Tuesday, May 4, 2010

Reader Comment 04-30-10 Cyber Inspections

Last Friday Edward, who has his own security blog, commented on my recent review of an article on cyber security. His comment was lengthy and well worth reading. He makes a number of good points about conducting threat assessments and designing an appropriate response. His final point is, I think, well worth a closer look. He closed by saying:
“While I think cyber security is going to be the wave of the future in this industry, thinking that the government can regulate this requirement effectively is naive. It is up to the facility to truly understand the threat and take the appropriate actions as opposed to striving for minimal compliance.”

CFATS Cyber Inspections

I don’t believe that the current staff of chemical facility inspectors is really going to be striving for detailed investigations of cyber security issues. DHS has been looking at hiring people with physical security, law enforcement, or chemical engineering type backgrounds. While these folks will certainly be given some cyber security training during their 14-week Chemical Security Academy, they will not have the necessary background to do in-depth technical reviews of cyber security processes.

At least in the initial round, the most effective review of cyber security efforts at a facility will be done during the SSP submission. Only there will there be a reasonable probability of an actual cyber security expert having a look at the facility program. Even there it will not be possible to do the type of detailed review of the threat assessment and response that Ed describes as being necessary to truly protect facility cyber assets.

While program compliance is hardly ever an adequate measure of security, the current CFATS program’s approach to cyber security will hardly touch the reality of actually protecting industrial control systems (ICS) from potential terrorist attacks. This is not a slam of the CFATS program, just a realistic appraisal of what the Infrastructure Security Compliance Division at DHS can do.

To be able to do an effective evaluation of facility ICS security, they will have to have a significant cadre of ICS security experts. They would need to have at least two or three cyber security experts with ICS backgrounds in each of their regional offices to have any hope of conducting a reasonable review of facility cyber security programs for every covered facility. Finding, much less hiring, 20 to 30 such experts willing to work for the Feds is just not possible in the current environment. The small existing cadre will find better pay and benefits in private industry.

Future CFATS Cyber Security

What will probably be a more effective way of dealing with the ICS security threat is to have a two-fold enforcement program. Most facilities will have to maintain a fairly basic and simple cyber security program that addresses personnel security and limits physical and electronic access to critical systems. Inspections of this level of program will be little more than the checklist type inspection that Ed described in his comments.

Facilities that have been identified as a specific risk of cyber attack, because of the existence of a specific threat or the existence of a high-consequence potential for release via ICS manipulation, would face additional scrutiny of their ICS security program. This would allow for a smaller, centralized and highly trained ICS cyber security team that would focus on just the higher risk facilities.

In the meantime, what is a facility to do? It depends on whether the facility is more concerned with CFATS compliance or with providing adequate security for its ICS. A compliance-focused facility should probably rely on reading the RBPS Guidance manual and addressing the limited cyber security issues identified there. Facilities more interested in protecting themselves from a terrorist cyber attack will need to get appropriate experts to do the type of threat and vulnerability assessment described by Ed.
