This is part of a continuing series of blog posts about the latest DHS-IdeaScale project to open a public dialog about homeland security topics. This dialog addresses the DHS Integrated Task Force project to help advance the DHS implementation of the President’s Cybersecurity Framework outlined in EO 13636. The earlier post in this series was:
Yesterday I posted a new ‘idea’ for discussion on the DHS/IdeaScale Integrated Task Force Collaboration Community (ITFCC). This idea is actually a two parter:
• Identifying high risk control systems; and
• Registering high-risk control system with ICS-CERT to get earlier warnings of zero day vulnerabilities
High-Risk Cyber Systems
I’m going to ignore information systems here; those can be dealt with by different controls and procedures. I’m going to concentrate on control systems because it is only throught their unauthorized manipulation that a cyber-attacker can cause widespread physical damage to society. This high-consequence risk provides a legitimate societal concern with the security of such systems.
Even at a high-risk, high-consequence facility, not all control systems or even their components have an equal potential to cause catastrophic off-site consequences. It is only those portions of the cyber-systems controlling physical processes that could cause off-site catastrophic consequences that society has a legitimate interest in seeing that the systems are adequate secured. Identifying and perhaps isolating those high-consequence components will help to prioritizes where to spend the time, money and manpower to ensure that the systems are adequately secured against attack or unintentional failure. Of course, any other components of the overall cyber-system that allow for access to those critical components become critical in their own right.
A prime prerequisite of any serious cybersecurity program must be to identify these components that provide a determined attacker the capability to cause widespread physical harm via computer controlled system.
Zero-Day Vulnerability Warnings
If society has a strong interest in the prevention of attacks on high-consequence control systems, they also have a concomitant obligation to provide assistance to the owners of such systems in the protection of those systems. One such critical form of assistance is the notification of system owners when a zero-day vulnerability (ZDV) is discovered in their protected system.
There is a legitimate argument to be made that the wide spread dissemination of information about ZDVs increases the risk to cyber-systems because it is generally easier to exploit a ZDV than to mitigate one, particularly since the skill sets necessary to develop a mitigation strategy are frequently not found in-house at critical infrastructure facilities.
A targeted distribution of ZDV knowledge to high-consequence installations using the vulnerable systems avoids a certain amount of the danger associated with providing ZDV information to various adversaries. But to accomplish this the ZDV information distribution agency must know what facilities have what control system components deployed in critical installations. This requires the registration (voluntary or otherwise) of those components with an organization like ICS-CERT.
If ICS-CERT were to have this information, when they were contacted with information about an ICS ZDV they could (immediately after notifying the vendor of the vulnerability if the information comes from a researcher) notify those facilities deploying the vulnerable system in a high-consequence application. For those facilities without in-house or contract control system security capabilities, ICS could provide assistance in setting up interim security processes while waiting for the vendor to rectify the vulnerability.
A quick reminder here that the whole ITFCC program requires public participation in the suggestion, discussion, selection and implementation process. The ITFCC web site is a forum for suggesting and discussing ideas that could become parts of the process for the security of critical infrastructure cyber-systems. Failing to participate in that process makes it less likely that you will be satisfied with the products of that process; products that you may be compelled to employ.
Take a couple of minutes and look at my latest idea and the other ideas currently under discussion at the site. Provide comments where you feel appropriate; become part of the discussion. Vote up or down on all of the ideas that you feel you can or cannot live with. And more importantly, provide your own ideas on how we as a society can increase the security of the cyber-systems that are an integral part of our everyday lives.