S 3454 and Cybersecurity

At the end of last month I discussed the possibility of Congress attaching cybersecurity language to the DOD budget bill. I thought of that today when I noted that yesterday the Senate started work on passing S 3454, the FY 2011 DOD authorization bill. This isn’t the same legislation I addressed in that earlier blog, but it is a large bill that is likely to pass and subject to having lots of pet projects attached to it. So I checked to see what cybersecurity provisions were included. Sure enough, there are a couple of obscure provisions that might be of peripheral interest to the industrial control system community.

Pilot Projects on Cyber Security

Section 215 requires the Secretary of Defense to support or conduct four specific cybersecurity pilot projects. As with most of the cybersecurity programs being discussed in the Federal Government these deal mainly with IT systems not control systems and are focused mainly on government systems.

One of the mandated pilots, however, is focused on non-government systems in the ‘defense industrial base’. Under §215(b)(3) the Secretary of Defense would be required to “assess the feasibility [sic] and advisability of utilizing managed security services to improve the cybersecurity capabilities of elements of the defense industrial base”. Nothing in the language describing this system identifies control systems nor does it limit it to IT systems. This pilot would be done in coordination with DHS.

Another of the pilots, described in §215(b)(4), would look at encouraging the private sector to develop cybersecurity tools “to permit the Department of Defense to address threats, problems, vulnerabilities, or opportunities in cybersecurity”. The pilot would focus on the “identification and procurement of cybersecurity capabilities applicable to both Government and private-sector needs”.

Annual Progress Report

Starting March 15, 2011, the Secretary would be required {by §935(a)} to submit an annual report to Congress “on the progress of the Department of Defense in defending the Department and the defense industrial base [emphasis added] from cyber events (such as attacks, intrusions, and theft)”. Again this doesn’t specifically include industrial control systems, but it doesn’t limit the report to IT systems either.

With the recent discussion on the possibility of the Stuxnet worm being developed to ‘attack’ Iranian nuclear production facilities via their Siemens control system, I think it is reasonable to assume that anyone looking at preventing cyber attacks on the defense industrial base will certainly want to consider control system attacks.

Moving Forward

Next Tuesday, the Senate will vote on closing debate on this bill. If there are 61 votes (possible) in favor of that cloture motion then the Senate will begin their debate Tuesday afternoon and a vote on the bill could come this week. There are other issues in this bill that could prolong the debate, but nothing that is likely to affect these provisions.