Wednesday, February 15, 2012

Cybersecurity Act of 2012 and ICS Security

Tuesday Sen. Lieberman (I,CT) {along with co-sponsors Collins (R,ME), Rockefeller (D,WV) and Feinstein (D,CA)} introduced S 2105, the Cybersecurity Act of 2012, the long-awaited and much-anticipated comprehensive cybersecurity bill. In no surprise to anyone who has been paying attention, the bill never mentions industrial control systems or any of their components. There are provisions, however, that may have an impact on how the Federal government deals with control system security issues.

Large portions of this bill specifically deal with the security of governmental information systems, principally Federal information systems. While these efforts are certainly important in the grand scheme of things, I am going to ignore them for all intents and purposes. There are two titles of this bill that will be of specific interest to the control system security and chemical-facility security communities: Title I, Protecting Critical Infrastructure, and Title VII, Information Sharing. In this posting I will look at the Title I provisions.

To Cover or Not To Cover?

Again there is no specific mention of control systems or their components in this bill. In fact the definition of ‘cyber risk’ in the list of opening definitions would seem to specifically exclude control systems from consideration in this bill. That definition {§101(a)(1)} reads:

“The term ‘‘cyber risk’’ means any risk to information infrastructure [emphasis added], including physical or personnel risks and security vulnerabilities, that, if exploited or not mitigated, could pose a significant risk of disruption to the operation of information infrastructure [emphasis added] essential to the reliable operation of covered critical infrastructure.”

While that definition is relatively restrictive, the requirements in the next section of Title I seem to be much more expansive in what would be considered when the Secretary of DHS completes his initial cybersecurity risk assessment. That assessment, to be conducted within the first 90 days after the Act is passed (a time limit that is sure to be missed), will be “a top-level assessment of the cybersecurity threats, vulnerabilities, risks, and probability of a catastrophic incident across all critical infrastructure sectors to determine which sectors pose the greatest immediate risk” {§102(a)(1)}. The undefined term ‘catastrophic incident’ would seem to have been included specifically to address systems with effects in the physical realm, a realm much more in keeping with control systems than with information systems.

Later in the same section the bill lists those items that the Secretary is to consider in making this initial threat assessment. It specifically includes the consideration of “the extent and likelihood of death, injury, or serious adverse effects to human health and safety caused by damage or unauthorized access to critical infrastructure” {§102(a)(2)(C)(ii)}; again, a specific reference to operations in the physical realm.

Having apparently expanded the area of concern into the physical realm, the next paragraph again specifically limits this assessment to information systems. In discussing the methodologies to be employed in making the required assessment, the Secretary is specifically directed to “develop repeatable, qualitative, and quantitative methodologies for assessing information security risk [emphasis added]” {§102(c)(1)}. No other type of security risk is mentioned.

Covered Critical Infrastructure

While control systems may or may not be covered in the Secretary’s assessment of relative cybersecurity risk, there is no doubt that industries and facilities, and even specific assets within facilities, that may employ control systems will be covered by regulations called for in this bill. Section 103 of this bill requires the Secretary to establish procedures to designate ‘covered critical infrastructure’ at “the system or asset level” {§103(b)(1)(A)}, with no specific definition of ‘system or asset level’.

The Secretary is only allowed to designate a covered critical infrastructure if it falls within one of three broad categories. The categories are operationally defined, and the one of most concern to the control system community is the first: if damage or unauthorized access to that system or asset could reasonably result in the interruption of life-sustaining services sufficient to cause {§103(b)(1)(C)(i)}:

“(I) a mass casualty event that includes an extraordinary number of fatalities; or

“(II) mass evacuations with a prolonged absence;”

Again, there is some significant confusion in the wording of this section. The ‘interruption of life-sustaining services’ would seem to mean the delivery of food, water, power and medical care, for instance. The interruption of those services would hardly result in ‘an extraordinary number of fatalities’ unless they were interrupted over a very wide area for an extremely long period of time. On the other hand, damage or unauthorized access to a large chemical facility or nuclear power generation facility could clearly cause a ‘mass casualty event’ or prolonged ‘mass evacuations’.

Cyber Security Regulations

This title requires the Secretary to develop cybersecurity regulations within one year to “enhance the security of covered critical infrastructure against cyber risks [emphasis added]” {§105(a)}. Again, the term ‘cyber risks’ only applies to information systems.

In fact, the regulations would require the implementation of the ‘risk-based cybersecurity performance requirements’ outlined in §104. Actually, the only positive guidance the bill provides for these ‘performance requirements’ is found in §104(b)(1): “require owners to remediate or mitigate identified cyber risks [emphasis added] and any associated consequences identified under section 102(a) or otherwise.”

The remaining provisions governing these performance requirements are all negative or restrictive. Section 104(b)(2) does not allow the government to:

• Regulate commercial information technology products;

• Require or forbid the use of commercial information technology products; or

• Regulate the design, development, manufacturing, or attributes of commercial information technology products.

So while §102 and §103 appear to equivocate on whether or not control systems might be addressed in this bill, §104 and §105 are fairly adamant in their declaration that the systems covered are information technology systems only.

No Effective Enforcement

While it is apparent that the drafters of this bill have ignored a very important part of cyber security, there is an even bigger problem with the critical infrastructure cybersecurity provisions of this bill: there is no effective enforcement mechanism provided for the required regulations. In fact, DHS is specifically prohibited from having an effective enforcement effort.

First off, there is no funding for, or establishment of, an agency within DHS with responsibility for enforcing the required regulations. Of course, in the current funding environment any money going to a new enforcement agency would have to come out of some other agency’s already depleted budget. The crafters of this bill instead rely on a tried and failed method of regulatory enforcement: they provide for self-certification of compliance.

Section 105(c)(1)(A)(i) allows each covered critical facility owner to “certify, on an annual basis, in writing to the Secretary and the head of the Federal agency with responsibilities for regulating the security of the covered critical infrastructure whether the owner has developed and effectively implemented security measures sufficient to satisfy the risk-based security performance requirements established under section 104”.

Now, if the owner lies, or is even just mistaken, about the adequacy of their cybersecurity efforts, the bill does make provision for civil penalties for anyone who gets caught violating the regulations and “fails to remediate such violation in an appropriate timeframe” {§105(c)(1)(B)(ii)}. Since no right of inspection is provided for in the bill, the only way that anyone is going to get caught in a violation is if they fall victim to a cyber-attack serious enough to be reported to the Federal government. But that’s kind of too late, isn’t it?

No ICS Coverage

While there will almost certainly be a lot of consternation over various provisions of this bill, the one thing that is abundantly clear is that there will be no regulation of control systems under the bill. Control systems might contribute to a facility being designated a covered critical infrastructure, but all of the regulations required by Title I of the bill are solely targeted at information technology systems.

1 comment:

Ragnar Schierholz said...

Hi PJ,

I'm not sure I can follow your logic about the exclusion of control systems due to the "information technology" language.

To me, a modern control system contains a significant amount of information technology. It sure contains a lot more, but there certainly are parts of a control system which are information technology. In the IEC 62351-1 standard (Power systems management and associated information exchange - Data and communication security - Part 1: Introduction and overview), there is a nice approach to looking at this: they look at the power system infrastructure (something that I would see clearly falling under the "critical infrastructure" notion) and they identify an information infrastructure overlay over the (physical) power system infrastructure. That information infrastructure is critical to the operation of the physical infrastructure and thus the two really can't be considered in isolation. This to me is analogous to the wording from the bill you quoted: "information infrastructure essential to the reliable operation of covered critical infrastructure".

Of course, I'm reading this not with the intent to find a loop-hole allowing an ICS operator to escape the scope of this legislation, but I'm trying to read this with common sense. That may be the wrong approach to reading legislation, but it's the only one I have.

As a disclaimer: I have not read the full bill. I am not a lawyer or in other ways overly familiar with legal or legislative language. I am not an English native speaker. So, if any of that or yet other factors lead to a misunderstanding on my part, I'd be happy to receive further enlightenment.
