Dale Peterson, over at DigitalBond, has an interesting blog post on Monday’s Senate Homeland Security and Governmental Affairs hearing on the President’s recently released proposal for cyber security legislation. I still haven’t had a chance to view the entire hearing, but I certainly echo his recommendation to view the part of the hearing starting at about minute 99 of the recording. This provides an interesting conversation about the ‘critical infrastructure’ provisions of the bill.
I remain convinced that the vast majority of industrial control systems in the United States will not be covered by the proposed legislative language, and I heard nothing in the discussion that would indicate otherwise. The main exception to that would be electrical utilities; they were mentioned a number of times. Even for utilities, however, the coverage would appear to be relatively sparse. Interestingly, I heard no mention of chemical facilities as an area of potential concern, a very unusual oversight.
Having said that, even the relatively light coverage of the legislation could have a serious impact on ICS security in all industries. Making the cyber security status of a company public knowledge provides a great incentive for a proactive security program and opens up the whole topic for wider public discussion. Just look at how effective the environmental program in this country is. (I’m sorry, sarcasm just comes too easy.)
Vendor Responsibilities Ignored
One major security issue that is not discussed in the legislative proposal at all is the topic of vendor responsibility for providing vulnerability-free systems. Now I know enough programming to know that writing error-free code is nearly impossible, but provisions need to be made for identifying and correcting vulnerabilities in complex control software. ICS-CERT is managing this now (without any legal mandate or authority), and no one is satisfied with how they are doing. This part of the problem needs serious legal attention.
There is another aspect of this that everyone is tending to gloss over, and that is enforcement. For the most part, critical infrastructure ‘entities’ will certify to the SEC or DHS that they have acceptable plans in place and that those plans are being properly implemented. There will be technical reviews of the plans by outside certified organizations. For the IT-style plans, there are probably enough people out there with adequate credentials to set up such organizations. I’m not so sure how this will work for industrial control systems.
It seems to me that there are too few people with an understanding of industrial control systems and their security to go around as it is. You could double the size of ICS-CERT and it would still be shorthanded. Industry, if this passes, is going to be looking for people to take care of their in-house planning and implementation processes. Consulting-type cyber security firms should see their business increase servicing businesses that aren’t big/rich enough to have dedicated ICS security staffs.
Where are the experts going to come from that will do the plan reviews/certifications? And who is going to establish the standards for those reviews, the training of the reviewers, and certify the reviewing organizations?
While the politicians closed the hearing pledging fast action on the proposal, the disheartening fact is that this was the first of five congressional appearances scheduled for this panel from the administration. Too many folks have their political fingers in the cybersecurity pie for this to move quickly by any human standards.