Monday, July 23, 2012

Analysis of S 3414 – Critical Cyber Infrastructure


This is part of an ongoing in-depth review of the provisions of S 3414, the Cybersecurity Act of 2012, that will be of interest to the control systems community. The first post in the series was:


In today’s posting I will look at the provisions of §103 which deal with the identification of critical cyber infrastructure. This is important as the only private sector entities that will be directly affected by the provisions of this bill will be those so identified.

Risk Assessments


The bill requires {§102(a)(1)(A)} that an agency from within the members of the Council be appointed to conduct high-level risk assessments of cyber risks to critical infrastructure. There are two separate protections provided that ensures that private sector participation in this risk assessment process is voluntary. First the bill states that the participation will be voluntary {§102(a)(1)(A)} and then it specifically states that {§102(a)(1)(B)}:

“Nothing in this subsection shall be construed to give new authority [emphasis added] to a Federal agency to require owners or operators to provide information to the Federal Government.”

Clearly there is a minor conflict between the two provisions. If the Federal Government already has authority to compel the provision of cyber security information, then that information can presumably be used in the conduct of risk assessments. Some sectors that are already compelled to submit cybersecurity data include the nuclear sector and CFATS covered facilities.

It is intended that the lead agency conduct this assessment in a cooperative fashion with other government and private sector agencies. Some of the private sector entities specifically listed in this cooperative requirement are {§102(a)(2)}:

• Critical Infrastructure Partnership Advisory Council (CIPAC); and

• Information Sharing and Analysis Organizations (ISAO)

Readers are reminded that there is an influential control systems organization within CIPAC, the Industrial Control System Joint Working Group (ICSJWG). They will be an invaluable resource for conducting the risk assessment of control systems.

The agency conducting the risk assessment is required to establish a process by which “owners and operators and other relevant private sector experts” {§102(a)(3)(A)} can provide input into this process. Given the tight timeline required for the initial assessment (180 days), it is unlikely that the ‘process’ will be established soon enough for much participation in the initial assessment, but this assessment will be updated on an “ongoing basis” {§102(a)(2)(B)} so we would expect more input at that stage of the process.

The completed risk assessments will be submitted to the President, appropriate Federal agencies, and Congress. The assessment will be submitted in both a classified and unclassified version. Since an unclassified version is being required to be produced, it would seem to me that requiring the public publication of that version should be required in this bill. At the very least  CIPAC, the ISAOs and the owners and private sector entities that participated in the development of the risk assessment should also be included in the distribution of the unclassified version.

Identifying Critical Cyber Infrastructure


Section 102(b) requires the establishment of procedures for the identification of categories of critical cyber infrastructure. Again it is clearly enumerated within this bill {§§ 102(b)(1) and 102(b)(2)(B)} that the process will be a cooperative one involving Federal agencies, CIPAC, ISAOs, owners, private sector entities as well as State and local government agencies.

The definition of ‘critical cyber infrastructure’ is a rather wide ranging operational definition. It is defined by the resulting damage that can be done by damage to or unauthorized access to such critical infrastructure. The bill limits coverage to infrastructure which could result in {§102(b)(3)(B)}:

• The interruption of life-sustaining services;

• Catastrophic economic damage to the United States; or

• The severe degradation of national security or national security capabilities.

Interestingly, most high-risk chemical facilities covered under the CFATS program, even those where large mass casualty events could occur, would not be able to be designated as critical cyber infrastructure under this definition. Water treatment plants could be covered, but chlorine producers could not. It is questionable if even a large petrochemical refinery could be covered because of the vague definition of ‘incapacitation of or sustained disruption of a transportation system’ {§102(b)(3)(B)(ii)(III)}. Even an electrical transmission system entity might not fall under the ‘life-sustaining services’ description because of a lack of ‘a mass casualty or mass evacuation’ outcome {§102(b)(3)(B)(i)}.

There is another significant limitation of critical cyber infrastructure. In order to appease people concerned with the regulation of the internet as an infringement of first amendment rights, the bill specifically prohibits identification of an entity as ‘critical cyber infrastructure’:

• Infrastructure based solely on activities protected by the first amendment {§102(b)(5)(A)};

• An information technology product based solely on a finding that the product is capable of, or is actually, being used in critical cyber infrastructure {§102(b)(5)(B)}; or

• A commercial item that organizes or communicates information electronically {§102(b)(5)(C)}.

Notification


The bill provides that within 10 days of the determination of an entity being identified as critical cyber infrastructure the Council will notify both the owner and Congress of that determination. There is no provision in this section for appeal by an owner of the designation, but there is 60-day window for Congressional action on the designation before the designation takes effect. Under our current and foreseeable situation of Congressional stalemate, it is unlikely that either house of Congress much less both, could take action during that time frame.

Incident Reporting Requirements


There is one paragraph in this section that does provide an affirmative requirement for action to be taken by any entity designated as critical cyber infrastructure. Section 102(b)(4) requires that:

“The Council shall establish procedures under which each owner of critical cyber infrastructure shall report [emphasis added] significant cyber incidents affecting critical cyber infrastructure.”

The definition of ‘significant cyber incident’ is provided in §2(24) of the bill. It defines such an incident in terms of what happened or could have happened as a result of the incident. Two such results are included:

• The exfiltration of data that is essential to the operation of critical cyber infrastructure; or

• The defeat of an operational control or technical control, as those terms are defined in section 708, essential to the security or operation of critical cyber infrastructure.

Nothing in this reporting requirement requires that actual damage of the critical cyber infrastructure takes place or that any outside entity is damaged in any way.

No comments:

 
/* Use this with templates/template-twocol.html */