Thursday, February 24, 2011

S 413 – Risk Based Security Measures

As I noted in my initial blog posting on the recently introduced S 413, the Cybersecurity and Internet Freedom Act of 2011, the bill would require the establishment of regulations requiring security protections for industrial control systems in certain critical infrastructure facilities. Today I would like to take a look at the requirements for those regulations outlined in this bill.

Risk Assessment

Section 248(a) of the bill would require the Director of the National Center for Cybersecurity and Communications (NCCC), in conjunction with appropriate governmental regulating agencies, to conduct a cyber risk assessment “on a continuous and sector-by-sector basis [emphasis added], [to] identify and evaluate the cyber risks to covered critical infrastructure” {§248(a)(1)}. The risk assessment would look both at the potential for attack and the consequences of a potential attack.

The first such report would be due within 180 days of the passage of this legislation. There is also a requirement for annual updates of these reports. The reports would be submitted to Congress, but to aid in the widest possible dissemination of the information, the reports are required to be unclassified. To allow Congress to be informed of risks based upon classified information, the Director may include a classified annex to the report.

An interesting component of this risk assessment is the requirement for the Director to establish a “process under which owners and operators of covered critical infrastructure may provide input on the findings of the reports” {§248(a)(3)(B)}. A potential method that could be used to fulfill this responsibility would be to establish a cyber security fusion center.

Risk-Based Security Performance Measures

After the first risk assessments are required to be completed, the Director would have an additional 90 days to publish, again in ‘coordination’ with the appropriate federal regulating authorities, “interim final regulations establishing risk-based security performance requirements to secure covered critical infrastructure against cyber risks through the adoption of security measures that satisfy the security performance requirements identified by the Director” {§248(b)(1)}. The phrase ‘interim final regulations’ is important because it allows (but does not require) the Director to skip the requirement for publishing a notice of proposed regulation, shortening the regulation development process.

These regulations would provide for notification of owners and operators of ‘covered critical infrastructure’ of the cyber risks identified by the Director, the security performance requirements, and identified best practices to remediate or mitigate those risks. The regulations would provide for owners/operators to select appropriate security measures and/or best practices to deal with those risks and to report that selection to the Director. The regulations would also prescribe a process that the Director would use to “determine whether the proposed security measures satisfy the security performance requirements established by the Director” {§248(b)(2)(D)(ii)}.

The regulations would allow facilities to develop their own ‘best practices or security measures’ and report those to the Director. These reports would be protected only by “applicable law relating to the protection of trade secrets” {§248(b)(2)(E)(iii)}, not by the stronger protections for security measures afforded to facilities under other federal security rules such as CFATS or MTSA.

This section includes language similar to that found in the §550 authorization for the CFATS program, stating that “the Director may not disapprove under this section any proposed security measures, or combination thereof, based on the presence or absence of any particular security measure if the proposed security measures, or combination thereof, satisfy the security performance requirements established by the Director” {§248(b)(4)(C)(i)}.

As we have seen during the implementation of the CFATS process, this complicates the regulatory process, but does provide the maximum flexibility for owners/operators to design their security processes. The drafters of this legislation have attempted to decrease those potential complications by specifically allowing the Director to ‘recommend’ (but not require) specific security measures “that will satisfy the security performance requirements established by the Director” {§248(b)(4)(C)(ii)}.

International Cooperation

There is an interesting component of this section that I have never seen before. Section 248(b)(3) provides authority for the Director to inform the owners/operators of facilities outside of the United States of cyber risks to those facilities as long as the ‘disruption’ of the facility “could result in national or regional catastrophic damage in the United States” {§248(b)(3)(i)}. The awkwardly worded paragraph also allows the Director to make such a notification to the foreign government involved.

Surprisingly, this is the only portion of §248 that specifically refers to ‘information infrastructure’, so it would not apply to industrial control systems outside of the United States.
