Friday, September 28, 2007

Threat communication

By now, just about everyone has seen the video of simulated hackers destroying an electrical generator or read the news reports about the video. Now, according to an Associated Press article yesterday, that video, the “Aurora Generator Test”, was shown to people at a trade convention in Atlanta last March, shortly after it was made, without proper authorization to disclose the classified “For Official Use Only (FOUO)” information. The government had to go back and notify the people who were shown the film that it was classified. Apparently, the unnamed DHS employee who showed the film to a select group of industry researchers felt that they needed to understand the vulnerability that the electrical grid could face in order to be able to develop appropriate countermeasures. Nothing has been publicly said about whether the employee was punished for this “leak”.

 

This goes hand in hand with my earlier blog, “How do we know we are protected?”, in examining the bounds of the conflicting demands between information security and the dissemination of information required for development of adequate physical security measures. This is an issue that will come up again and again in communicating threat assessment information to chemical facilities. If too much threat intelligence is communicated to the multitude of chemical facilities that might have to respond to the potential threat, some of that information is going to make it into the press. On one hand, that may help to prevent attacks, as terrorists realize that their potential operation is compromised; on the other hand, it will also allow the terrorists to realize that their security has been breached and take appropriate corrective measures.

 

While section 27.215 of 6 CFR requires each covered facility to make a threat assessment as part of its Security Vulnerability Assessment, most organizations are ill-prepared to do so. While the Exxons and Dow Chemicals may have intelligence gathering and assessment capabilities, most organizations do not. Chemical facilities are going to have to rely on government agencies, local, state and national, to supply that expertise. Most of the detailed information will be classified at a much higher level than CVI (Chemical Vulnerability Information) or even FOUO and will thus be unavailable to most chemical facilities.

 

Perhaps DHS should modify their CVI information protection system to include threat assessment information disseminated by DHS. Appropriate intelligence information could be cleaned up so as to avoid the most egregious disclosures of collection means and methods (what intelligence agencies want most protected) and then sent out to the applicable facilities. The person responsible for the CVI program at each facility would then become a CVI Security Officer instead of just a point of contact, since they would then also be responsible for the security of information provided by the government rather than just the information provided to the government. The disclosure of CVI at the facility level would have to be more formally controlled than currently planned, but would still not require the level of controls necessary for Classified Documents.

 

Intelligence information is going to have to flow from DHS to chemical facilities if the security at those facilities is going to be adequately maintained. Proper protection of facilities from terrorist attacks will require some level of knowledge of terrorist interests and capabilities. The mechanism for this intelligence transfer needs to be established now, as chemical facilities are starting to work on their SVAs and well before they start developing their Site Security Plans.
