Thursday, August 13, 2009
Weiss on Primer
Dr. Joe Weiss has a short piece at ControlGlobal.com on the DHS Primer Control Systems Cyber Security Framework and Technical Metrics report that I discussed in yesterday’s blog. While his piece is not a reply to my blog, it does make some interesting observations that bear repeating. Since he is much more knowledgeable on control systems security matters than I ever hope to be I thought that I would use the benefit of his knowledge to extend yesterday’s discussion. Accidents not Attacks First he points out that, while “most control system cyber events are incidents not attacks”, the “the Primer is focused on malicious IT-type attacks”. This is a common problem that DHS faces in many of its endeavors. Its mission is to protect the nation from ‘malicious’ attacks from within or without our borders. The fact that more people and infrastructure are damaged every year from incidents due to stupidity, poor design, inadequate attention to detail, or just plain sloppy execution than have been hurt by terrorists (foreign or domestic) in the last 10 years, has little bearing on the DHS outlook. Their job is to squish terrorists. Most industries in this country look to OSHA or EPA to regulate the prevention of ‘accidental’ injuries in the work place. Unfortunately, neither organization has done much to look at the effects of inadequate regulation of industrial control systems on personnel injury rates or unintentional environmental releases of hazardous chemicals. Given the speed (or lack thereof) with which these two organizations have responded to recommended changes in dust control or control of reactive chemistry, it will be decades before they address cyber control issues. Security Knowledge Joe then goes on to say: “There are very few people that actually understand control system cyber and most are not in the security group.” He makes a good point here. If the corporate security people have an IT background not a control system background (the normal course of events) the problems that they will project into the system by employing typical IT security procedures will be tremendous. Any high-risk chemical facility that uses an ICS must have a control systems engineer on the security team. Someone who truly understands the ins and outs of the control system will be very valuable to the security team even if that engineer has little or no IT security training. What would be even more valuable would be to have someone trained in control system security, but as Dr. Joe has mentioned in a number of his blog postings, there is no such training program yet in existence. Maybe CERT should start providing grants for a cyber security chair at Cal Tech, Ga Tech, and MIT. That would start catching industry attention. Legacy Control Systems Joe’s last point is that the Primer “does not recognize the unique issues with legacy control systems”. Control systems are expensive and have steep learning curves, so they are not replaced just to keep up with generational changes in the marketplace. Only complete system failures, new production requirements, or changing enterprise software requirements will typically lead to installation of new systems. Even then, while the computers used to host the ‘system’ are likely to be updated to handle the capabilities of new software, the outlying sensors and controls usually remain in place until they fail. The ‘legacy control systems’ issue is related to the fact that most of these older systems have only limited security capabilities. There was little need for security programming when these systems were developed because there was no intention to connect them to the Internet or to allow wireless communications connections. Joe sums up the problem by noting that “Many systems cannot take complex passwords. Many systems simply cannot be patched expeditiously, if at all.” Better than Nothing While Dr. Weiss makes many important points in this short piece, and would certainly be able to provide more examples of short comings with this Primer in a longer piece, I still think that Primer provides an important start in establishing the idea that cyber security is a process. As with any process that industry uses, it should be subject to continuous improvements and that requires a measurement system to evaluate if changes made to the system actually result in improvements. This Primer provides a start for establishing such a measurement system. As we inevitably begin to churn control system security specialists out of our educational facilities more work will be done on developing and improving the metrics for tracking system security issues. The widespread adoption of a system like that outlined in the DHS report will be an important first step in that improvement process.