Dale Peterson of DigitalBond repute (high repute in my mind, but Dale does have his detractors) left
a comment on today’s post about the ICS-CERT Monthly Report. As is usual when he comments here,
he makes a very interesting point in few words. He notes (among other things) that:
“The on-site assessments, like the
training, violate national labs rules. INL is not allowed to compete with
industry, but continues to do so. In fact they are stepping up their
competitive offerings. Maybe it is sour grapes as a competitor, but free and
promoted by DHS are two awfully big competitive advantages.”
My initial knee-jerk reaction is ‘Come on now, there has to
be more business than Dale and his not too numerous competitors can handle.’
After all, there are way more ICS systems deployed than all of the researchers
(blackhat and whitehat alike) could ever get to in a reasonable amount of time. A
little more thought, however, makes it clear that this is a specious argument at
best; not every ICS owner is going to get his system evaluated for security
problems. The reason is that there have been so few attacks to date (I dare
someone to name off six deliberate hacks of an operating control system in the
wild) that most owners still don’t believe (and many with good reason) that
they will ever be the subject of a real attack.
Unfair Competition
Still, even with the limited number of owners actually
caring enough to get their systems evaluated, there should be enough work for
Dale and his for-profit compatriots and still leave enough for ICS-CERT to give
away system reviews. But that will still contribute to fixing the continuing
problem of not enough ICS security researchers/fixers. We need lots of competition
to convince young’uns to take the hard courses in school to be able to fill the
needed slots in government and private industry to deal with the security of
control systems. There aren’t many that will do the hard work just to work
for the guvmint. They might be more interested if they made the big money like
Dale and got to travel the world. So let’s keep ICS-CERT from competing with
industry.
On the other hand…
I really do want the folks at ICS-CERT frequently getting
out into the real world and seeing what kinds of screwed up ICS systems are
actually deployed. It isn’t a Siemens/ABB/Schneider world out here. Actually it
isn’t an anything world out here, it’s an everything world; all sorts of bits
and pieces of multigenerational hardware and software cobbled together in a ‘whatever
it takes as long as it doesn’t cost too much’ world. The smaller and older the
operation the more cobbled it is.
Okay, let’s have the ICS-CERT guys start to work with the
other parts of DHS that deal with private sector security issues like CFATS,
MTSA, TSA, whatever. Let’s have them do control system security evaluations for
entities that are regulated under these programs as part of the regulation
process. These agencies don’t have the ICS security expertise to handle this
job in the first place, so they need the help. That’s an inherently
governmental function, not one that takes work away from the private sector.
And it would give the ICS-CERT people the hands-on experience with the various
lash-ups found in the real world. And maybe they can train the other security
inspectors in some basics of control system security.
BTW: Full Disclosure – I have written some blog posts for
Dale on cybersecurity legislation from time to time.