Thursday, July 28, 2011

ICS Security Posture

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an interesting announcement on their web page concerning an upcoming project being coordinated by the Industrial Control Systems Joint Working Group (ICSJWG). According to this announcement, this project will be a ‘focused effort’ to produce a ‘cross-vendor position paper’ that “discusses the current security challenges and a path forward for a more effective industrywide approach to ICS security”.

With more and more security vulnerabilities being identified in industrial control system software, it is becoming clear to anyone who is watching that there are significant shortcomings in the industry’s security posture. It is only a matter of time before someone (a terrorist, a disgruntled ex-employee, a criminal organization, or even a foreign power) takes advantage of one or more of these vulnerabilities to attack an industrial control system in the United States with ‘catastrophic consequences’ (I’m sorry; it is just too nice a phrase. I’ll try to come up with another in the near future).

It is also clear that there is no magic bullet that is going to cure the problem overnight. The responsibility for the current situation is the product of too many variables to enumerate, and everyone in the business, vendors and users alike, shares a fair measure of the blame for getting here.

It is also clear that the politicians have no clue about the extent of the problem and are focused on the (admittedly) larger cyber security issues of the protection of privacy, financial transactions, and intellectual property.

So, the idea of various members of the community getting together to take an organized look at the problem and come up with suggestions for its resolution is a good one. The ICSJWG is probably as good a venue for this as any. It already has a very open structure in place that can accommodate an evolving level of participation. And most of the major players already have links established to this group.

I’m not sure how detailed a proposal can come out of this group (or any group attempting this type of dialogue) because of rules concerning business competition, collusion and market manipulation. But anything that gets a positive dialogue started will be of benefit to the control system community and the country as a whole.

One warning, however: the ‘Green’ community has already targeted the Critical Infrastructure Partnership Advisory Council (CIPAC; the actual parent organization for ICSJWG) as an industry lobbying organization with undue influence on DHS. While this is an exaggerated accusation (in my opinion), it is a very real problem that must be dealt with. Unless ICSJWG takes pains to ensure that this discussion is open and inclusive, the political response to the final product will be colored by these types of accusations.

The ICS-CERT announcement invites interested parties to contact them at ics-cert@dhs.gov. They stress that this includes all “ICS vendors, standards bodies, and ICS partners”. With ‘ICS partners’ obviously including owners and operators, I would like to encourage the participation of organizations like SOCMA, ACC and NPRA (to name just a few) that represent many of those owners and operators. And let’s not forget the security researcher (black, white and gray hat) community; they should be participating as well.
