Monday, June 3, 2013

Reader Comment – 6-3-13 – IT-Centric

There was an interesting comment posted by Sintixerr (Jack Whitsitt) to my weekend post on the 2nd NIST Framework Workshop. Jack challenged some of the assumptions that I enunciated in that post and that is always a good thing. So, I’ll take the opportunity to explain some of the reasoning further.

Of course the NISTCSF will deal with control systems issues.

This is the statement that starts off the comment and one that I would like to be able to endorse completely. Unfortunately, Washington has a long history of grossly misunderstanding the differences between IT and industrial control system (ICS) security, so I am always skeptical of the intentions of politicians in this regard.

To be fair to the President, there is a phrase in the Executive Order (EO 13636) that can clearly be interpreted to mean that ICS are included:

“Sec. 2. Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

On the other hand the argument could be made that the only control system that could have a “debilitating impact on security, national economic security, national public health or safety [emphasis added]” would the national electrical grid. Since even that is not a single entity the failure of any given component would probably not give rise to a national affect.

This dichotomy is the reason that I would have been much more comfortable with the ICS coverage of the EO if it had been clearly stated that control systems were to be addressed by the Cybersecurity Framework.

Why Wouldn’t Control Systems be Covered?

The universe of critical infrastructure IT systems that are capable of having a ‘debilitating impact’ on the economy if successfully attacked is probably much larger than the universe of critical infrastructure vulnerable control systems of comparable scope. Because these IT systems clearly must be secured NIST is going to have to expend considerable effort to overcome the potential complaints/objections about the compromise of individual privacy as well as concerns about the stifling of constitutionally protected free speech.

With the need to accommodate these political issues combined with the tight time frame required by the EO for the publication of the initial Cybersecurity Framework it would be easy to see a policy decision being made that security of control systems will just have to wait for another day; especially since it can be argued that the compromise of any given control system would not produce national scale effects.

IT-Centric EO

While there is no specific language in the EO that unambiguously refers to control systems there are a number of places where IT systems are clearly identified. For example, §5 deals with “Privacy and Civil Liberties”; terms that only have meaning when associated with information technology systems. In the §7(b) discussion of the Cybersecurity Framework, the opening sentence states “including information security measures and controls” in describing the scope of the Framework. §7(c) seeks to limit the impacts of the Cybersecurity Framework “and associated information security measure or control on business confidentiality, and to protect individual privacy and civil liberties”.

EO is a Higher Level in the Security Stack

Jack’s final comment is:

“The level in the security stack at which both the EO and the CSF operate at is higher than the level at which the distinctions between IT/ICS happen and so are inclusive of both without the need to distinguish between the two in policy statements. “

If the Cybersecurity Framework is so broadly crafted that it is not necessary to distinguish between IT and ICS systems, I find it hard to believe that it will include any provisions that will address the critical vulnerabilities in control systems. While there are some cybersecurity techniques that will effectively operate on both systems, a good many of the IT security processes are actually detrimental to many ICS.

Now the folks at NIST are certainly technologically savvy enough to understand the above. That combined with the fact that the Cybersecurity Framework is supposed to be a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” {§7(b)} to cybersecurity “that is technology neutral”, so I suppose that smarter minds than mine might be able to craft something that will be general enough to cover both IT and ICS, but still provide enough information to critical infrastructure owners (owners that for the most part have not been able to apply effective cybersecurity or there would be no need for the EO) that will allow them to effectively implement the recommendations. I won’t hold my breath, but I’ll allow that it could be possible.

No comments:

/* Use this with templates/template-twocol.html */