SCADA Security Legislation

The Senate Committee on Homeland Security & Government Affairs held a hearing on the recent White House legislative proposal on Cybersecurity. Pay attention to this as it would have a big impact on the most critical infrastructure, and there have been efforts to coordinate this with legislators and past legislative proposals. A video archive of the hearing is available. Our listening recommendation to the ICS security community is to jump straight to minute 99.

At minute 99 Philip Reitinger of DHS gives a good overview of the Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act. The goal was to “find a way to set requirements in a way that will reward private sector companies that are doing the right thing” Prioritization would be key, and only the most critical of critical infrastructure would be “Covered Critical Infrastructure”.

DHS would identify a set of risks that must be mitigated, but not provide requirements on how to address the risks. My Reitinger stressed “the biggest leverage is transparency” to drive market activity — or as some called it “name and shame”. The evaluation results would be published, and considered as part of any USG procurement advantages or disadvantages.

There are some differences with the previous Lieberman / Collins bill that were discussed. For example, the Senate bill had DHS perform the evaluations while the Obama administration would have accredited third parties perform them. The Senate bill had a White House Cybersecurity Office to coordinate all the activities with an official that would be confirmed by the Senate. The idea of congressional oversight was stressed a few times as needed in the Obama proposed legislation.

If you have a bit more time listen to the very start for Senator Lieberman’s opening statement. He said “DHS will be the new sheriff in town” to protect the .gov as well as the .com related to the critical infrastructures. As evidence of the DHS competence, Senator Lieberman pointed to DHS recently convincing Dillon Beresford to cancel his Siemens vulnerability presentation at a conference. Hopefully there are better examples than that. (BTW … Dillon wrote about his experience with ICS-CERT and Siemens as well as the release of a vulnerability update ICS-VU-353799 on SCADASEC.)

Senator Lieberman seems to get it, but I remain baffled by Senator Collins. As in past hearings she seems new to the issue after being involved for years now. Sen. Collins was quite worried that the evaluations would tell our potential enemies what company’s ran the US’s most critical infrastructure. Even after the panel gently tried to inform her she didn’t get that this information is really not difficult to determine.

This panel will be testifying before five more committees in the near future. Again, keep an eye on this effort. It is the first one in years that seems to have a good chance of passing in a modified form.