All talk, no action. The various agencies are using only a fraction of the power they have to make a difference in ICS and SCADA cybersecurity. All the potential legislation, executive orders, and political platform stances only effective purpose is to make people believe they care about critical infrastructure cybersercurity.
Since the potential executive order details leak is the latest, let’s begin with that and then move to what would be effective today that requires no new authority — just some common sense and political fortitude. (see Mark Clayton’s article for some of my comments on cybersecurity in the political platforms)
Executive Order Review
The leaked information on the Executive Order indicates that five items in Section 8 is where the supposed important changes to current policy are found.
- 8.1 asks industry to voluntarily submit cyber threat information to the government. They have been encouraging this for years and have ICS-CERT in place for this.
- 8.2 requires DHS to do a privacy assessment of the cyber threat information they receive. Since most companies are hesitant to share information this is quite easy.
- 8.3 requires another effort to define what is critical infrastructure. How is this still a question 11 years after the 9/11 attacks. Shouldn’t DHS be able to pull out and hand to the President a prioritized list along with the methodology to create it and the periodic review schedule?
- 8.4 requires the US Government to put security requirements on their own ICS purchases. This is similar to the approach Alan Paller has been pushing for years.
- 8.5 requires a report that identifies potential carrots that could be offered to industry, such as liability protection.
The most interesting item in the leaked info is a requirement for the Executive Branch to determine what agency is responsible for cybersecurity in each critical infrastructure sector.
There is nothing leaked so far that is controversial, that couldn’t be done without an executive order, or that would make a difference.
What’s Your Solution?
My claim is that no new Executive Order or Legislation is required for the US Government to help significantly improve the critical infrastructure ICS security posture.
The first thing the US Government needs to do, along with the ICS security community, is believe this problem can actually be solved. This may shock many loyal blog readers, but most people in the ICS community don’t believe even basic cybersecurity is possible. It is. I’ve seen it, but it requires will, effort and money. So here is what the US Government should be doing to solve the problem.
1. All critical infrastructure ICS should have basic cybersecurity in the next 1 to 3 years.
- Source and data authentication for any communication that could affect the reliability of the critical infrastructure process (firmware uploads, application logic uploads, write commands, selected management commands, and some read commands for critical monitoring data)
- A security perimeter for the critical infrastructure ICS that prevents all inbound access except for emergency situations
- A security patching program for all software on the critical infrastructure ICS. Any software that is not supported or cannot be patched must be replaced.
- Administrative security controls that cover people and media that have access to the critical infrastructure ICS.
This exact list of basic cybersecurity requirements may vary slightly from this (I had a detection bullet and removed it). The key is to have a list of the most important 3 to 5 items that every critical infrastructure ICS should be addressing.
Again I’m baffled that 11 years after the 9/11 attacks that we don’t have a clear, simple statement of what basic security protection is required. We have the government and many ICS security guru’s telling us how difficult this is and how we should implement all these elaborate compensating controls rather than just fixing the root problem.
2. Put the C-Level Executives On The Line
There is already a mechanism to do this — the Securities and Exchange Commission (SEC). The SEC has guidelines for cyber disclosures and material risks, and they are beginning to enforce these.
Make the SEC aware of the ICS security risks related to the lack of the basic security controls. They will require all companies with a critical infrastructure ICS report on their status and plans to meet the basic security requirements as part of their financial reporting — that is signed off by the C-level executives and board members. This will drive action.
There are a number of critical infrastructure ICS that are not owned by public companies. However if the public companies do it there will be critical mass that will force the non-public company regulators to require similar information.
3. Good Cop / Bad Cop
It’s a cliche, but it does work. DHS should be the bad cop. This is a roll they have scrupulously avoided for the last 11 years, and see how little progress has been made. DHS should be hitting hard the basic security requirements from Step 1 with a
- Major security awareness campaign on what they are and why they are needed
- Vivid and varied demonstrations on how not having these basic security requirements is a huge risk (DHS should be doing Project Basecamp type awareness activities) The attackers know all of the insecure by design issues, so there is no need to hide it from the defenders.
- Tracking security status of products and protocols. For example, lists of ICS protocols with and without source and data authentication. List of ICS products that are running only supported software that can be patched.
The other Executive Agencies would play the role of good cop. The Department of Energy is a great example where they have been working with industry on the Energy Sector Road Map, spending research dollars to achieve Road Map goals, and helping the sector reach consensus on what needs to be done. By the way, this is all independent of the NERC CIP regulatory efforts that have been a failure.
The good cop would work on the broader security program issues, guideline and good practice documents, and yes, even information sharing.
Today the energy sector is far ahead of transportation, water, chemical (from a government perspective), and other critical infrastructure sectors.