Thursday, May 19, 2011

More President’s Cyber Security Legislation

Okay, I finally got around to reading the President’s proposed language for cyber security legislation. While there is nothing in the proposal that specifically addresses control system security measures, there are enough ambiguities in the proposed language that regulations developed under these provisions could be used to regulate control system security.

No ‘Stuxnet’ Coverage

A couple of security researchers have taken exception to the wording of the change to §1030A of 18 USC that describes what would be included in the offense, ‘Aggravated Damage to a Critical Infrastructure Computer’. They note that the wording of §1030A(a)(1)(A) would limit that offense to actions that resulted in the substantial impairment “of the operation of the critical infrastructure computer”. They note that attacks like Stuxnet do not actually target these computers but the linked control devices. They then reason that a Stuxnet-like attack would not fall under the definition of this offense.

Someone with a control systems background would certainly have included a listing of specific control system devices in this definition. The problem with that approach is that, whenever a new class of control devices is developed, a change in legislation would be required to bring it within the definition of ‘Aggravated Damage’.

The crafters of this document took a different approach. In §1030A(a)(1)(B) the offense also includes the impairment “of the critical infrastructure associated with such computer”. This should address the concern about whether or not a Stuxnet-type attack would fall under this offense.

Critical Infrastructure Cyber Security Regulations

One area of this proposed legislation that could allow for the regulation of some industrial control systems can be found on page 20 in the addition of Subtitle E to Title II of the Homeland Security Act of 2002. The coverage by this section of control systems rests on a broad definition of ‘critical information infrastructure’ found in §242(5) that includes any “physical or virtual information system that controls, processes, transmits, receives or stores electronic information in any form including data, voice or video” if it is “vital to the functioning of critical infrastructure” {§242(5)(A)}.

An argument could certainly be made that any computer is an ‘information system’ and that ‘electronic information’ is used to control physical processes that are vital to the functioning of critical infrastructure. If I were writing the supporting regulations, I would use this interpretation to establish ICS security regulations. I doubt, however, that DHS will take that approach. They are going to have enough problems dealing with the regulation of information systems without taking on the additional problems involved in control system security regulation.

ICS Regulation

For argument’s sake, let’s assume that I am wrong about the DHS interest in regulating control systems in critical infrastructure. With that assumption made, what effect might this proposed regulatory language have on industrial control system security?

Information protection: Section 245 provides that any cyber security information voluntarily provided to DHS will be protected against disclosure under the Freedom of Information Act. This is significantly less protection against disclosure than that provided by other security programs like CFATS (CVI) or MTSA (SSI). The wording would not provide protection from disclosure of any information required to be submitted to DHS by subsequent regulations. Section 246 weakens that protection further by prohibiting prosecution of non-Federal government employees for disclosure of the information voluntarily provided to DHS. There is no provision for protecting sensitive business information. Personal information is provided significant protections.

Response to cyber incident: Section 249 provides the Secretary of DHS with the authority to order a wide range of response actions, but grants that authority only with respect to Federal information systems. There is no mention in this section of authority to order private sector entities to do anything.

Covered Critical Infrastructure

Starting on page 32 we see another piece of legislative language, the “Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act”, that could affect industrial control system security. Section 3 of this language would require the DHS Secretary to write regulations to designate ‘covered critical infrastructure’. There are a number of restrictions on this authority constraining what can be designated. The two main ones are that:

● A successful attack could result in “a debilitating impact on national security, national economic security, national public health or safety; and” {§3(b)(1)(A)}

● The designated entity “is dependent upon information infrastructure to operate” {§3(b)(1)(A)}.

For high-risk chemical facilities, the failure to modify the word ‘safety’ by preceding it with ‘national’ may allow an aggressive DHS to include CFATS facilities under any regulations developed under this section. This is not significantly impacted by the second requirement, as the term ‘information infrastructure’ is not specifically defined in this ‘act’. This means that the presence of an industrial control system could be argued to be, de facto, part of an information infrastructure.

Again, I doubt that DHS would expansively interpret this rule to cover high-risk chemical facilities, but pipelines and elements of the electrical grid would certainly fall under the descriptions in this section.

Covered Infrastructure Requirements

Section 4 of this ‘act’ would require the Secretary to establish a ‘process’ to determine which cyber security risks would have to be ‘mitigated’. A list of ‘covered’ risks would be published and periodically updated. The Secretary would also be required to ‘consult’ with standards setting organizations and ‘private sector representatives’ to determine an appropriate ‘framework’ to enhance security practices.

Taking a page from the CFATS authorization this legislative language would maintain that such frameworks “shall not require the use of a particular measure, but shall leave the choice of particular measures to an entity to which the framework applies” {§4(b)(5)}. This has worked out so well for CFATS (SARCASM Alert) that we might as well try it on cyber security as well.

Covered critical infrastructure organizations (and it is not clear at what level: corporate, business group, or individual facility) will be required to develop a ‘cybersecurity plan’ based on one of those ‘applicable frameworks’ I discussed above. The plan would have to be signed by someone of authority in the organization.

Annual certification of the existence of an updated plan would have to be made to the SEC (or DHS if privately held) and a ‘high-level summary’ would have to be publicly disclosed. Detailed ‘security and vulnerability-related information’ would be protected against disclosure under the Freedom of Information Act.

The DHS Secretary is given limited authority to enforce regulations under this ‘act’. Specifically the Secretary shall not “issue a shutdown order, require use of a particular measure, or impose fines, civil penalties, or monetary liabilities on the owner or operator of the covered critical infrastructure” {§8(a)(1)(C)}. With no teeth to this regulation some companies will comply, others won’t, and most will fall somewhere in the middle.

Finally, the Secretary, in consultation with the Director of the OMB, may exempt individual critical infrastructure, in whole or part, from provisions of this ‘act’, if “Secretary determines that a sector-specific regulatory agency has sufficient specific requirements in place to effectively mitigate identified cybersecurity risks.”

Missing from Proposal

There is nothing in this proposal that identifies any kind of vendor responsibility for providing secure software, firmware or hardware to critical infrastructure or the government. Neither is there any mention of dealing with reports of vulnerabilities in such ‘ware by independent security researchers. Nor are there any provisions to protect whistleblowers in either the private or public sector from retaliation for reporting cybersecurity problems.

The biggest problem, other than the failure to specifically and unequivocally address control system security, is the lack of protection provided to security information and protected business information in the system.

Oh well, it is a step forward in the discussion, and there is certainly a level of detail missing from previous recommendations made by the administration. Lots of work will need to be done before this sees the first committee vote, much less gets to the floor of the House or Senate.
