There has been a lot of attention given to my blog post on Saturday about legislation to regulate cybersecurity for industrial control systems, particularly since it was posted on the weekend. What has been odd has been the relative lack of comments. In fact, the only comments that I have seen have been brief statements that perhaps insurance would be a better way to regulate ICS security.
Developing ICS Security Legislation
First off, let me remind my readers that the post was written in response to a specific question publicly posted on TWITTER®. Since I follow CFATS, control system security, and legislation in general I figured that I had a pretty unique position to put together a first draft of a regulatory program that might have some sort of chance of being put into place. It couldn’t be overly prescriptive, it had to be limited in scope, it had to be able to handle a wide variety of current and future control system security issues, and it had to be risk-based.
Any ICS security legislation will have to take those constraints into account if there is to be any chance of it being able to be passed by Congress. So I took an existing cybersecurity regulatory process, filed off the serial numbers, and expanded the risk-based screening process beyond chemical manufacturing.
If I do say so myself (and I am well known NOT for my humble appreciation for my own skills) I thought that the proposed program turned out pretty well, especially since it was written in a single sitting of about four hours. Are there things I would change about it? Certainly; there is no mention of vendor responsibilities. Are there things that industry would object to? Probably; they don’t generally appreciate government regulation. Is there anything that would absolutely prevent a bill based on this outline from passing? Probably not at some point in time; just not now, as there is no real perceived need.
But remember, except in emergency situations, this is not the way legislation is written. A single person does not create a bill out of whole cloth in four hours’ time; at least not a bill that anyone expects to be passed. Bills such as the one described would be the work of multiple organizations over a great deal of time. There would be a number of opposing points of view heard and there would be a good deal of give and take as various concerned parties outlined their specific concerns.
No Political Will
There is currently no political will driving the crafting of ICS security legislation. There have been no publicly identified breaches in the United States of control systems that have had a physical or economic impact that is generally recognized by the political class or the public.
IT breaches have been escalating in number and severity for a number of years now. Even in that environment there have been only limited and ineffectual breach notification laws passed; none at the national level. We are just starting to see serious consideration of breach notification laws and none to date have really identified fixing the underlying security problems as part of the legislative matrix.
We are just now starting to see legislative awareness of the potential harm that could come from a successful attack on industrial control systems. That awareness is a long way from forming the political will necessary to do the hard work of crafting effective legislation. We will not see that political impetus form until there have been a number of control system attacks that have had consequences that are generally and widely decried by the public.
What we do have, however, is a unique chance for a potentially regulated community to get out ahead of the legislative process and to begin discussing how the inevitable future regulation of the risk-space should proceed. This could be a valuable time for us to determine how minimalist effective regulation should proceed in a way that will benefit the regulated community as well as our potentially affected neighbors.
Insurance as an alternative to regulation is a long way out in the control system environment. Insurance quantifies risk based upon actuarial statistics, and that depends on a statistically significant number of incidents to properly calculate the cost of risk. Since we have no incident history there is no legitimate way to quantify the risk.
Nor is there a significant body of institutional knowledge within the insurance industry to quantify the level of risk reduction associated with the various defensive measures that a control system owner can take to protect their systems. We don’t have enough control system security experts to staff the government and security companies, much less professionals to oversee security systems within the production environment. We certainly don’t need to lose further expertise to the insurance industry while they try to figure out how to quantify risk.
Besides, the insurance industry has done an exceedingly poor job of risk reduction in industrial environments. One just has to look at the chemical process industry to see how little insurance has done to reduce process safety incidents.
Unfortunately, effective regulation is going to be the only way that we as a society are going to be able to ensure that process control attacks don’t harm our facility neighbors. To be effective there is going to have to be a risk-based regulatory scheme that targets effective enforcement activities on the facilities that pose the highest risk to off-site entities. We do not have enough trained people, nor could we afford to employ enough trained people, to be able to inspect the security installations of every control system deployed in the United States. Effective regulation is going to have to be specifically targeted at the highest-risk facilities.
Again, the time to start talking about this is now, before actual attacks start energizing knee-jerk reactions in Congress.