SCADA Security Legislation

Last week President Obama provided a legislative proposal on cybersecurity with a potentially large impact on the ICS community. Actually it is a number of legislative proposals in a single document. A portion of it covers government “evaluation” of critical infrastructure security and new criminal penalties for SCADA hacking. There is a fact sheet, proposed legislative language, and a section by section analysis by the White House. Here are the ICS related highlights.

Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act

Pay attention to this part of the proposal. It is the plan for DHS to regulate critical infrastructure cybersecurity across all sectors.

Companies responsible for critical infrastructure ICS would be put into “Risk-Based Tiers”. If your company is in one of the higher, as yet undefined, risk-based tiers, a cybersecurity plan must be developed, signed by a corporate officer and “be available for review, inspection, and evaluation by an evaluator pursuant to section 6, the Secretary, or an agency with responsibility for regulating the entity.”

DHS then sets up third party evaluators, like FERC did in selecting NERC, to consider if the cybersecurity plan is sufficient. Evaluations must occur annually.

To give this a SOX feel, the corporate officer must include in SEC reporting that the cybersecurity plan exists, is sufficient and has been evaluated. Finally, the legislation would require owner/operators to report any significant cybersecurity incidents to DHS.

This proposed Act would be serious regulation of the ICS community, except for one thing. The language specifically excludes fines, penalties or shutdown orders. Even without the stick, it would have a major impact on ICS security, both good and bad.

§ 1030A. Aggravated Damage to a Critical Infrastructure Computer

The proposed sentence for “the substantial impairment—(A) of the operation of the critical infrastructure computer; or (B) of the critical infrastructure associated with such computer” is three years. This is a step forward in identifying the impact of a DCS or SCADA attack. It is not the theft of money, intellectual property, personal information, … It is affecting the process or the computer systems that monitor or control the process. I’ll leave it up to the loyal reader to determine if the sentence is appropriate.

The proposal also defines what a “critical infrastructure computer” is:

the term “critical infrastructure computer” means a computer that manages or controls systems or assets vital to national defense, national security, national economic security, public health or safety, or any combination of those matters, whether publicly or privately owned or operated, including gas and oil production, storage, and delivery systems; water supply systems; telecommunication networks; electrical power delivery systems; finance and banking systems; emergency services; transportation systems and services; and government operations that provide essential services to the public.

DHS Cybersecurity Authority and Information Sharing Act of 2011

Most of this consists of soft activities that, quite frankly, DHS is already trying to do. Efforts to promote information sharing, developing security technologies and tools, disseminating threat and vulnerability information, education and outreach, conducting cyber exercises … it sounds like ongoing programs. Perhaps it is just putting more emphasis, and maybe money, on these tasks.

It is not all soft activities though. DHS shall also

develop and conduct risk assessments for federal systems and, upon request, critical information infrastructure in consultation with the heads of other agencies or governmental and private entities that own and operate such systems and infrastructure, that may include threat, vulnerability, and impact assessments and penetration testing.

This would be an expansion of the DHS flyaway teams, and it is unclear what “consultation” means. Would DHS have to be invited in, or could it choose whom it wants to assess?

It will be interesting to see what, if any, of this proposal gets considered by Congress.

Image by Muhammad