This is part of a continuing series of blog posts about the latest DHS-IdeaScale project to open a public dialog about homeland security topics. This dialog addresses the DHS Integrated Task Force project to help advance the DHS implementation of the President’s Cybersecurity Framework outlined in EO 13636. The earlier post in this series was:
This weekend I posted my fourth ‘idea’ to the ITFCCP site (NOTE: It did not make it live to the site until this morning; the moderators appear to work government hours). Readers of this blog probably saw this one coming: I would like to see vendors ‘register’ their systems, particularly their software and firmware, with an organization like ICS-CERT. To encourage vendor participation, DHS could give them liability protection under the SAFETY Act. In turn they would agree to:
• Provide DHS with a list of third-party components of their registered systems;
• Notify DHS when they identified, or were notified of the discovery of, a zero-day vulnerability;
• Allow DHS to notify registered high-risk critical infrastructure facilities of the zero-day vulnerabilities; and
• Work with DHS to minimize the vulnerabilities of each component of their registered system.
This proposal would allow vendors to become an integral part of protecting critical infrastructure from cyber attacks.
As I have mentioned before, participating in this forum may be the easiest way for vendors, owners and researchers in the control system community to have a direct impact on the implementation of the President’s Cybersecurity Executive Order (EO 13636). So visit, read, comment, vote, and most of all suggest.