Monday, November 18, 2013

Cyber Attack Emergency Services

There is an interesting article over at about the establishment of an emergency response service for cybersecurity events. It isn’t really a unitary service, but rather a certification process for private sector organizations that provide the service. This “service” is for organizations in the UK, but there is no reason that such a service couldn’t be established here. This is a quick look at some of the thing that would have to be included in the certification process for such a service here in the US.

CFATS Customers

There are two different types of regulated organizations that might use this service that would require additional certification verifications before they could use the offered services; chemical facilities regulated under CFATS and defense industrial base organizations. Both types of organizations would almost certainly require personnel surety vetting of any investigators allowed access to covered computer systems.

Any computer system that has been identified as a critical system under a chemical facility’s site security plan {and this would almost certainly include any control system used in the manufacture or handling of DHS chemicals of interest (COI)} would be covered under the requirement for a background check. CFATS rules require that anyone with unaccompanied access to a critical system has to undergo a background check including vetting against the Terrorist Screening Database (TSDB).

I would argue that any access to a covered control system (or information system for that matter), especially the level of access required for an emergency response to an attack on such a system, would have to be considered ‘unaccompanied’ even if a control system engineer was sitting right beside the cyber-responder the whole time he had access to the system.

Access to an information system at a CFATS facility that contained information about the CFATS program implementation would also require that anyone given access to that system would have to be certified by DHS for access to Chemical-Terrorism Vulnerability Information (CVI). This could be avoided if all CVI information were held on a non-networked computer.

DIB Customers

Many defense industrial base organizations store or have access to classified information. Any computer systems that house such information would require a security clearance to access. It could also be argued that systems that contained sensitive unclassified information would require special vetting of personnel before they were given access to such systems.


For the control system side of things, this is the type thing that the ICS-CERT flyaway teams routinely do. Of course there are a number of private organizations that do similar work and I am not sure that we can continue to justify this work by ICS-CERT in view of that fact. I know that there have been some objections raised about the ‘unfair’ competition provided by ICS-CERT. Additionally, the ICS-CERT team is relatively small and I doubt that it could handle any significant increase in taskings for this type of response.

I would assume that ICS-CERT teams do have the requisite clearances to handle the DIB cases, though I would suspect that there is a DOD team that would handle this type of activity for DOD associated organizations.

I would be surprised if the ICS-CERT people were not already vetted in a manner that would be acceptable to the folks at ISCD for CFATS covered facilities. For CFATS related organizations I might suggest that ISCD and ICS-CERT establish an MOU that would specifically allow CFATS facilities to contact ICS-CERT for suspected control system attacks without the need for worrying about vetting the flyaway team for unrestricted access to those control systems.

Existing Private Vendors

It would be interesting to hear from any vendors currently working in the emergency cyber response business to see what they are currently doing in regards to documenting the vetting of their personnel for customers or potential customers in the CFATS program of the DIB program.

No comments:

/* Use this with templates/template-twocol.html */