There is an interesting
article over at SCMagazineUK.com about the establishment of an emergency
response service for cybersecurity events. It isn't really a unitary service,
but rather a certification process for private sector organizations that provide
the service. This "service" is for organizations in the UK, but there is no
reason that such a service couldn't be established here. This is a quick look
at some of the things that would have to be included in the certification
process for such a service here in the US.
CFATS Customers
There are two different types of regulated organizations
that might use this service that would require additional certification
verifications before they could use the offered services; chemical facilities
regulated under CFATS and defense industrial base organizations. Both types of
organizations would almost certainly require personnel surety vetting of any
investigators allowed access to covered computer systems.
Any computer system that has been identified as a critical
system under a chemical facility's site security plan (and this would almost
certainly include any control system used in the manufacture or handling of DHS
chemicals of interest (COI)) would be covered under the requirement for a
background check. CFATS rules require that anyone with unaccompanied access to
a critical system has to undergo a background check, including vetting against
the Terrorist Screening Database (TSDB).
I would argue that any access to a covered control system
(or information system for that matter), especially the level of access
required for an emergency response to an attack on such a system, would have to
be considered ‘unaccompanied’ even if a control system engineer was sitting
right beside the cyber-responder the whole time he had access to the system.
Access to an information system at a CFATS facility that
contained information about the CFATS program implementation would also require
that anyone given access to that system be certified by DHS for
access to Chemical-Terrorism
Vulnerability Information (CVI). This requirement could be avoided if all CVI
were held on a non-networked computer.
DIB Customers
Many defense industrial base organizations store or have
access to classified information. Any computer systems that house such
information would require a security clearance to access. It could also be
argued that systems that contained sensitive unclassified information would
require special vetting of personnel before they were given access to such
systems.
ICS-CERT
For the control system side of things, this is the type of
thing that the ICS-CERT flyaway teams routinely do. Of course, there are a
number of private organizations that do similar work, and I am not sure that we
can continue to justify this work by ICS-CERT in view of that fact. I know that
there have been some objections raised about the 'unfair' competition provided
by ICS-CERT. Additionally, the ICS-CERT team is relatively small, and I doubt
that it could handle any significant increase in taskings for this type of
response.
I would assume that ICS-CERT teams do have the requisite
clearances to handle the DIB cases, though I would suspect that there is a DOD
team that would handle this type of activity for DOD associated organizations.
I would be surprised if the ICS-CERT people were not already
vetted in a manner that would be acceptable to the folks at ISCD for CFATS covered
facilities. For CFATS related organizations I might suggest that ISCD and
ICS-CERT establish an MOU that would specifically allow CFATS facilities to
contact ICS-CERT for suspected control system attacks without the need for
worrying about vetting the flyaway team for unrestricted access to those
control systems.
Existing Private Vendors