“While I'm getting things off my chest, this process looks like its developers never actually saw especially small facilities with relatively limited resources. The SSP tries too much to be all things to all facilities with little concern for their size, function, location, etc. Perhaps it would have been better if there had been separate SSP's based, in addition to Tier level, upon the size of facility or type (i.e. chemical, educational, manufacturing, paper, water treatment, etc.)”

Now, I know that DHS developed all of their tools with the intention that any covered facility, regardless of size or type, could provide information about their security efforts. This means that there are many questions that will be answered “No” or “N/A” by many facilities, especially smaller facilities. I’m not sure, however, that DHS has communicated adequately that it does not expect facilities to treat these questions as security guidelines that must or should be followed by every facility. Part of the problem is, of course, caused by the Congressional restriction that DHS could not require specific security measures as a pre-requisite for SSP approval. I understand, and agree with, the underlying reason, but it does make it more difficult for DHS to communicate what is expected of facilities. Another problem was the short amount of time that DHS had to get all of this put together. There simply wasn’t time to develop separate SSP’s for each industrial sector that might have covered chemicals on-site. Though, to be fair, DHS has addressed a number of individual chemical communities with the suggestion that they develop an Alternative Security Plan process for their specific situations. Most have declined, allowing the burden to remain at the doorstep of DHS. Some individuals at ISCD have been particularly upset with the academic community in this respect.
SSP Misnomer

Dick Sem also points out a problem with terminology, writing about the Site Security Plan process that “And once you're done, you have a completed checklist with planned and proposed measures but no actual plan.” A number of writers (myself included) have pointed out this particular problem, but none of us have yet come up with a good solution. It certainly wouldn’t be practical for each facility to submit a compilation of all of the security procedures that are in use at a facility. For a larger facility this could easily run to a couple hundred densely written pages explicating who does what to whom. Evaluating such documents at DHS would certainly be unmanageable with twice their current staff. Now, those procedures are actually more important than the SSP submission checklist when it comes to actually protecting the facility.

But there is another problem with the submission of full procedures: DHS has taken the stance that the approved SSP is, in fact, an enforceable contract between DHS and the facility. Once the SSP is submitted and approved, DHS can require the facility to properly employ, train and maintain the system outlined in their SSP. Failure to do so could result in $25,000/day fines. Now everyone knows that effective procedures must be living documents, constantly being updated and revised to reflect their operation in the real world. As long as such changes do not change the answers to the SSP questionnaire, facilities would have more leeway to make these modifications. If the actual procedures were submitted and approved, DHS would have to buy off on even the smallest procedural changes.

Process Discussion

One thing that we have seen is that DHS realizes that their process must also grow and evolve as lessons are learned. Comments like Dick Sem’s are an important part of the process of making the CFATS program more effective. I know that I have a significant readership at ISCD, so DHS is seeing this discussion.
I would like to solicit comments from anyone that has been involved in the implementation process. Comments from security professionals are important, but so are comments from security managers of facilities that are going it alone, without advice from security professionals. System integrators and vendors will also have valuable inputs to this discussion. We do have to worry about CVI issues in this discussion. While I have decried the overuse of ‘Anonymous’ in posted comments, I would much rather have that than names that can be linked back to a single facility. And please, let’s keep the discussion generic so that no facility’s security is compromised.