The DHS Office of Inspector General released the report DHS Can Make Improvements To Secure Industrial Control Systems on Valentine's Day. After US Defense Secretary Leon Panetta recently focused on critical infrastructure attacks in his “Cyber Pearl Harbor” comments and DHS Secretary Janet Napolitano warned of an imminent Cyber 9/11 that could cripple the critical infrastructure, one would expect significant recommendations for improvement given the minimal progress over the ten years of DHS’s existence.

Here are the two recommendations:

  1. Collaborate with OCIO to streamline the HSIN portal to ensure that ICS cyber information is shared effectively.
  2. Promote collaboration with Sector Specific Agencies and private sector owners/operators by communicating preliminary technical and onsite assessment results to address and mitigate potential security threats on ICS.

Ridiculous small ball with the tiniest of potential impact. No need to analyze this in detail. When the biggest voice in ICS security plays this way, it makes widespread progress with an intransigent community difficult. On Monday I’ll post on what DHS should be doing that does not require cybersecurity legislation or executive orders.

While the report’s analysis and findings are easily dismissed, more noteworthy and troubling is the DHS view of the cause of, and solution for, fragile and insecure ICS. The serious flaws start early, in the first paragraph of the Executive Summary:

Security for industrial control systems has been inherently weak because the systems were not designed to be accessible from external networks or the Internet. However, beginning in 1990, companies began to connect their industrial control systems with enterprise systems that are connected to the Internet. This transition allowed remote control of processes and exposed industrial control systems to cyber security risks that could be exploited over the Internet. … This transition allowed remote control of processes and exposed ICS to cyber security risks that could be exploited over the Internet.

So if we just remove the Internet and external connections, it would be OK for critical infrastructure ICS to be fragile and insecure by design? Bring back the air gap or the one-way data diode and the problem is solved. This is how the ICS community got into the mess in the first place, and it reflects the “keep the bad guys out” approach seen in ICS-CERT mitigations, in many vendor responses, and among faux defense-in-depth proponents.

Stuxnet demonstrated to the world that an Internet connection to the target is not required to launch a devastating cyber attack. Did DHS miss that? A target that is probably better defended against attacks from the Internet than most installations in US critical infrastructure got hit anyway, and it wasn’t magic: the malware crossed the air gap on removable media and then spread across the internal network. Critical infrastructure SCADA and DCS need to be robust and secure, full stop.

ICS are increasingly under attack by a variety of malicious sources. These range from hackers looking for attention and notoriety to sophisticated nation-states …

Do we have evidence of more than a handful of incidents of hackers looking for attention and notoriety attacking ICS, particularly any examples of attacks on critical infrastructure ICS? This continues another disturbing trend of falsely conflating the increase in disclosed ICS vulnerabilities with attacks on ICS. A disclosed vulnerability is not an attack.

Hackers and researchers looking for attention have focused on ICS software post-Stuxnet, and this resulted in a steep increase through 2011 in disclosed vulnerabilities. ICS software, with some notable exceptions, was developed with such poor security and software development practices that any statistics on disclosed ICS vulnerabilities can only be read as an indicator of the effort spent finding them, not of how many exist.

Two quick notes on the specific analysis in the report:

  1. It gives the training only a minor mention. The week-long advanced red/blue training course held on real systems is the crown jewel of DHS’s efforts in this space.
  2. Based only on the information ICS-CERT has published, the report’s touting of the ICS-CERT Incident Response Teams (the fly-away teams) is tough to analyze. These teams would be quickly overwhelmed in any serious cyber attack, most of the cyber incidents they responded to were not ICS incidents, and some of the highlighted incidents would have had little or no impact on the critical infrastructure even if they had been successful malicious attacks. All that said, it is a positive to have this force ready and practicing on the best incidents that are available. It’s worthy of a more thorough analysis.