Thursday, June 17, 2010

DB on S 3480

Dale Peterson over at, writes a serious control system security blog, and he has an interesting, if brief, look at S 3480, the Protecting Cyberspace as a National Asset Act of 2010, sponsored by Sen. Lieberman (I, CT) and Sen. Collins (R, ME). I’ve just downloaded a copy of that legislation, so I’ll reserve my comments on the bill. Here I’ll just look at Dale’s comments.

Conflict of Interest

Beyond having concerns about whether DHS can actually take on the tasks outlined in the bill, given its manpower and funding constraints, Dale has concerns about the control system security set-up in the bill. He writes:
“Are we really proposing that DHS set the regulations, be in position to issue fines, and help owner/operators comply with regulations, and be brought in for remediation? So then they could be regulating the security controls they recommended, designed and maybe helped implement? Sounds like the days of the accounting companies providing services to companies they audited.”
Then he questions whether this is what DHS wants or whether it came entirely from the minds of the Senators. I can’t answer that question any better than Dale apparently can. I would hope that if DHS were buying off on this they would point out the need for substantial additional resources. I’m not completely sure I share Dale’s concern about the internal conflicts of interest. This could be set up in such a way that separate sections of DHS-CERT have responsibility for the different parts of the system.

ICS Remediation

Interestingly, the Control System Security Program people at DHS-CERT did apparently volunteer to get into the remediation business for a short period of time last month. I noted in an earlier blog that they posted the following offer on their web page:
“In addition, the ICS-CERT is able to provide onsite assistance, free of charge, to organizations that require immediate investigation and resolve in responding to a cyber attack.”
The offer was missing from the revised web page just five days later. No explanation was given, but it could have been due to a lack of manpower, or even to complaints from industry that this was putting CERT in direct, and unfair, competition with a number of companies. I just don’t know, but it is an interesting coincidence.

I’ll be trying to wade through the lengthy bill to pull out the material of interest to the chemical security community. In the meantime, take a quick look at Dale’s post; it is an interesting read.

BTW: Yesterday Rep. Harman (D, CA) introduced another ‘comprehensive’ cyber security bill (HR 5548). It is not yet available from GPO, so I have no details yet, except that it is also a bipartisan bill, having been co-sponsored by Rep. King (R, NY), the ranking member of the House Homeland Security Committee.
