Burning Money

The US Department of Homeland Security Control System Security Program (DHS CSSP) is probably the USG’s biggest effort to improve ICS security across the critical infrastructure sectors. But the question was always how big?

We just received the numbers: $22.5M in FY 2009 and $27.5M in 2010, an average of $25M over the past two years. The information did not include a breakout of those gross numbers, but it did say there were 5 full-time personnel in 2009 and 12 in 2010. It is a good guess that the budget number includes the cost for ICS-CERT and some costs for the national lab support.

$25M is a very small number compared to the DHS budget or overall USG budget, and on one hand it seems way too small for something as important as helping improve the admittedly sub-standard security posture of a large number of DCS and SCADA system deployments. Very small.

On the other hand, would a loyal blog reader who is active in the ICS security space feel good about spending another $25M to get twice the benefit from what was received last year from the DHS CSSP? Probably not. Maybe we need to see a 5x or 10x increase in output or benefit from the DHS CSSP before putting more money there.