A.

He nicely turned a bad question into a discussion of the history of simple, non-directed attacks as compared to Stuxnet, and of the issues with safety and control system integration.

Interesting that he said legislation needs to be done smartly, but came out in favor of more DHS authority.

Dean Turner – Symantec

Gave an overview of their Stuxnet analysis; their paper and blog entries are a better source. “What should we be doing? First, deploy up-to-date malware security.” Hmmm . . . maybe after-the-fact protection, assuming the malware has not been altered.

Symantec commends DHS for partnering with industry. Participated in Cyberstorm 3 … cozying up to DHS. How is Stuxnet a good example of public/private partnership?

Symantec has identified 50 Stuxnet infections on networks that affected control system components from Siemens. Interesting that Siemens has only admitted to 15.

Mark Gandy – Dow Corning Corporation

Speaking on behalf of the American Chemistry Council [ACC], his prepared remarks focused on what chemical manufacturers have been doing on control system security for the last nine years. The basic tenor of the formal remarks and answers is that the chemical sector has control system security in hand, with continuous increases in security and resilience. Read this as “we do not need regulation”.

Notes on the Senators

Sen. Lieberman was very competent in his questions and comments.

Sen. Collins’ questions were weak. How vulnerable is the critical infrastructure to cyber attack? How prepared is industry? I thought we were past such general questions, especially from a cyber security bill co-sponsor.

Sen. Coons focused on the intellectual property ramifications of Stuxnet. Seems like an unnecessary diversion from the impact on the critical infrastructure.