With the first day of the new Congress fast approaching, it is probably a good idea to start to look at what would make good cybersecurity legislation for protecting control systems. Let’s first start by looking at an overview of what the legislation should address. In subsequent posts I’ll try to address some of the details.
IT vs ICS
The first thing we need to do is to separate the two different types of cyber systems. Even a cursory look at the debates that scuttled effective cybersecurity legislation in the 112th Congress shows that concerns with irrelevancies like personal identity protection and freedom of speech had as much to do with stopping cybersecurity legislation as did concerns about regulatory costs. If we separate the ICS security issues from the IT security issues, many of those irrelevancies will disappear and make a serious discussion easier to have.
This is going to require a legal definition of a control system. From a legislative point of view we probably need to start out with as wide a definition as possible using other concerns to narrow down the coverage of the legislation. This would make it easier to expand coverage as new cyber-threats become more apparent.
I’ll start with the following definition:
Control System – A computer system that utilizes a combination of software, processors, memory, sensors and devices to control the operations of physical processes.
This definition is wide enough to include classic industrial control systems as well as physical security systems, transportation systems and medical systems.
While it could certainly be argued that there are legitimate reasons that the security of every control system should be protected, the Federal government does not have the resources to effectively manage the security of all control systems. At the most basic level the owner of a control system has the inherent responsibility to protect that system from outside manipulation. The only time that the Federal government has a real interest in regulating the security of control systems is when unauthorized changes to a system would have a significant impact on the larger society. The term most often used to describe such facilities is ‘critical infrastructure’.
There have been a number of different definitions used over the years since the 2001 terrorist attacks on New York and Washington to describe which portions of the infrastructure of the country were so critical to the security of the homeland that they were worthy of regulation by the Federal government. All of the legislative definitions have one thing in common: they are all rather vague and provide authority to a high-level member of the executive branch, normally the DHS Secretary, to provide a more useful definition by regulation. The reason is that the regulatory process is much more flexible than the legislative process in adapting to changing conditions.
Notice that I am changing Critical Infrastructure to Critical Control Systems, but keeping with that tradition we can use the following definition:
Critical Control System – Any control system that if disrupted could have a significant impact on the security of the United States, the economic stability of the country or its major subdivisions, or the continuing life and/or health of significant portions of the population.
The major difference between this definition and the ones used by other pieces of legislation is that it substitutes the term ‘control system’ for ‘facility’. The point of this is that it is not the entire facility that is being regulated but the control systems within the facility. Regulations will still have to establish what constitutes ‘significant impact’, ‘economic stability’ and ‘significant portions’.
There has been a great deal of discussion about which agency or organization within the Federal government should be given the responsibility for regulating cybersecurity. The arguments frequently revolve around who has the technical expertise to oversee the regulatory process. While the NSA certainly has more technical expertise in cyber-systems and their security than just about anyone else in the government, if that level of expertise is required for this regulatory program then we might as well give up now as there will not be enough qualified personnel in industry to implement the security measures.
Besides, NSA has no experience in writing regulations for industry, establishing regulatory regimes or conducting inspections. None of that is rocket science but it does require a certain set of skills and experience that would be in short supply in a technical organization like NSA.
No, the organization that has the appropriate level of technical expertise and regulatory experience is the NPPD organization at DHS. The ICS-CERT folks reside within that organization to provide the technical expertise and there is some level of experience with setting up a regulatory agency within that Directorate.
What to Regulate
I was taught in the Army a very basic principle: the infamous KISS principle, Keep It Simple, Stupid. The control system environment is too complex and too changeable to apply any other management principle to the situation. So let’s try to apply that here.
First, we need to establish a requirement to fully describe the critical control system. This would be a simple list of all of the equipment, communications and software that make up the system. This would be used by ICS-CERT to make notifications to system owners when they discover or are made aware of a vulnerability within a system.
Second, there would be a requirement to list all of the available communications modes on the system and a requirement to establish some measure of control over access to those communications. As ICS-CERT became aware of undocumented communications modes they would notify system owners so that those modes could also be protected.
Third, there would be a requirement for a personnel surety program. There could be different levels of background checks required for different levels of access to the system, with administrator-level access requiring full criminal background checks and vetting against the Terrorist Screening Database (TSDB).
Finally, owners of critical control systems need to be required to report any suspected breach of the control system, with provisions made for forensic analysis support by DHS.
Other Bells and Whistles
There are a number of other things that should be covered in this legislation, such as research programs and training and certification programs. There should be some sort of incentive program for reporting vulnerabilities to ICS-CERT and some sort of vulnerability response requirements for vendors. There should also be some sort of incentive program for vendors to improve the security of existing products and to develop products that are basically more securable.