INL ICS Security

Let’s take a closer look at DHS since this is the week of DHS’s ICSJWG Spring Conference. Like many, I’m guilty of treating ICS-CERT as if they are THE DHS sponsored organization responsible for ICS security in the US Government. ICS-CERT is part of the DHS Control System Security Program (CSSP) and should be treated and evaluated as a CERT.

ICS-CERT does a fine job coordinating activities between researchers and companies. They are balanced and try to reach a compromise that satisfies both parties. It is a huge benefit for a researcher to be able to turn over findings to ICS-CERT and let them deal with the coordination. Just ask McCorkle and Rios who turned over a huge amount of HMI vulns. There have also been many cases where ICS-CERT knocking on a vendor’s door has gotten a response after the researcher was ignored.

While ICS-CERT has done well on coordination when the researcher and company cooperate, their products, alerts and advisories, are based and biased towards whatever the vendor has admitted or released. It’s not surprising that the vendor panel at ICSJWG had high praise for ICS-CERT. It’s also not surprising they support the vendor’s point of view since many are customers paying INL top dollar for ICS security services.

ICS-CERT has failed to use their ICS expertise or wealth of lab equipment in the ICS-CERT Alerts and Advisories. They have been a clipping service, reporting whatever information others have chose to make public and no more. The best example of this is the Beresford vulnerabilities where ICS-CERT had the Siemens equipment, must have known Dillon was right, and still went with the Siemens party line until it was no longer tenable. That ICS-CERT did not suffer a massive black eye when they completely missed the PLC attack portion of Stuxnet is still baffling. It’s so easy to get me ranting on this topic … and the point is that a CERT is just a portion of what DHS is responsible for in ICS security.

While ICS-CERT ≠ DHS CSSP, it is credible to say that ICS resources at Idaho National Labs (INL) is DHS CSSP. Marty Edwards, the DHS Director of CSSP was formerly in a similar role at INL. Marty still lives in Idaho and has his office at INL. ICS-CERT resources are from INL. The DHS CSSP program office has been staffed by INL contractors. The DHS training courses were developed and are delivered by INL. The fly away teams come from INL. It goes on and on.

PNNL and Sandia play bit roles in DHS ICS security compared with INL, and actual DHS employees unconnected to INL are anomalies and tend to only last a year or two.

A fair characterization is DHS has outsourced ICS security to INL.

Many people mistakenly believe that national labs and non-profits operate for the public good and not as businesses. Most try to maximize revenue like other companies and find ways to allocate and spend that money so it is not considered profit. The national labs are no different. In fact the rates at INL for things like training and support are much higher than commercial industry, both small and large commercial organizations, because the labs have played the game for many years and know how to establish and support huge rates without making a “profit”.

Sometime buy a manager at a national lab a beer and ask them how the operating company, Battelle Energy Alliance (BEA) for INL, makes money. You will hear a load of stories about all the tricks and restrictions preventing reasonable use of knowledge and resources available from the lab. They are a business, and the INL 10-year management contract was valued at $5B. This is not bad, but thinking of them as an altruistic organization is deeply flawed. In fact, INL has more, and gets away with more, conflicts of interest than any other organization in the ICS security space.

There is ICS security talent at INL. This is not the issue. They should be a resource available to the US Government, vendors, and owner/operators can consider to help with ICS security. INL shouldn’t be the DHS CSSP.

DHS is now almost 10 years old. Was the expectation of Congress and the various Administrations that DHS would outsource critical infrastructure ICS security? Is this going to continue? Should this continue based on the progress over the last ten years?