Yesterday the Homeland Security Subcommittee of the House Appropriations Committee held an oversight hearing looking at ‘Cybersecurity and Critical Infrastructure’. The hearing was closed to the public because intelligence information was going to be discussed at the Top Secret/SCI level. We do, however, have access to the opening statement from Under Secretary Beers.
Beers testified on the broadest application of the title of the hearing and took some time to address the CFATS program. He took some time to update the Subcommittee on the improvements made to the CFATS program. This is not unreasonable since the Subcommittee wanted to reduce the CFATS funding by half last year because, at least in part, of the problems the program was having with their site security plan authorization program.
Beers provided an interesting tidbit of information yesterday that was overlooked in the CFATS hearing last week. According to yesterday’s written testimony noted that as of March 5th, “397 ASPs [Alternative Security Plan] have been submitted in lieu of SSPs” (pg 6). These were almost certainly submitted using the American Chemistry Council’s (ACC) ASP format. He made these comments about the importance of the development of ASPs:
“Additionally, DHS has been in discussion with other industry stakeholders, including the Agricultural Retailers Association and the Society of Chemical Manufacturers Affiliates, about developing templates specific to their members. DHS has also been engaging industry partners on the development of “corporate” ASPs. For industry partners that own several regulated facilities, the corporation can develop a single ASP template, which can be easily leveraged by all of its facilities. ASPs submitted by facilities using an industry-developed or proprietary template would be reviewed under the same standards that ICSD currently reviews SSPs. The potential for these ASPs to serve as a force multiplier is tremendous as DHS continues to authorize and approve SSPs and ASPs.”
Unfortunately, in a hearing that was predominantly supposed to be about cybersecurity, Beers made no comments about that topic in his discussion of the CFATS program. This is especially surprising and disappointing in light of the comments and questions he heard from his congressional questioners at last week’s hearing.
Control System Security
The written testimony provided yesterday has a pretty good discussion of control system security for coming from someone outside of the ICS security community. There was nothing new presented, but the fact that ICS security received this much separate attention was encouraging.
While the cybersecurity executive order was mentioned early on in the testimony it was probably the least informative aspect of the testimony. We have plenty of catch phrases like “encourage enhanced security and resiliency” and “enhanced information sharing programs”, but there was no substance mentioned.
Beers was obviously proud of the fact that “DHS has already formed a task force to coordinate implementation of PPD-21 and EO 13636” (pg 2), but that is hardly an accomplishment since the Administration had been working on the EO since last summer and early drafts that had been circulated show little difference from what we got last month. But, then again, Beers has always been proud of mediocre performance and missed time limits at NPPD.
The meat of the hearing yesterday was going to be the intelligence information that supported the cyber-threat analysis. We are unlikely to hear anything directly about that intel any time soon. I would like to think that DHS had the capability to sanitize the intelligence reports to the extent that they could provide a report to industry of at least the same level of detail as the recent Mandiant report on Chinese involvement in cyber espionage.
I’m not going to hold my breath about that happening any time soon, but if I were a CEO of a chemical company that had multiple high-risk chemical facilities, I would like to hear the following information from DHS in general and ISCD in particular:
• Have any chemical facilities had their computer systems hacked by the Chinese (or Iranians, or North Korean, let’s make it easy a new cyber-intel acronym ‘CINK’)?
• If so, were any control systems breached by CINK hackers?
• Is there any indication that information about control systems was accessed by CINK hackers?
• Is there any indication that there were attempts made by CINK hackers to establish backdoors into corporate or control system networks?
• What indications are available for determining if a corporate network or control system has been hacked by the CINK hackers?
I doubt that we will ever see official public-responses to questions such as these, but hopefully this type of information is being provided to corporate leaders and security personnel. If not, then DHS needs to pack up its tent and steal away quietly into the night in disgrace. If they can’t provide this type of information to critical infrastructure owners then they are about useless and the President’s cybersecurity order is just a pretty piece of paper.