DHS-CERT CSSP Web Page Update – 01-12-10

The DHS-CERT Control System Security Program (CCSP) web page was updated on Tuesday. There was a significant re-design of the page and a link to an updated page for the Industrial Control System Joint Working Group (ICSJWG). The two new pages have a lot of information that will be valuable for the chemical security community. CCSP Page The data portion of the CCSP page is now smaller than the previous design. To provide additional room for new information there is now a three-tabbed block in the center of the page that allows the CCSP to provide new information in the same space. The current tabs are “What’s New”, “Top Ten”, and “Reporting”. The Top Ten list provides links to the top ten accessed documents on the site. Unfortunately, the link to the ‘Calendar’ page is currently not operational. The current list includes, among other things:

Catalog of Control Systems Security: Recommendations for Standards Developers (pdf), Cyber Security Procurement Language for Control Systems (pdf), Developing an Industrial Control Systems Cybersecurity Incident Response Capability (pdf), and

Secure Architecture Design.

The “Reporting” tab includes links for reporting control systems incidents (this leads to a reporting form with a cursory description of what constitutes a ‘control system incident’. Actually, this brief and very inclusive description is probably very valuable in bringing in the widest volume of incidents that affect cyber control systems. This would allow CCSP to weed out the non-cyber incidents instead of pre-empting good reports that might not fall under a more specific description. ICSJWG Page The ICSJWG page provides updated information on the Spring 2010 Conference that I had briefly reported in a previous blog. The new information includes the actual location of the conference in Austin, TX (JW Marriott San Antonio Hill Country Hotel and Conference Center), a link to a one-page brochure about the conference, and a link to the conference registration page. There is also a ‘Call for Papers’ announcement on the page, though the link for the electronic submission of proposal abstracts has not yet been established. The program committee has provided a non-exhaustive list of topics that they are looking to have covered at the conference. These include:

Workforce Development, Control Systems Security Research, International Coordination, Standards Development, Incident Handling, Vulnerability Management, Emerging Technologies, Managing Vendor Relations, Integration of Cryptographic Technologies, Security Management Metrics, Wireless Integration in ICS environments, and Coordination of Threat Reporting.

I am always amazed (not really) when there is a noticeable lack of cross fertilization of ideas and topics in the various parts of the Department. Particularly amusing here is that the one regulatory program that is actively trying to deal with industrial control system issues is not mentioned in the program committee’s list of topics. I would have liked to see CFATS cyber security issues get some prominent mention in this forum. As more information becomes available on the ICSJWG Spring Conference, it will certainly be mentioned here in this blog.