Wednesday, October 17, 2007

Congressional hearing on cyber security

While today’s hearing of the House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology was called to address the threat of cyber attacks on control systems in the electrical power generation industry, testimony of two of the witnesses briefly touched on the similar problem in control systems in the chemical industry.


Mr. Gregory C. Wilshusen, Director, Information Security Issues, GAO, briefly discussed a recent GAO investigation (GAO-07-1036) into the security of control systems. The report concluded that while multiple agencies and private entities have responsibility for cyber security, DHS has the responsibility to coordinate actions between the various parties to ensure the overall security of the United States. The GAO study faulted DHS for lacking an overall strategy for coordinating actions or sharing information.


Mr. Greg Garcia, Assistant Secretary, Office of Cyber Security and Telecommunication, Department of Homeland Security, briefly discussed how the Department views the threat. First, he stated that the primary responsibility for securing control systems rests with the private sector, which owns 85% of the control systems in this country. DHS views its responsibility as providing guidance, developing and enhancing partnerships, and preparing for and responding to incidents.


As part of the guidance portion of the DHS responsibility, Mr. Garcia reported on an evaluation tool developed by the Department that can be used to evaluate the cyber security of a control system. The Control Systems Cyber Security Self Assessment Tool (CS2SAT) will be made available by the Instrumentation, Systems and Automation Society (ISA) to their members. DHS has also provided cyber security training to over 7,000 IT and control systems professionals, including some web-based training. Additionally, DHS worked with NIST to produce “Guide to Industrial Control Systems (ICS) Security,” which provides an overview of control systems, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.


Control systems are an integral part of most chemical manufacturing processes. In most facilities that will be required to perform SVAs and SSPs, special attention will need to be paid to these systems. Section 27.230 lists “Cyber” as one of the Risk Based Performance Standards that must be addressed in Site Security Plans, and this includes the security of various control systems on site.
