Yesterday evening, in an interesting Twitversation, @digitalbond (Dale Peterson) asked a very important question in response to an article on TGDaily.com, “We need strong cybersecurity legislation NOW!” Dale asked:
“If it were only that easy. Imagine you were all powerful. What effective legislation would you write for CI ICS?”
Since I recently looked at a DHS effort to do just this for an important subsector of critical infrastructure (high-risk chemical facilities), I have seriously been thinking about this for a little over a week now. The more I think about it, the more I think that the folks at the Infrastructure Security Compliance Division (ISCD) have done a pretty good first pass at establishing a good, general-purpose regulatory scheme for critical infrastructure control system security. With that as a starting point, here is the legislation (in plain English, not legislatese) I would craft to regulate the security of critical infrastructure industrial control systems.
Covered Control Systems
The first thing that we have to establish is which industrial control systems would be covered by the regulations. We could just regulate all control systems, but then we would have a problem with having any sort of practical compliance process with any reasonably sized inspection force. And without an inspection force there is no effective regulation. So we need to come up with some reasonable sub-set of industrial control systems to regulate.
We’ll start by scrapping the term ‘critical infrastructure’, since in common usage it includes too many entities that have no real industrial control systems to regulate. Instead we will concentrate on critical industrial control systems (CICS). We will define a CICS as any control system that operates a process that, if completely owned by an attacker, could be used to have a serious direct kinetic, chemical or energy impact on more than 100 people off of the site where the process is located; such an attack will be known as a potential critical attack (PCA).
We would also establish within the Office of Cybersecurity and Communication in DHS an organization called the Critical Control System Compliance Division (CCSCD) which would include ICS-CERT. It would have primary responsibility for writing control system regulations and enforcing such regulations at facilities not regulated by other Federal agencies. Those Federal agencies with primary regulatory responsibility for CICS facilities would be responsible for enforcing CICS regulations at those regulated facilities with the assistance as necessary of CCSCD.
Facility Control System Security Program
Each facility that has an industrial control system control room would be required to have a written facility control system security plan (FCSSP) that covers all systems controlled or monitored out of that control room. Where multiple control rooms monitor or control a system, a master control room will be designated to provide FCSSP coverage for that system with priority given to the control room with primary control responsibility.
The FCSSP will:
∙ Define the responsibilities of the Cyber Security Officer (CSO) with primary responsibility for maintaining and implementing the FCSSP;
∙ Define the elements of the CICS that, if owned by an attacker, could be used to conduct a PCA. These elements will be known as critical cyber systems (CCS);
∙ Identify safety systems that mitigate the potential effects of a PCA, including safety instrumented systems and automatic mechanical shutdown systems;
∙ Document the business need and network/system architecture for all cyber assets (systems, applications, services, and external connections) connected to CCS;
∙ Integrate cyber security into the system lifecycle for all CCS;
∙ Identify and document CCS boundaries and implement security controls to limit access across those boundaries;
∙ Define responsibilities for identifying critical CCS patches and updates and providing for timely testing, application and documentation of those critical patches and updates;
∙ Define the incident response system, including reporting requirements, for cyber incidents involving CCS;
∙ Include continuity of operations plans, IT contingency plans, and/or disaster recovery plans; and
∙ Include a personnel surety program (PSP) for all personnel with physical or virtual access to CCS elements. The PSP will include periodic vetting against the Terrorist Screening Database through the CCSCD or other Federal agency.
The FCSSP will also document the security procedures, techniques and equipment used to protect CCS from unauthorized access. These will include:
∙ Physical security measures to limit access to CCS components including systems to monitor physical access to those components;
∙ Intrusion detection systems to detect electronic access to CCS components;
∙ Logs of all communications to and from CCS components with an active program to monitor those logs for indications of unauthorized communications inbound or outbound; and
∙ Periodic checks of device programming (PLCs, RTUs and communications modules, for example) to ensure that unauthorized changes have not been made to that programming.
The Regulatory Program
Each industrial control system owner/operator would be required to determine if there is a potential off-site consequence associated with their control systems. Any owner of a control system with a potential off-site consequence would be required to electronically file a control system screening report (CSSR) with CCSCD. This report would be patterned on the CFATS Top Screen process. The CSSR would be a simplified online report describing the potential off-site consequences of a successful attack on the control system in question as well as the current safety systems in place to mitigate those consequences.
All information reported to CCSCD or to a Federal agency with primary regulatory authority under this program would automatically be considered protected critical infrastructure information (PCII) without the need for making the standard PCII declaration.
CCSCD would evaluate each CSSR to determine the number of off-site people that would potentially be affected by a successful attack on the control system, taking into account the mitigation measures in place. If the analysis indicates that a PCA would affect fewer than 100 people, the facility would be notified that it is not a covered facility. Facilities with a control system having a PCA potentially affecting more than 100 people would be notified that they were covered facilities and would be tiered according to the following standards:
Tier 1 – Facilities having a single PCA that could affect more than 5,000 people;
Tier 2 – Facilities having a single PCA that could affect between 2,000 and 5,000 people;
Tier 3 – Facilities having a single PCA that could affect between 500 and 2,000 people; and
Tier 4 – Facilities having a single PCA that could affect between 100 and 500 people.
Tier 4 facilities would have to certify on-line that they had an FCSSP that met the standards described above, with a check-off for each of the requirements listed. Tier 3 facilities would have to complete an on-line form explaining how they met each of the requirements listed above and certify on-line annually that those measures were actually in place. Tier 2 facilities would be required to complete an on-line form explaining how they met each of those requirements and would be required to conduct an annual self-audit using an updated CSET tool designed by ICS-CERT. Tier 1 facilities would be required to complete a more detailed form outlining how they met the above requirements and would be required to undergo an on-line annual audit, with ICS-CERT conducting the audit every other year using an updated CSET tool designed by ICS-CERT. The ICS-CERT audit would also include a Design Architecture Review.
Audit findings would be reported to CCSCD or the primary Federal regulatory agency via an on-line tool. Facilities would be given 90 days to report corrective actions (including on-going corrective actions) on all audit findings. Repeat audit findings on two consecutive audits would require a compliance inspection by CCSCD or the primary Federal regulatory agency.
Random compliance inspections would be conducted by CCSCD or the primary Federal regulatory agency per the following schedule:
Tier 1 facilities – 30% each year;
Tier 2 facilities – 10% each year;
Tier 3 facilities – 5% each year;
Tier 4 facilities – 1% each year.
Any covered facility that had a cyber-related incident with an off-site consequence would receive a compliance inspection within 30 days of the incident being reported. Violations found during any compliance inspections would be subject to civil penalties.
Covered facilities (including those regulated by another Federal agency with primary regulatory responsibility) would be required to report cyber incidents to CCSCD. Reports would be submitted via an on-line form according to the following schedule:
∙ Any cyber-related incident with an off-site consequence would be reported within 1 hour;
∙ Any cyber-related incident that resulted in the unscheduled shutdown of a CCS without an off-site consequence would be reported within 6 hours;
∙ Any scan or intrusion detected within the CCS boundary that affected CCS operations but did not result in a CCS shutdown or off-site consequence would be reported within 24 hours;
∙ Any scan or intrusion detected within the CCS boundary that did not affect CCS operations would be reported weekly; and
∙ Any scan or intrusion detected at the CCS boundary that did not penetrate the boundary would be reported monthly.
Scans or intrusions that did not affect CCS operations would be reported in a summary report that includes source IP addresses where available.
All reports received of cyber-related incidents that affected CCS operations would be immediately reviewed by a CCSCD action officer. In the event the cause was unknown (for incidents with off-site consequences) or the information reported seemed to indicate a deliberate attack, ICS-CERT would be notified and further actions or investigations would be initiated as necessary. Any time that an attack clearly seemed to be indicated, the FBI would be notified.
By the 10th of each month CCSCD would compile an unclassified summary report of all cyber-related incidents from the previous month. Copies would be distributed to the CSO of each covered facility, the FBI and the head of each Federal agency with primary regulatory authority over any covered facility.
A formal incident report would be completed by CCSCD on each cyber-related incident that resulted in an effect on a CCS. Unclassified versions of those reports would be made available to CSOs of covered facilities. Classified versions of those reports (when required) would be made available to the FBI and the head of each Federal agency with primary regulatory authority over any covered facility. Copies of reports would also be made available to appropriate fusion centers, ISACs and ISAOs. All unclassified reports would be considered to be PCII.
Readers of this blog will immediately recognize that I stole large portions of this proposed program from the CFATS program model. I have long been a fan of the on-line reporting tools and the automated evaluation possibilities associated with those tools. I would certainly hope, however, that more work would be put into making the completion of the data as simple as possible and organized in a way that could be easily followed by mere humans; the CFATS SSP tool is way too convoluted, repetitive and unusable. We need to avoid replicating that.
I do not expect that Congress will make any effort to regulate the security of industrial control systems to anywhere near this extent any time in the near future. Industry resistance will be just too high. As we start to see attacks with off-site consequences, however, there will be increasing calls for even more regulation than this.
Hopefully, industry can get behind some sort of meaningful control system security legislation before we end up with a catastrophic attack on a control system. Congress tends to get knee-jerk over-reactions to situations of that sort and it can take a very long time to back off from those over-reactions.