This is part of a continuing look at the responses that the National Institute of Standards and Technology (NIST) has received in response to its request for information (RFI) in support of the development of the Framework for Reducing Cyber Risks to Critical Infrastructure as outlined in President Obama’s Executive Order on critical infrastructure cybersecurity (EO 13636). The earlier post in the series is:
This last week there were 19 new comments left on the NIST web site (though 6 of those were essentially transmission documents, not actual comments). Six of those took the form of short answers to the list of actual questions in the RFI (One, two, three, four, five, and six). Others covered a particular topic about cybersecurity in some depth. Those topics included:
There is a lot of good information provided in the documents listed above, but there were a couple of comments that jumped out of the pages at me. The first comes from Larry Marks at IBM Security and Privacy Services and deals with the idea of requiring certification for people that have a level of access to a system that allows them to make some changes to the actual system:
“The ISC2 CISSP Common Body of Knowledge (CBK) has been carefully mapped to the DoD 8570.1 [link added] directive, which requires every full- and part-time military service member, defense contractor, civilian and foreign employee with privileged access to a DoD system, regardless of job series or occupational specialty, to obtain a commercial certification credential [link added] that has been accredited by the American National Standards Institute (ANSI).”
The second comes from Doug Stoneman at Velocity Partners and is a look at the scope and basis of the current problem:
“In a landscape of breached security and defeated encryption the typical reactive technological security infrastructure response is that more technology is the answer to threats and that one more layer of security technology will solve the security issue. It is that very nature of the reactive security industry and the focus on technology that is the scale and scope of the problem.”
Control System Security
Only two of the comments posted this week specifically deal with control system security issues. The first was from Mike Swearingen at Tri-County Electric Cooperative. His was the piece that looked at situational awareness that I listed above.
Last week I complained about the missing input from well-known names in the ICS security world. The second ICS-related comment comes from one of those names, Chris Blask, Chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC). As one would expect from Chris, this is a thoughtful and cogent response to the RFI. Interestingly, it provides more of a theoretical background to the comments made by Swearingen.
The entirety of Chris’ response is well worth reading, but perhaps his most important point is made in his opening remarks about the complexity of the ICS security problem and the limits of vulnerability reduction:
“Given realistic resources, vulnerability reduction alone cannot reduce aggregate risk to an acceptable level at any point in the foreseeable future
o “Based on the vulnerability research to date which is available in the public domain it is reasonable to assume that virtually every deployed Industrial Control System device or piece of software contains exploitable vulnerabilities
o “The trained workforce of researchers necessary to identify a majority of vulnerabilities in all deployed ICS cyber devices in a reasonable and prudent period of time for these purposes does not exist
o “The necessity to “touch” every individual control system device found throughout every critical infrastructure facility in the nation in order to apply remediation to known vulnerabilities would mandate a workforce which is not available nor will be available under the most optimistic conditions for many years
o “It is unrealistic to assume that a single remediation of each ICS cyber device would be adequate to ensure all knowable vulnerabilities have been addressed in all deployed devices”
There have been public discussions around this topic for some time now, but this is the first time I have seen such a cogent and succinct expression of the totality of the problem. Fortunately, Chris goes on to give an overview of how the use of situational awareness and information sharing can be used to overcome this problem.
In a mere 9 pages, Chris isn’t able to provide a clear blueprint for the implementation of this solution, and its scope is certainly beyond the reach of a single person or organization. Having said that, I hope that the folks at NIST responsible for developing the Cybersecurity Framework pay close attention to Chris’ remarks when they begin to look at the control system aspects of their program.