ICS Security

A second NIST led 3-day workshop on the Cybersecurity Framework required by President Obama’s begins tomorrow in Pittsburgh. I’ve been quiet and non-participative on this effort to this point. The reason for not participating is primarily because I don’t see the final result having an impact, nor my participation having an impact on the resulting framework. There are so many opportunities to contribute to the ICS security community so why waste time on efforts you don’t believe in.

The reason for the silence is the lack of a thoughtful, intelligent and specific recommendation for the success of the Critical Infrastructure Cyber Security Framework required by President Obama’s Executive Order. Imagine you are omnipotent and have sole discretion to create the Cybersecurity Framework. What would you do?

After wrestling with that question for a several weeks now, all I am able to come up with are three guiding principles.

  1. Develop the Framework with the intention that it will be the basis, or at least foundation, for future regulation. Two reasons: First, the benefit of another guideline document would be minimal. There are numerous ICS security guideline and standards out there, and a number of them are quite good. We have ISA99/IEC 62443, SP800-82, NERC CIP, NISTIR, ACC, … just take a look at all the CSET question sources or the catalog of ICS security requirements. Perhaps there would be a marginal benefit of having this be a more authoritative document coming from an Executive Order, but this benefit would be small ball like information sharing. Second, converting documents not designed for regulation to regulatory documents is hard, ugly and often fails. Just ask most everyone involved with NERC CIP.
  2. Don’t try to create a comprehensive list of security controls for ICS (a la SP800-53). Many in the ICS community have pushed for an SP800-53 approach believing NERC CIP is light on requirements and if it is good enough for the government why should critical infrastructure ICS be held to a lower standard. The flaw in that argument is SP800-53 has been a failure. Just do it like the USG does when US agencies and departments get graded poorly year after year? The USG is looking for better solutions that SP800-53. A long list of good security practice controls is going to be impractical and inefficient. The term framework implies they will not make this mistake.
  3. Give up the myth that this is industry led or an effort to help companies. White House Cybersecurity Coordinator Michael Daniel was quoted in a Boston Globe article saying:

“The most important thing right now is making that framework truly industry-led, truly a collaborative product, and truly something that is useful to companies,’’ Daniel said.

The timetable (draft in October and finalize in February) doesn’t support an industry-led and collaborative product. Going back to the first point, start developing a framework that supports possible future regulation. Get input where it is helpful to that purpose, but don’t even try to come up with a meaningful consensus framework.

Governments could have a big impact on ICS security, and I’ve written before on what they should be doing and could be doing with the existing authority.

In the spirit of BSides of an event by an event, Jack Whitsitt is arranging some discussion of the Cybersecurity Framework outside of the official Workshop tomorrow at 2PM EDT and maybe again another time.

Image by Pyca