Yesterday the Homeland Security Subcommittee of the House
Appropriations Committee held an oversight hearing looking at ‘Cybersecurity
and Critical Infrastructure’. The hearing was closed to the public because
intelligence information was going to be discussed at the Top Secret/SCI level.
We do, however, have access to the opening
statement from Under Secretary Beers.
CFATS Mentioned
Beers testified on the broadest reading of the hearing's title and took some time to address the CFATS program, updating the Subcommittee on the improvements made to it. This is not unreasonable, since the Subcommittee wanted to cut CFATS funding by half last year, at least in part because of the problems the program was having with its site security plan authorization process.
Beers provided an interesting tidbit of information yesterday that was overlooked in the CFATS hearing last week. Yesterday's written testimony noted that as of March 5th, "397 ASPs [Alternative Security Plans] have been submitted in lieu of SSPs" (pg 6). These were almost certainly submitted using the American Chemistry Council's (ACC) ASP format. He made these comments about the importance of the development of ASPs:
“Additionally, DHS has been in
discussion with other industry stakeholders, including the Agricultural
Retailers Association and the Society of Chemical Manufacturers Affiliates,
about developing templates specific to their members. DHS has also been engaging
industry partners on the development of “corporate” ASPs. For industry partners
that own several regulated facilities, the corporation can develop a single ASP
template, which can be easily leveraged by all of its facilities. ASPs
submitted by facilities using an industry-developed or proprietary template
would be reviewed under the same standards that ISCD currently reviews SSPs.
The potential for these ASPs to serve as a force multiplier is tremendous as
DHS continues to authorize and approve SSPs and ASPs.”
Unfortunately, in a hearing that was predominantly supposed
to be about cybersecurity, Beers made no comments about that topic in his
discussion of the CFATS program. This is especially surprising and
disappointing in light of the comments and questions he heard from his congressional
questioners at last week’s hearing.
Control System Security
The written testimony provided yesterday has a pretty good discussion of control system security for something coming from outside the ICS security community. Nothing new was presented, but the fact that ICS security received this much separate attention was encouraging.
Cybersecurity EO
While the cybersecurity executive order was mentioned early in the testimony, it was probably the least informative part of it. We get plenty of catch phrases like "encourage enhanced security and resiliency" and "enhanced information sharing programs", but no substance.
Beers was obviously proud of the fact that "DHS has already formed a task force to coordinate implementation of PPD-21 and EO 13636" (pg 2), but that is hardly an accomplishment, since the Administration had been working on the EO since last summer and the early drafts that were circulated show little difference from what we got last month. But then again, Beers has always been proud of mediocre performance and missed deadlines at NPPD.
Intelligence Information
The meat of yesterday's hearing was going to be the intelligence information supporting the cyber-threat analysis. We are unlikely to hear anything directly about that intel any time soon. I would like to think that DHS has the capability to sanitize the intelligence reports to the extent that it could provide industry with a report of at least the same level of detail as the recent Mandiant report on Chinese involvement in cyber espionage.
I'm not going to hold my breath about that happening any time soon, but if I were the CEO of a chemical company with multiple high-risk chemical facilities, I would want to hear the following from DHS in general and ISCD in particular:
• Have any chemical facilities had their computer systems hacked by the Chinese (or Iranians, or North Koreans; let's make it easy with a new cyber-intel acronym, 'CINK')?
• If so, were any control systems breached by CINK hackers?
• Is there any indication that information about control systems was accessed by CINK hackers?
• Is there any indication that attempts were made by CINK hackers to establish backdoors into corporate or control system networks?
• What indications are available for determining whether a corporate network or control system has been hacked by CINK hackers?
I doubt that we will ever see official public responses to questions such as these, but hopefully this type of information is being provided to corporate leaders and security personnel. If not, then DHS needs to pack up its tent and steal away quietly into the night in disgrace. If they can't provide this type of information to critical infrastructure owners, then they are about useless and the President's cybersecurity order is just a pretty piece of paper.