Thursday, January 15, 2015

HR 54 Requires Hacker Support

When I reviewed HR 54, the Frank Lautenberg Memorial Secure Chemical Facilities Act, I did not go into any great detail because the bill is dead in the water. I saw a TWEET yesterday from @5ean5ullivan that made me go back and look at one section much more closely. It seems that Rep. Jackson-Lee (D,TX) wants covered chemical facilities to employ hackers to checkout their cybersecurity.

Cybersecurity Requirements

Section 2111(b)(6) requires: “the conduct of tests of facilities should include blue hat, red hat, and white hat hackers to validate the security measures instituted to address cyber based threats”.

Interestingly this requirement does not come in the portion of the legislation that discusses site security plans or risk-based performance standards for security measures. Instead it is found in the section of the bill that deals with Methods to Reduce the Consequences of a Terrorist Attack, commonly referred to inherently safer technology (IST).

In the discussion of the required assessment of IST measures the §2111(b) describes the various things that a facility must look at in conducting their assessment. In an apparent after thought (and certainly never included in earlier versions of Democrat bills on chemical security) are two sub-paragraphs dealing with cybersecurity issues.

The first requires: the design of computing systems and development of plans, exercises, and drills to re-engage computing systems used in the processing, transport, storage of chemicals that are designed [should be ‘designated’] as a ‘‘risk’’ by the Secretary using protocols for trusted recovery under the worse case [worst case?] conditions” {§2111(b)(5)}.

This certainly sounds like a reasonable requirement, but it probably should have been included in §2103(d)(8) the discussion of deterring cyber sabotage in the risk based performance criteria that would be required by this bill.

The requirements to use hackers described above is also out of place in the discussion of IST requirements. I am not so sure, however, that this was intended to be part of the planning requirements for facility security plans. It actually looks like it should have been included in §2104, Site Inspections. If that were the case it would call for DHS to use hackers to evaluate the cybersecurity protections that are part of the site security plan. That would be a radically new type of cybersecurity requirement that I have not seen suggested in any other regulatory program.

Problems with Hacker Requirement

Now I understand how this might sound like a good idea to some congress critter. This would seem to be the only way to verify that proper protective actions have been taken. But as a practical matter, this will cause more problems than it could possible solve. Before we get into any of the technical reasons why this is not a good idea we only need to look at the lack of personnel available to be able to do this type of hack. There are probably not 100 people world-wide familiar enough with control systems to conduct such an evaluation and I would venture to guess that none of them are familiar enough with all of the different types of control systems and components to be able to do a complete evaluation.

Secondly, as many recent presentations have pointed out (see my post here and upcoming posts on from S4x15) have pointed out, it will take a team of people, various control systems experts and chemical engineers, to cause catastrophic damage at a chemical facility. This is, in many ways good news as it is unlikely that the average terrorist group (particularly home-grown terrorists) will have that level of expertise available to conduct such an attack.

Finally, no chemical facility owner/operator is going to allow any outsider to hack into a live control system involved with the handling, storage or manufacture of hazardous chemicals. The potential for problems is just too high. And taking a system down to allow for such an evaluation off-line is just too costly for most chemical facilities.

Congress and Cybersecurity

It is good to see that Congress is starting to seriously think about cyber security. But provisions like this hacker requirement shows just how far removed from reality too many of these congress critters really are. It will be interesting to see how many problems congress tries to institute as they address the complicated problem of cybersecurity.


Anonymous said...

Does section 2111 really require "red hat hackers?" I was under the impression red hat referred to a Linux operating system rather than a type of hacker.

Congressional typo?

Patrick Coyle said...

I think that they may have meant 'red team?' You never can tell.

Anonymous said...

Great blog coverage.

On the topic of limited ICS capable hackers for pen testing. I'm concerned there's a common misconception by government, industry and the public that the ICS is the vulnerability of the system. Stuxnet, the german incident, etc all entered via social engineering, over business machines likely running Windows. Those attacks pivoted to different equipment but the point of entry was basic.

I'm not sure if a pen test needs a defcon expert to walk a facility control room and ask what computers control various aspects. Ask what security features those computers have to mitigate social engineering Trojans (Updates implemented, Personal email/website restriction, usb port restriction, etc). The inspection could be handled without endangering the active systems, but could greatly benefit from onsite vision/communication.

To date I'm only familiar with two public cases that directly bypassed the business computers. One was an Australian municipal facility and they 2nd was a Russian pipeline. They appear to represent a small fraction.

/* Use this with templates/template-twocol.html */