This is part of a continuing look at the responses that the
National Institute of Standards and Technology (NIST) has received to its request
for information (RFI) in support of the development of the Framework for Reducing Cyber Risks to
Critical Infrastructure, as outlined in President Obama’s Executive Order on
critical infrastructure cybersecurity (EO 13636).
The earlier post in the series is:
Topics Discussed
This last week there were 19 new comments left on the NIST
web site (though six of those were essentially transmission documents, not actual
comments). Six of those took the form of short answers to the list of actual
questions in the RFI (One,
two,
three,
four,
five,
and six).
Others covered a particular topic about cybersecurity in some depth. Those
topics included:
Interesting Comments
There is a lot of good information provided in the documents
listed above, but there were a couple of comments that jumped out of the pages
at me. The
first comes from Larry Marks at IBM Security and Privacy Services and deals
with the idea of requiring certification for people whose level of access
to a system allows them to make changes to the system itself:
“The ISC2 CISSP Common Body of
Knowledge (CBK) has been carefully mapped to the DoD
8570.1 [link added] directive, which requires every
full- and part-time military service member, defense contractor, civilian and
foreign employee with privileged access to a DoD system, regardless of job
series or occupational specialty, to obtain a commercial
certification credential [link added] that has been accredited by the
American National Standards Institute (ANSI).”
The
second comes from Doug Stoneman at Velocity Partners and is a look at the
scope and basis of the current problem:
“In a landscape of breached
security and defeated encryption the typical reactive technological security
infrastructure response is that more technology is the answer to threats and
that one more layer of security technology will solve the security issue. It is
that very nature of the reactive security industry and the focus on technology
that is the scale and scope of the problem.”
Control System Security
Only two of the comments posted this week specifically deal
with control system security issues. The first was from Mike Swearingen at
Tri-County Electric Cooperative. His was the piece that looked at situational
awareness that I listed above.
Last week I complained about the missing input from well-known
names in the ICS security world. The second
ICS-related comment comes from one of those names, Chris Blask, Chair of
the Industrial Control System Information Sharing and Analysis Center
(ICS-ISAC). As one would expect from Chris this is a thoughtful and cogent
response to the RFI. Interestingly it provides more of a theoretical background
to the comments made by Swearingen.
The entirety of Chris’ response is well worth reading, but
perhaps his most important point is made in his opening remarks about the
complexity of the ICS security problem and the limits of vulnerability
reduction:
“Given realistic resources,
vulnerability reduction alone cannot reduce aggregate risk to an acceptable
level at any point in the foreseeable future
- “Based on the vulnerability
research to date which is available in the public domain it is reasonable to
assume that virtually every deployed Industrial Control System device or piece
of software contains exploitable vulnerabilities
- “The trained workforce of
researchers necessary to identify a majority of vulnerabilities in all deployed
ICS cyber devices in a reasonable and prudent period of time for these purposes
does not exist
- “The necessity to “touch” every
individual control system device found throughout every critical infrastructure
facility in the nation in order to apply remediation to known vulnerabilities
would mandate a workforce which is not available nor will be available under
the most optimistic conditions for many years
- “It is unrealistic to assume
that a single remediation of each ICS cyber device would be adequate to ensure
all knowable vulnerabilities have been addressed in all deployed devices”
There have been public discussions around this topic for
some time now, but this is the first time I have seen such a cogent and
succinct expression of the totality of the problem. Fortunately, Chris goes on
to give an overview of how situational awareness and information
sharing can be used to work around this problem.
In a mere nine pages, Chris isn’t able to provide a clear
blueprint for the implementation of this solution, and its scope is certainly
beyond the reach of a single person or organization. Having said that, I hope that
the folks at NIST responsible for developing the Cybersecurity Framework pay
close attention to Chris’ remarks when they begin to look at the control system
aspects of their program.