A reader, Ragnar Schierholz, posted an interesting comment to today’s post about S 2150. He wondered if my detailed language analysis was really necessary to understand the intent of this bill. And he made a very good point that any truly serious control system relies on a certain amount of information infrastructure to be effective. In short, his entire comment is thoughtful and well worth reading.
That being said, I still stand by my comments that, as currently written, the bill does not cover industrial control system security. A point that I did not make clearly in my earlier post was that many facilities, and even whole industries, will be covered by this legislation due to their potential physical effects on the surrounding community. Unfortunately, it will be their IT systems, not their control systems, that will have to be protected.
Unnecessary Cost Avoidance
The reason that language is important is that many (probably most) industrial control system owners still do not really believe that their systems are vulnerable to cyber-attack. Thus, in their view, any substantial amount of money that they would have to spend to comply with this regulation would be money wasted. In the current economic environment, sending money down a regulatory hole without expectation of a positive return appears to be a sure route to economic suicide.
Even in good economic times, the cost of setting up the necessary protocols to document compliance with a brand new Federal regulatory scheme can be high enough to have a negative impact on growth. This is especially true when the regulations will not be allowed to specify how compliance is to be achieved; the learning curve for both the regulators and the regulated community is quite steep.
Given that, companies will find any legitimate way they can to avoid being covered by the regulations. One of the easiest ways is to object that the regulatory agency is overstepping its legislative mandate. In this particular case, since control systems are never specifically mentioned in the bill and the language that might indicate an unstated intention to regulate control systems is so wishy-washy, it will not be hard to convince either the folks at OMB or a federal judge that DHS has no legal justification to regulate the security of privately owned control systems.
Supposed to Cover Control Systems
Now, I am hearing that the crafters of this bill really did intend to include industrial control systems in the covered critical infrastructure requirements of this bill. Basically, I think that would probably be a good thing, though I do have some minor reservations that I’ll discuss in a later blog post.
If I were to revise the current language so that it unequivocally addressed control systems in covered critical infrastructure, I would probably make three basic changes. First, I would rewrite the definition of ‘cyber risk’ in §101(a)(1) to include risk to industrial control systems (and I would take out the second reference to ‘information infrastructure’).
Second, I would make a change to §102(a)(2)(C) in sub-paragraphs (ii), (iii), and (iv). In each instance I would change ‘access to critical infrastructure’ to read ‘access to critical infrastructure industrial control systems’.
Finally, I would modify the language in §103(b)(1)(C) outlining the guidelines for designating critical infrastructure. I would combine §103(b)(1)(C)(i) and §103(b)(1)(C)(i)(II) into a single comment. Then I would promote §103(b)(1)(C)(i)(I) to §103(b)(1)(C)(ii) and add ‘, or serious injuries’ after the word ‘fatalities’.
Those three minor changes should suffice to make it abundantly clear that the bill would authorize the Secretary to develop regulations concerning the security of control systems in covered critical infrastructure.