ICS Legislation

Dave McCurdy, President & CEO of the American Gas Association (AGA), will testify before the US House Committee on Energy and Commerce. He has published his testimony (ht: Patrick Coyle). After singing the praises of his industry's efforts on ICS security and the current public/private partnership, Mr. McCurdy takes potential US Government regulation head on:

In the recent past, concerns over increasing cyberattacks on critical infrastructure have led to legislative efforts to create a set of top-down cybersecurity regulations. AGA remains concerned that prescriptive cybersecurity regulations will have little practical impact on cybersecurity and, in fact, will hinder implementation of robust cybersecurity programs.

First and foremost, prescriptive cybersecurity regulations would fundamentally transform the productive cybersecurity relationship natural gas utilities have with the TSA Pipeline Security Division from a successful partnership to a more standard regulator-regulated mode, forcing companies to focus more resources on compliance activities than on cybersecurity itself. Also, from a practical perspective, it is unlikely that any set of cybersecurity regulations will be dynamic enough to help companies fight constantly changing and increasingly sophisticated threats.

I sympathize with AGA and other organizations trying to avoid regulation. NERC CIP actually harmed the cyber security posture of companies that were actively trying and succeeding in improving their ICS security. The gas sector, broadly viewed, has been one of the most proactive sectors, along with petrochem, in addressing ICS cyber security.

AGA membership is primarily natural gas distribution companies, but it also includes transmission companies, storage, and others involved in the industry. Some of these members are Digital Bond clients, and some have been actively working on SCADA security for over five years and are making great progress. Regulation would likely do little to improve their security posture.

The problem is that the majority still have very poor SCADA security programs and, just like the electric sector, will not spend money or resources on this until forced to by regulation or until something very bad happens. NERC CIP has at least forced some utilities to harden their security perimeters, employ user management controls, etc.

Two other points:

  1. I’m not sure if fracking falls under AGA, but those plant and field systems are being put up so fast because every day of delay can be measured in dollars. Cyber security, while desired, is often pushed aside to get the operation running.
  2. Insecure by design – even those owner/operators who care and are actively working on security are stuck with a keep-the-bad-guys-out philosophy, given the protocols and PLCs/RTUs available today. The defense-in-depth is really defense-in-security-perimeters.

I’m increasingly sympathetic to the contention that government or industry regulation is required. Developing effective and efficient regulation or certification programs is difficult, and I don’t have the answer, or strongly felt concepts, on how to do it. However, the lack of discussion and experimentation on what type of regulation or certification would be effective is disappointing.
