There was a very nice comment from hdk posted to my post from earlier today about the DHS water facility inspection. It’s a lengthy and detailed alternative explanation that makes more sense than the newspaper account; it describes a little known DHS program, the Protective Security Advisor program in NPPD.
Protective Security Advisors
The PSA program is another undermanned and underfunded program that receives little attention. I’ve briefly mentioned them twice here in this blog (April 2010 and December 2010), but they don’t receive much press (which is probably a good thing given the way government agencies usually get noticed).
The comment by hdk notes that PSA’s routinely work with water treatment facilities in their area of operations, doing vulnerability assessments, information sharing and just plain establishing contacts with operators.
A facility of this size is probably not one that the regional PSA team would initiate contact with, but if the facility had requested a vulnerability assessment, it almost certainly would have been worked into the schedule. While this facility hardly counts as critical infrastructure on the national scale, it is certainly important to their local community. If the regional PSA team could find the time to do the review, it was a good thing for the facility, the region and DHS.
There is only one thing that hdk points out that I take objection to. First off it is obvious that hdk knows a lot more about the PSA program than I do (not that hard, but I suspect that hdk is directly associated with the program). So I believe him when hdk says:
“While your comment on the size of the Athens facility would place it below the radar of DHS, it's not outside of the realm of possibility that the PSA may have offered up ICS CERT monitoring capabilities.”
ICS-CERT is even smaller than the PSA program and their expertise is even in shorter supply than the general security knowledge of the PSA team. Having them babysit a new control system implementation to verify that it is working properly is a misapplication of that resource. If there had been an attack on the system it would be a valuable deployment of ICS-CERT resources as it could be a potential trial run of later attacks on larger systems. But to just sit and watch a system to ensure that it is secure, no that would be a gross misuse of a scarce and valuable resource.
I’m not even sure that having a PSA member monitoring this deployment would be a legitimate use of limited resources. There could, of course, be some political reason why such a move might be an appropriate expenditure of time and personnel for the PSA Regional Commander.
Of course hdk doesn’t actually say that ICS-CERT did (or more appropriately will) take part in this cyber-system evaluation. It is much more likely, in my mind, that it would be a PSA follow-up operation.
DHS vs EPA and Water Systems
One final point; if the PSA teams from DHS are making it a routine point to help water systems with their security assessments it is only because the EPA water facility security program, as mandated by Congress, is a completely ineffective security program. That isn’t really the EPA’s fault; Congress made EPA responsible for the security program but did not give them any real authority to enforce any security measures.
That DHS has an underfunded program that is able to step up and actually help small water systems evaluate their security programs and make suggestions for improving that security is sufficient reason, in my mind, to encourage Congress to make the security of water treatment systems part of the responsibility of NPPD and DHS instead of the EPA. DHS has got to be more effective.