Sunday, June 20, 2010

S 3480 – Cyber Security

Last week I took a brief look at some concerns being expressed about the new comprehensive cyber security bill coming out the offices of Sen. Lieberman (I, CT) and Sen. Collins (R, ME). At that time I hadn’t had a chance to review the text of the bill. Now that I have had a chance to do so it doesn’t seem that this bill will have serious affects on industrial control systems (ICS), but owners of conventional IT systems at chemical facilities that are considered to be critical infrastructure may be affected. ICS I have to waffle a little bit on the potential affects on ICS. I cannot find anywhere in the bill where the terms ‘industrial control system’ or ‘SCADA’ are mentioned. These are two of the most commonly used descriptors of the computer systems used to control chemical processes. In fact the word ‘industrial’ only shows up once in the legislation and that in regards to industrial espionage {§406(a)(2)(E)}. I don’t think that it is unreasonable to assume that ICS are not covered under the introduced bill. Having said that, there may be a loophole that regulators could use to attempt to regulate ICS in ‘critical industries’. In defining ‘cyberspace’ the legislators expansively state that it includes “the Internet, telecommunications networks, computer systems, and embedded processors and controllers [emphasis added] in critical industries” {§3(2)}. Since this statement is modifying ‘the interdependent network of information infrastructure’, I think that any such ICS regulations would certainly end up in lengthy court battles. Information Systems The major focus of this legislation is the protection of information systems of the Federal Government, but it does potentially apply many of the same controls to privately owned information networks. Covered critical infrastructure is defined as a system “that is on the prioritized critical infrastructure list established by the [DHS] Secretary under section 210E(a)(2)” {§241(4)(A) in §201}. Section 503 provides guidance to the Secretary about the maintenance of the ‘critical infrastructure list’. The catch all phrase “any other security related factor determined appropriate by the Secretary” could certainly be used to include high-risk chemical facilities on this list. I’ll leave the analysis of what specific affects that this bill could have on the managers of IT systems in these high-risk chemical facilities to those with more experience in IT systems; I have only been a user of such systems. Mark-up As I mentioned in a posting on Friday, this bill is currently scheduled to be marked-up in the Senate Homeland Security and Governmental Operations Committee on Thursday. There is no telling what changes will be made at that hearing. In fact, given the way that Senate committees conduct such hearings, we will have little idea of what changes have been made to the legislation until the final committee report is filed. I am certainly not going to predict when that will occur; we are still waiting on the report from this Committee on S 1649, the WMD bill that Sen. Lieberman and Collins pushed last year and upon which mark-ups were finished back in November. If and when a report on this bill is published, I will again look to see if there have been any provisions made that would specifically address ICS at high-risk chemical facilities.

No comments:

/* Use this with templates/template-twocol.html */