Dale Peterson of DigitalBond repute (high repute in my mind, but Dale does have his detractors) left a comment on today’s post about the ICS-CERT Monthly Report. As is usual when he comments here, he has a very interesting point made in few words. He notes (among other things) that:
“The on-site assessments, like the training, violate national labs rules. INL is not allowed to compete with industry, but continues to do so. In fact they are stepping up their competitive offerings. Maybe it is sour grapes as a competitor, but free and promoted by DHS are two awfully big competitive advantages.”
My initial knee-jerk reaction is ‘Come on now, there has to be more business than Dale and his not too numerous competitors can handle.’ After all, there are way more ICS systems deployed than all of the researchers (blackhat and whitehat alike) could ever get to in a reasonable amount of time. A little more thought, however, makes it clear that this is a specious argument at best; not every ICS owner is going to get his system evaluated for security problems. The reason is that there have been so few attacks to date (dare someone to name off six deliberate hacks of an operating control system in the wild) that most owners still don’t believe (and many with good reason) that they will ever be the subject of a real attack.
Still, even with the limited number of owners actually caring enough to get their systems evaluated, there should be enough work for Dale and his for-profit compatriots and still leave enough for ICS-CERT to give away system reviews. But that will still contribute to fixing the continuing problem of not enough ICS security researchers/fixers. We need lots of competition to convince young’uns to take the hard courses in school to be able to fill the needed slots in government and private industry to deal with the security of control systems. There aren’t many that will do the hard work just to work for the guvmint. They might be more interested if they made the big money like Dale and got to travel the world. So let’s keep ICS-CERT from competing with industry.
On the other hand…
I really do want the folks at ICS-CERT frequently getting out into the real world and seeing what kinds of screwed up ICS systems are actually deployed. It isn’t a Siemens/ABB/Schneider world out here. Actually it isn’t an anything world out here, it’s an everything world; all sorts of bits and pieces of multigenerational hardware and software cobbled together in a ‘whatever it takes as long as it doesn’t cost too much’ world. The smaller and older the operation the more cobbled it is.
Okay, let’s have the ICS-CERT guys start to work with the other parts of DHS that deal with private sector security issues like CFATS, MTSA, TSA, whatever. Let’s have them do control system security evaluations for entities that are regulated under these programs as part of the regulation process. These agencies don’t have the ICS security expertise to handle this job in the first place, so they need the help. That’s an inherently governmental function, not one that takes work away from the private sector. And it would give the ICS-CERT people the hands-on experience with the various lash-ups found in the real world. And maybe they can train the other security inspectors in some basics of control system security.
BTW: Full Disclosure – I have written some blog posts for Dale on cybersecurity legislation from time to time.