Yesterday the Office of Management and Budget announced the approval of the TSA’s information collection request (ICR) renewal for the questionnaire used in their Pipeline Corporate Security Review (CSR) program. The 60-day request notice was published in February and the 30-day request notice in May.
The ICR
TSA and OMB both reported that the renewal request was made ‘without change’, but as I noted in my post on the 60-day request there were two changes: an increase in the number of annual reviews from 12 to 15 and a change in the annual cost burden from $11,076 to $0. The ICR request clearly identified the change in reviews but did not explain the cost change. The OMB notice explains the reason for the cost change:
“TSA's 2011 submission to OMB erroneously listed the cost of hour burden to industry in Question 13 of the supporting statement. That cost has been removed from the current submission resulting in a decrease of $11,076.48 in cost burden.”
Too bad we don’t get to see the ‘supporting statement’ to see exactly how question 13 is worded. It might explain why there are no costs to the public from most of these federal collection efforts. I’ll look into that.
Pipeline SCADA Security
One of the interesting things that we only get to see once the ICR is approved is a copy of the form that the agency provided to OMB for approval. It sure would be nice if that was publicly available during the comment process. In this case there appear to be some interesting differences between the previous form and the new form.
I don’t recall looking at the old form before today, but I took a good look at both and was both pleased and disappointed at the control system security coverage on the questionnaire. Keeping in mind that the TSA Ground Security Inspector is almost certainly not acquainted with ICS use, much less a cybersecurity expert, the questions in the SCADA section of the questionnaire provide a pretty good overview of the cybersecurity situation for the pipeline SCADA systems.
There are two questions that were added to the new questionnaire:
6. Does your corporation have a backup control center?
8. Do you restrict any remote operation of your SCADA system from portable electronic devices other than the pipeline control center?
Actually, question 8 was re-worded to reflect that by definition SCADA systems are remotely operated. I guess the TSA folks got tired of the strange looks they got when they asked the old question: “Can your corporation’s SCADA system be controlled remotely?”
The most technical question is #15: “Which of the following features does your corporation use to secure your SCADA system(s)?” It then lists the following possible security features:
• Locked facilities
• Strong passwords
• Communication gateways
• Access-control lists
• Authenticators
• Separation of duties
• Invocation of least privilege—only able to access information and resources that are necessary
• Keycards
• Access lists
• Entry logs
• Firewalls
• Demilitarized zone (DMZ)
• Intrusion-detection system
• Intrusion-prevention system
• Maintain patches
Admittedly it would take a cybersecurity specialist to review the actual implementation of these ‘features’ to ensure that they were effective, but I think most folks would agree that organizations that had all of these in place would be well on their way to having a fairly secure control system. And remember, there is no such thing as a ‘secure control system’ or a ‘secure’ anything for that matter. What one expert can secure another expert, given the time and resources, can bypass.
No Reference to ICS-CERT
The disturbing thing about this questionnaire is that there is no reference to ICS-CERT anywhere in the document. Now I understand that TSA and NPPD (the parent organization for CERT in general) are not in the same agency (Okay, if you call DHS an agency….) but there are a number of places where the questionnaire asks for other agencies that are contacted or coordinated with, and even local law enforcement is included, but not ICS-CERT.
In my opinion ICS-CERT should have been included in the possible responses to the following questions:
• Does your corporation have an ongoing relationship with the following entities/departments/agencies/organizations?
• From whom does your corporation receive threat information to assist in your SVA?
• Which of the following external agencies/organizations is on the corporation security incident, threat or suspicious activity notification list?
• Which organizations does your corporation work with during a security incident?
Oh well, maybe next time.