I posted the following response on the Unfettered Blog site; last I saw it was awaiting moderation so it may not be up yet.
“Actually Joe, the post you quoted was one that I posted on Digital Bond's SCADA Security blog. While Larry Clinton may not know squat about ICS security (and to be fair his comments were not about ICS security) he made some very interesting points about what types of ‘entities’ would be covered by the President’s proposed legislation. I certainly don’t agree with all of his points, as readers of my blog are aware (see Monday’s post), but the points that he does make need to be discussed before they get incorporated in legislative language that ends up making ICS security even more difficult.
“I certainly agree that the ICS community needs to speak for itself in this matter (and I hope my blog posts on this topic are helping to generate that discussion) but we do need to know what others are saying about cyber security issues that will certainly directly affect what we do or have done to us.”
Expanded Discussion
The issue is important enough that I think it deserves more than just the response I provided on the Control Global site.
First, everyone needs to understand that the President’s proposals (the critical infrastructure proposal, pages 31-37 of the 52-page document, is just one of a series outlined by the Administration in that single document) do not directly address industrial control system security. They do provide for the establishment of regulations that would address cybersecurity requirements for critical infrastructure. ICS security would be a small but important sub-set of the cybersecurity that could be addressed in those regulations.
The very important issue that Mr. Clinton addressed was how DHS would determine which private sector entities would be regulated and which would not. This is an important part of the proposal: systems are not regulated, ‘entities’ are. So if a regulated entity has industrial control systems, its cybersecurity plan would have to address the security issues associated with its ICS. Likewise, no matter how ‘critical’ a control system is or how vulnerable it is, if it is not owned by a regulated entity then DHS would have no say in the security of that system.
So this is yet another issue that the ICS community, the IT community and the corporate security community are all going to have to get together to adequately address. If we have to listen to an IT type explain the overall issue, so be it. Where our issues are different, we need to speak up. But we should still listen.