Ralph Langner, of Stuxnet decoding fame, has an interesting blog post over at Langner.com about the recent ‘revelations’ in David Sanger’s book, Confront and Conceal, that Siemens was complicit in setting up the Natanz control system in Iran and subsequently acted as the Stuxnet transmission agency for the attack on that system. Now, I haven’t read that book, and Ralph doesn’t actually quote from the book (I think; at least there are no quote marks), and the book is apparently based upon info from politicians, not technicians, so I don’t know how accurate the claim actually is.
Quis custodiet ipsos custodes?
[Who guards the guardians?]
Having said that, Ralph extrapolates that claim to a very interesting point at the end of his posting:
“So it turns out that Confront and Conceal has an important real-life implication for ICS security and critical infrastructure protection: Asset owners/operators who still favor a policy of unverified trust in the cyber security posture of their contractors and vendors, no matter how large or well-reputed they might be, will from now on have to be regarded as negligent. On the plant floor, the biggest cyber security risk is associated with contractors with legitimate access to a facility’s most sensitive systems. There is absolutely no reason to assume that any specific contractor could be trusted without verification just because they say so, because they enjoy a big market share, or because they pursue a media strategy claiming that they had cyber security gotten straight – quod erat demonstrandum [QED, or end of proof].”
This has always been one of the sore points about hiring security specialists: they are given the keys to the kingdom, but there is little one can do to control their concealed actions. Owner/operators need to take great care in selecting any agency to work on facility security programs, physical and/or cyber. Preventing the subornation of a major firm like Siemens is almost certainly beyond the control of most facilities, but facility security managers and cybersecurity managers have to take great care in selecting and vetting anyone who works on their security systems.
TSDB Checks
Typical background checks, specifically criminal background checks, have to be an important part of the security vetting process. Unfortunately, those checks will be of little use when one is trying to screen out people with terrorist ties or people working for foreign intelligence services (FIS). DHS does provide a service for vetting people against the Terrorist Screening Database (TSDB), but that is only available through TSA for transportation-related personnel. CFATS-covered facilities may, sooner or later, get access to that vetting process, but no other critical infrastructure organizations have, or apparently will have, that vetting option. And of course there is no equivalent FIS database to check against.
This is one of the many shortcomings of the various cybersecurity bills: none of them makes provision for personnel surety. There is no requirement that personnel with the cyber equivalent of ‘unaccompanied access’ undergo any sort of background check at critical infrastructure facilities. One would like to think that such checks were being done as a matter of course for business reasons, but it is unlikely that everyone is doing even the criminal background checks. No one is doing terrorist screening, since without a congressionally authorized DHS program for TSDB vetting, the Department has no authority to conduct such terrorist background checks.
1 comment:
Identity and personal surety is an area that government could really help the private sector.
TWIC seemed to have potential as a common system if costs could be brought down. Too bad that recently even this system has been reported compromised.
Finally, given today's supply chain dependencies, we must have provisions for trusting global services.
As a bizarre idea, maybe it would be better to trust products and services based on an open forum reputation system.