ICS Security Legislation

Next Tuesday the US House of Representatives Committee on Homeland Security will have a hearing titled: America is Under Cyber Attack: Why Urgent Action is Needed. The panel who will provide testimony and answer questions has not been announced. If it follows typical panels it will be at least two people from the government (DHS, DoD), someone ex-government who is now in an industry organization, and a wild card. The ICS critical infrastructure will come up, but it may not be a focus.

I’m not naive enough to believe that hearings are really for gathering information. The real work happens behind the scenes, and the hearings are mostly show pieces for the legislators and opportunities for the witnesses to explain why their organization is doing a good job. But let’s imagine the real purpose of the hearing was to gather information and educate legislators about critical infrastructure ICS security in the US. Who would you like as a witness?

Here is my list of 5 dream witnesses.

  1. Disgruntled GE, Siemens or Schneider PLC security professional – Pick whoever you think is the worst ICS vendor in terms of security, and the vendor likely has a few individuals who have been fighting and losing the battle to put security into the products. It’s been true in every company we have encountered. Have him explain the reasons why even basic security controls are not in the product. Have him explain how the vendor convinces the customers that the vendor is doing a great job on security when the real goal is to avoid product changes.
  2. Anonymous engineer with security skills in typical utility – We would need to go back to the days of the anonymous speaker in a dimly lit room with the voice distorted to hide his identity, and in a perfect world anonymity for the witness and his company. Have him explain how easy it would be for an attacker to compromise his SCADA or DCS and in simple but specific terms describe the serious damage that could be done.
  3. Rubén Santamarta, Reid Wightman or Dillon Beresford – These are the three top PLC hackers that raise their heads in public. The witness would need some coaching to greatly simplify the information, but he would explain how simple it was to compromise a PLC. For example, Reid taking eight hours from recording communication to uploading his own rogue ladder logic. Get the legislators to realize it really is that bad — worse than their home computer or ATM card.
  4. A CEO or COO of a utility who gets it and has been hard driving security in his organization. I know a few names. These leaders can talk about what it takes to overcome the inertia. The time, the money and the level of personal passion from the top that is necessary. The C-level would candidly talk about failures and successes and work left to be done. Also, what remain the biggest impediments to further improvements in their ICS security posture.
  5. Me – I know, but it’s my dream. I came close to testifying once when an industry organization liked my point of view on an important issue and was asked to recommend a panelist. Additional discussions about what I would say if xxx or yyy came up in questioning quickly disqualified me.

Loyal blog readers have a good idea of what my testimony would be, but if I get ambitious I’ll write it up this weekend and post it.

What would you say to your legislators if you had the chance?

Image by USDAgov