This is part of an ongoing in-depth review of the provisions
of S 3414, the Cybersecurity Act of 2012, that will be of interest to the
control systems community. The first post in the series was:
In today’s posting I will look at the provisions of §103
which deal with the identification of critical cyber infrastructure. This is
important as the only private sector entities that will be directly affected by
the provisions of this bill will be those so identified.
Risk Assessments
The bill requires {§102(a)(1)(A)} that an agency from within
the members of the Council be appointed to conduct high-level risk assessments
of cyber risks to critical infrastructure. There are two separate protections
provided that ensure that private sector participation in this risk assessment
process is voluntary. First, the bill states that the participation will be
voluntary {§102(a)(1)(A)}, and then it specifically states that {§102(a)(1)(B)}:
“Nothing in this subsection shall
be construed to give new authority [emphasis
added] to a Federal agency to require owners or operators to provide
information to the Federal Government.”
Clearly there is a minor conflict between the two
provisions. If the Federal Government already has authority to compel the
provision of cyber security information, then that information can presumably
be used in the conduct of risk assessments. Some sectors that are already
compelled to submit cybersecurity data include the nuclear sector and CFATS covered
facilities.
It is intended that the lead agency conduct this assessment
in a cooperative fashion with other government and private sector agencies.
Some of the private sector entities specifically listed in this cooperative
requirement are {§102(a)(2)}:
• Critical Infrastructure Partnership Advisory Council (CIPAC); and
• Information Sharing and Analysis Organizations (ISAO).
Readers are reminded that there is an influential control
systems organization within CIPAC, the Industrial Control System Joint Working
Group (ICSJWG). They will be an invaluable resource for conducting the risk
assessment of control systems.
The agency conducting the risk assessment is required to
establish a process by which “owners and operators and other relevant private
sector experts” {§102(a)(3)(A)} can provide input into this process. Given the
tight timeline required for the initial assessment (180 days), it is unlikely
that the ‘process’ will be established soon enough to allow much participation in
the initial assessment. This assessment will, however, be updated on an “ongoing
basis” {§102(a)(2)(B)}, so we would expect more input at that stage of the
process.
The completed risk assessments will be submitted to the
President, appropriate Federal agencies, and Congress. The assessment will be
submitted in both a classified and an unclassified version. Since an unclassified
version is required to be produced, it would seem to me that this bill should
also require the public publication of that version. At the
very least, CIPAC, the ISAOs and the
owners and private sector entities that participated in the development of the
risk assessment should also be included in the distribution of the unclassified
version.
Identifying Critical Cyber Infrastructure
Section 102(b) requires the establishment of procedures for
the identification of categories of critical cyber infrastructure. Again it is
clearly enumerated within this bill {§§ 102(b)(1) and 102(b)(2)(B)} that the
process will be a cooperative one involving Federal agencies, CIPAC, ISAOs,
owners and private sector entities, as well as State and local government agencies.
The definition of ‘critical cyber infrastructure’ is a
rather wide-ranging operational definition. It is defined by the consequences
that could result from damage to, or unauthorized access to, such critical
infrastructure. The bill limits coverage to infrastructure where such damage or
access could result in {§102(b)(3)(B)}:
• The interruption of life-sustaining services;
• Catastrophic economic damage to the United States; or
• The severe degradation of national security or national security capabilities.
Interestingly, most high-risk chemical facilities covered
under the CFATS program, even those where large mass casualty events could
occur, could not be designated as critical cyber infrastructure under
this definition. Water treatment plants could be covered, but chlorine producers
could not. It is questionable whether even a large petrochemical refinery could be
covered, because of the vague definition of ‘incapacitation of or sustained
disruption of a transportation system’ {§102(b)(3)(B)(ii)(III)}. Even an
electrical transmission system entity might not fall under the ‘life-sustaining
services’ description because of the lack of a ‘mass casualty or mass evacuation’
outcome {§102(b)(3)(B)(i)}.
There is another significant limitation on critical cyber
infrastructure. In order to appease people concerned that regulation of the
internet would infringe first amendment rights, the bill specifically
prohibits the identification as ‘critical cyber infrastructure’ of:
• Infrastructure based solely on activities protected by the first amendment {§102(b)(5)(A)};
• An information technology product based solely on a finding that the product is capable of, or is actually, being used in critical cyber infrastructure {§102(b)(5)(B)}; or
• A commercial item that organizes or communicates information electronically {§102(b)(5)(C)}.
Notification
The bill provides that within 10 days of an entity being identified as
critical cyber infrastructure, the Council will notify both the owner and
Congress of that determination. There is no provision in this section for
appeal of the designation by an owner, but there is a 60-day window for
Congressional action on the designation before the designation takes effect.
Under our current and foreseeable situation of Congressional stalemate, it is
unlikely that either house of Congress, much less both, could take action
during that time frame.
Incident Reporting Requirements
There is one paragraph in this section that does provide an
affirmative requirement for action to be taken by any entity designated as
critical cyber infrastructure. Section 102(b)(4) requires that:
“The Council shall establish
procedures under which each owner of critical cyber infrastructure shall report [emphasis added] significant
cyber incidents affecting critical cyber infrastructure.”
The definition of ‘significant cyber incident’ is provided
in §2(24) of the bill. It defines such an incident in terms of what happened or
could have happened as a result of the incident. Two such results are included:
• The exfiltration of data that is essential to the operation of critical cyber infrastructure; or
• The defeat of an operational control or technical control, as those terms are defined in section 708, essential to the security or operation of critical cyber infrastructure.
Nothing in this reporting requirement requires that actual
damage of the critical cyber infrastructure takes place or that any outside
entity is damaged in any way.