There was a very
nice comment from hdk posted to my
post from earlier today about the DHS water facility inspection. It’s a lengthy and detailed alternative
explanation that makes more sense than the newspaper account; it describes a
little known DHS program, the Protective
Security Advisor program in NPPD.
Protective Security Advisors
The PSA program is another undermanned and underfunded
program that receives little attention. I’ve briefly mentioned them twice here
in this blog (April
2010 and December
2010), but they don’t receive much
press (which is probably a good thing given the way government agencies usually
get noticed).
The comment by hdk notes that PSA’s routinely work with
water treatment facilities in their area of operations, doing vulnerability
assessments, information sharing and just plain establishing contacts with
operators.
A facility of this size is probably not one that the
regional PSA team would initiate contact with, but if the facility had
requested a vulnerability assessment, it almost certainly would have been
worked into the schedule. While this facility hardly counts as critical
infrastructure on the national scale, it is certainly important to their local
community. If the regional PSA team could find the time to do the review, it
was a good thing for the facility, the region and DHS.
ICS-CERT Involvement
There is only one thing that hdk points out that I take
objection to. First off it is obvious that hdk knows a lot more about the PSA
program than I do (not that hard, but I suspect that hdk is directly associated
with the program). So I believe him when hdk says:
“While your comment on the size of
the Athens facility would place it below the radar of DHS, it's not outside of
the realm of possibility that the PSA may have offered up ICS CERT monitoring
capabilities.”
ICS-CERT is even smaller than the PSA program and their
expertise is even in shorter supply than the general security knowledge of the
PSA team. Having them babysit a new control system implementation to verify
that it is working properly is a misapplication of that resource. If there had
been an attack on the system it would be a valuable deployment of ICS-CERT
resources as it could be a potential trial run of later attacks on larger
systems. But to just sit and watch a system to ensure that it is secure, no
that would be a gross misuse of a scarce and valuable resource.
I’m not even sure that having a PSA member monitoring this
deployment would be a legitimate use of limited resources. There could, of
course, be some political reason why such a move might be an appropriate
expenditure of time and personnel for the PSA Regional Commander.
Of course hdk doesn’t actually say that ICS-CERT did (or more
appropriately will) take part in this cyber-system evaluation. It is much more
likely, in my mind, that it would be a PSA follow-up operation.
DHS vs EPA and Water Systems
One final point; if the PSA teams from DHS are making it a
routine point to help water systems with their security assessments it is only
because the EPA water facility security program, as mandated by Congress, is a
completely ineffective security program. That isn’t really the EPA’s fault;
Congress made EPA responsible for the security program but did not give them
any real authority to enforce any security measures.
That DHS has an underfunded program that is able to step up
and actually help small water systems evaluate their security programs and make
suggestions for improving that security is sufficient reason, in my mind, to
encourage Congress to make the security of water treatment systems part of the
responsibility of NPPD and DHS instead of the EPA. DHS has got to be more
effective.
Posts
No comments:
Post a Comment