There was an interesting comment posted by Sintixerr (Jack Whitsitt) to my weekend post on the 2nd NIST Framework Workshop. Jack challenged some of the assumptions that I enunciated in that post, and that is always a good thing. So, I’ll take the opportunity to explain some of the reasoning further.
“Of course the NISTCSF will deal with control systems issues.”
This is the statement that starts off the comment, and one that I would like to be able to endorse completely. Unfortunately, Washington has a long history of grossly misunderstanding the differences between IT and industrial control system (ICS) security, so I am always skeptical of the intentions of politicians in this regard.
To be fair to the President, there is a phrase in the Executive Order (EO 13636) that can clearly be interpreted to mean that ICS are included:
“Sec. 2. Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
On the other hand, the argument could be made that the only control system that could have a “debilitating impact on security, national economic security, national public health or safety [emphasis added]” would be the national electrical grid. Since even that is not a single entity, the failure of any given component would probably not give rise to a national effect.
This dichotomy is the reason that I would have been much more comfortable with the ICS coverage of the EO if it had been clearly stated that control systems were to be addressed by the Cybersecurity Framework.
Why Wouldn’t Control Systems be Covered?
The universe of critical infrastructure IT systems that are capable of having a ‘debilitating impact’ on the economy if successfully attacked is probably much larger than the universe of critical infrastructure vulnerable control systems of comparable scope. Because these IT systems clearly must be secured, NIST is going to have to expend considerable effort to overcome the potential complaints/objections about the compromise of individual privacy as well as concerns about the stifling of constitutionally protected free speech.
With the need to accommodate these political issues, combined with the tight time frame required by the EO for the publication of the initial Cybersecurity Framework, it would be easy to see a policy decision being made that security of control systems will just have to wait for another day; especially since it can be argued that the compromise of any given control system would not produce national scale effects.
IT-Centric EO
While there is no specific language in the EO that unambiguously refers to control systems, there are a number of places where IT systems are clearly identified. For example, §5 deals with “Privacy and Civil Liberties”; terms that only have meaning when associated with information technology systems. In the §7(b) discussion of the Cybersecurity Framework, the opening sentence states “including information security measures and controls” in describing the scope of the Framework. §7(c) seeks to limit the impacts of the Cybersecurity Framework “and associated information security measure or control on business confidentiality, and to protect individual privacy and civil liberties”.
EO is a Higher Level in the Security Stack
Jack’s final comment is:
“The level in the security stack at which both the EO and the CSF operate at is higher than the level at which the distinctions between IT/ICS happen and so are inclusive of both without the need to distinguish between the two in policy statements.”
If the Cybersecurity Framework is so broadly crafted that it is not necessary to distinguish between IT and ICS systems, I find it hard to believe that it will include any provisions that will address the critical vulnerabilities in control systems. While there are some cybersecurity techniques that will effectively operate on both systems, a good many of the IT security processes are actually detrimental to many ICS.
Now the folks at NIST are certainly technologically savvy enough to understand the above. Combine that with the fact that the Cybersecurity Framework is supposed to be a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” {§7(b)} to cybersecurity “that is technology neutral”, and I suppose that smarter minds than mine might be able to craft something that will be general enough to cover both IT and ICS, but still provide enough information to critical infrastructure owners (owners that for the most part have not been able to apply effective cybersecurity, or there would be no need for the EO) that will allow them to effectively implement the recommendations. I won’t hold my breath, but I’ll allow that it could be possible.