This is part of a continuing series of blog posts about the
latest DHS-IdeaScale project to open a public dialog about homeland security
topics. This dialog
addresses the DHS Integrated Task Force project to help advance the DHS
implementation of the President’s Cybersecurity Framework outlined in EO 13636.
The earlier post in this series was:
Yesterday I posted a new ‘idea’
for discussion on the DHS/IdeaScale Integrated Task Force Collaboration
Community (ITFCC). This idea is actually a two-parter:
• Identifying high-risk control systems; and
• Registering high-risk control systems with ICS-CERT to get earlier warnings of zero-day vulnerabilities
High-Risk Cyber Systems
I’m going to ignore information systems here; those can be
dealt with by different controls and procedures. I’m going to concentrate on control
systems because it is only through their unauthorized manipulation that a
cyber-attacker can cause widespread physical damage to society. This
high-consequence risk provides a legitimate societal concern with the security
of such systems.
Even at a high-risk, high-consequence facility, not all
control systems, or even their components, have an equal potential to cause
catastrophic off-site consequences. Society has a legitimate interest in
seeing adequate security only for those portions of the cyber-systems
controlling physical processes that could cause catastrophic off-site
consequences. Identifying and perhaps isolating those high-consequence
components will help to prioritize where to spend the time, money and manpower
to ensure that the systems are adequately secured against attack or
unintentional failure. Of course, any other components of the overall
cyber-system that allow for access to those critical components become critical
in their own right.
A prime prerequisite of any serious cybersecurity program
must be to identify these components that provide a determined attacker the
capability to cause widespread physical harm via a computer-controlled system.
Zero-Day Vulnerability Warnings
If society has a strong interest in the prevention of
attacks on high-consequence control systems, it also has a concomitant
obligation to provide assistance to the owners of such systems in the protection
of those systems. One such critical form of assistance is the notification of
system owners when a zero-day vulnerability (ZDV) is discovered in their protected
system.
There is a legitimate argument to be made that the widespread
dissemination of information about ZDVs increases the risk to cyber-systems
because it is generally easier to exploit a ZDV than to mitigate one,
particularly since the skill sets necessary to develop a mitigation strategy
are frequently not found in-house at critical infrastructure facilities.
A targeted distribution of ZDV knowledge to high-consequence
installations using the vulnerable systems avoids a certain amount of the
danger associated with providing ZDV information to various adversaries. But to
accomplish this the ZDV information distribution agency must know what
facilities have what control system components deployed in critical installations.
This requires the registration (voluntary or otherwise) of those components
with an organization like ICS-CERT.
If ICS-CERT were to have this information, when they were
contacted with information about an ICS ZDV they could (immediately after
notifying the vendor of the vulnerability if the information comes from a
researcher) notify those facilities deploying the vulnerable system in a
high-consequence application. For those facilities without in-house or contract
control system security capabilities, ICS-CERT could provide assistance in setting
up interim security processes while waiting for the vendor to rectify the
vulnerability.
Public Participation
A quick reminder here that the whole ITFCC program requires
public participation in the suggestion, discussion, selection and
implementation process. The ITFCC
web site is a forum for suggesting and discussing ideas that could become
parts of the process for the security of critical infrastructure cyber-systems.
Failing to participate in that process makes it less likely that you will be satisfied
with the products of that process; products that you may be compelled to
employ.
Take a couple of minutes and look at my latest idea and the
other ideas currently under discussion at the site. Provide comments where you
feel appropriate; become part of the discussion. Vote up or down on all of the
ideas that you feel you can or cannot live with. And more importantly, provide
your own ideas on how we as a society can increase the security of the
cyber-systems that are an integral part of our everyday lives.