The fact that Congress has to deal with DCS and SCADA security for the critical infrastructure is another sign of failure by everyone in the ICS community, and within the US Government primarily by DHS as the responsible agency.
Congress can’t be an expert in all fields, and certainly not in something as arcane as control system security. It’s ridiculous that Congress and its staff have to try to work out how to solve this problem by crafting legislation. They should assign the task, and the money, to an agency that works the issue, and there is no evidence that DHS has failed for lack of authority. To their credit, Congress sees little progress by the responsible agency in securing critical control systems and is trying to move the situation forward.
The best way to illustrate DHS’s failure is to look at the legislation itself, starting with the most damning evidence.
Prioritization and Focus – Sector Based Risk Assessment
Section 102 requires DHS to perform a sector-by-sector risk assessment “to determine which sectors pose the greatest immediate risk”. Sections 102 and 103 go on to require that this assessment be repeatable and ongoing.
Has DHS not done this yet? Shouldn’t DHS have handed the Committee the risk assessment report it has been producing repeatedly since it was founded? Shown how the assessment has become more sophisticated and thorough over time? Shown how it has driven the DHS programs? Shown how they have measured success in terms of an improved security posture?
And I would hope they have more than just an assessment of which sectors should be prioritized. They should have:
- a risk-based, tiered list of owner/operators in each sector (related to the crazy overreaction to a water pump in a small Illinois water utility)
- a list of the key hardware and software technologies by sector; for example, refineries use primarily Honeywell, Emerson and Yokogawa DCS (related to prioritizing ICS-CERT resources on key systems and applications rather than spending the majority of their time on freeware HMI)
- and possibly a list of the most important technical and administrative security controls missing in the top tier owner/operator systems
This prioritization requires making decisions such as: a canal that provides the only water to a large, heavily populated region should receive a great deal of attention, while a small, municipally owned water pump in Springfield, IL is handled by local authorities. It also requires the discipline not to jump on every vulnerability that can be tied to some control system function. Perhaps most of these should go through the normal US-CERT / CERT/CC process, except for those affecting products on the key hardware and software list.
The main point is that this prioritization is what any leader should do when given a task such as cyber security for the critical infrastructure. The fact that it has to be put in legislation is an embarrassment and a failure.
The USG has been trying a variety of public/private information sharing efforts over the last decade — PCSF, ICSJWG, ISACs, NESCO, … and now Cybersecurity Exchanges. The legislation is evidence that none have worked, although NESCO is still in play. It is unlikely that the government and the community have only lacked the appropriate structure for information sharing. The problem is that the government won’t share and almost all companies see no upside in sharing.
Personally, I doubt that information sharing would have a significant impact on improving ICS security. However, it appears that the DHS and the USG believe it is important, and thus it must be considered a failure.
If DHS believed information sharing was important, it should find a way to push important and useful information outside its walls (such as those vendor-eyes-only assessment reports and the information “senior government officials” have leaked about purported international incidents). The group that wants information sharing the most has to go first, and put the most information out there. DHS could then impose some minimal reporting requirements to get information back, a la the old BCIT incident database.
Admittedly there may be some small gains in the legislation in terms of relieving some of the legal and regulatory risk of disclosure.
--- Logical Segue ---
An open question for loyal blog readers – what can DHS point to as successes over the last ten years? Here is my list:
- Red / Blue ICS Security Training Class (current)
- Initial Beginner and Intermediate ICS Security Training (until 2009, now redundant and dated)
- PCSF Annual Conference (until 2008, the best information sharing effort to date)
- Co-funded SCADA and DCS security assessments at INL (This is a tough call. On one hand it is a massive failure because many of the most serious insecure-by-design issues have not been addressed and NOT HIGHLIGHTED by DHS/INL — fighting a Project Basecamp rant here. On the other hand I have vendor friends I trust who have praised the assessments and said the INL team found important vulns that they fixed. The biggest objection I have to this effort is that the USG vastly underplayed its hand and got little value for the money. They allowed INL’s CRADA to rule the day even though they were providing the money.)
It’s an amazingly small record for the dollars and time spent. Listen to DHS testify about its accomplishments before Congress. The accomplishments are thin and transactional. No government organization in the US is going to win by being transactional without severe focus, because the numbers don’t work.
How do you reward an organization that has significantly underperformed over the past ten years? Evidently, and regrettably, by giving them a lot more tasks and responsibilities.
That said, Congress deserves praise for tackling this. They see very little improvement and recognize the seriousness of the problem. Legislation is their only recourse.
Enough rambling and ranting for now. Interested in hearing any comments.
Image by dbaron