Today the Department of Homeland Security published a guidance notice in the Federal Register (81 FR 8214) providing a link to their Automated Information Sharing (AIS) web site. This web site provides the interim guidance on the sharing of information about cyber threat indicators between the Federal Government and the private sector required under §103 and §105 of the Cybersecurity Information Sharing Act (CISA) of 2015 that was passed as Division N of the Consolidated Appropriations Act, 2016 (PL 114-113, not yet published).
The AIS web site contains links to four guidance documents:
The site also contains a link to the on-line form that allows submission of information on threat indicators to the automated information sharing system.
A quick review of these complex documents did not show anything specific to the sharing of information about sharing information about cyber threat indicators specifically related to industrial control systems. Section 102(9)(B) of CISA Act of 2015 did, however, specifically include in the definition of information system “industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers”.
I’ll probably have a more detailed look at these documents in a later blog post.