This is part of a continuing series of blog posts about the
latest DHS-IdeaScale project to open a public dialog about homeland security
topics. This dialog
addresses the DHS Integrated Task Force project to help advance the DHS
implementation of the President’s Cybersecurity Framework outlined in EO 13636.
The earlier post in this series was:
This weekend I posted my fourth ‘idea’ to the ITFCCP site
(NOTE: It did not make it live to the site until this morning; the moderators
appear to work government hours). Readers of this blog probably saw this one
coming: I would like to see vendors ‘register’ their systems, particularly
their software and firmware, with an organization like ICS-CERT. To encourage
vendor participation, DHS could give them liability protection under the
SAFETY Act. In turn they would agree to:
• Provide DHS with a list of third-party components of their registered systems;
• Notify DHS when they identified, or were notified of the discovery of, a zero-day vulnerability;
• Allow DHS to notify registered high-risk critical infrastructure facilities of the zero-day vulnerabilities; and
• Work with DHS to minimize the vulnerabilities of each component of their registered system.
This proposal would allow vendors to become an integral part
of protecting critical infrastructure from cyber attacks.
As I have mentioned before, participating in this
forum may be the easiest way that vendors, owners and researchers in the
control system community may have a direct impact on the implementation of the
President’s Cybersecurity Executive Order (EO
13636). So visit, read, comment, vote, and most of all suggest.