For those that don’t follow me on Twitter® (@pjcoyle) there were some interesting conversations and pointings at some interesting articles; including (see links at my tag):
@pjcoyle @PatrickCMiller1 Five Protocols That Should Be Closely Watched (Dark Reading) http://j.mp/1c5EZGY
@pjcoyle @EmeregncyMgmt The enemy of my enemy is my friend - http://tinyurl.com/qczgl7g - Middle East Law
@pjcoyle @PatrickCMiller Good thing no one in ICS is still using Windows XP or reads PDF files (SARCASM)
@pjcoyle @MichaelSlawski Unintended consequences? What could go wrong? Perfect physical security, of course
@pjcoyle @ICS_SCADA Why detect? All that's needed (grin) is a properly grounded Faraday Cage around all electronics.
@pjcoyle @PatrickCMiller Cute phase at end "stopping the attackers before their electrons reach our shore" Would that it were that easy.
NPPD Publishes S&T R&D Questions
On Thursday the DHS National Protection and Programs Directorate published a notice in the Federal Register (78 FR 73202-73203) seeking public input on the development of a DHS S&T National Critical Infrastructure Security and Resilience Research and Development Plan (NCISR R&D Plan). It is kind of odd that NPPD is asking for input for an S&T R&D plan but I guess since they have the lead on CI protection is makes some sort of bureaucratic sense.
The list of potential topics to be covered is kind of lengthy and obviously intends to touch all bases; probably too many bases to be effective. It is good to see that they have included “Cyber-Physical Systems” but there is nothing specifically about chemical security.
NPPD is seeking public input including answers to three specific questions. They have given an unusually short time frame for this response (January 6th, 2014), which is particularly bad given the holiday season, so I don’t expect that they’ll get much feedback. Comments may be submitted via the Federal eRulemaking portal (www.Regulations.gov; Docket # DHS-2013-0074).
Symantec had an brief, but interesting note about a Linux worm that might have an effect on control systems. It seems that there are a number of imbedded devices and periperials that use the Linux operating system that may be vulnerable to attack by the Linux Darlloz worm. This type of attack may then give attackers access to linked systems. Nothing yet from ICS-CERT. Symantec does provide a nice list security mitigation steps.
Markey the Cybersecurity Senator
It looks like Sen. Markey (D,MA) is trying to carve out cybersecurity as one of his particular areas of legislative interest. He sent letters to all of the major car manufacturers asking pointed questions about cybersecurity issues with the on-board computer systems in their vehicles. While control system security questions were included, it seems that the largest focus of his interest is with the privacy aspects of the potential problem. I expect that we might hear something about a hearing next year.
The President’s Council of Advisors on Science and Technology (PCAST) published a report last month that I just noticed on strengthening cybersecurity. It outlines some things that the Administration might be able to accomplish without additional legislation. It makes two very interesting general observations:
• The Federal Government rarely follows accepted best practices. It needs to lead by example and accelerate its efforts to make routine cyberattacks more difficult by implementing best practices for its own systems.
• Many private-sector entities come under some form of Federal regulation for reasons not directly related to national security. In many such cases there is opportunity, fully consistent with the intent of the existing enabling legislation, for promoting and achieving best practices in cybersecurity.
Since this is just advisors talking possible strategies, I’m not holding my breath waiting to see anything concrete come out of this. This Administration is long on ideas and short on execution.