When I reviewed HR 54, the Frank Lautenberg Memorial Secure Chemical Facilities Act, I did not go into any great detail because the bill is dead in the water. I saw a tweet yesterday from @5ean5ullivan that made me go back and look at one section much more closely. It seems that Rep. Jackson-Lee (D,TX) wants covered chemical facilities to employ hackers to check out their cybersecurity.
Cybersecurity Requirements
Section 2111(b)(6) requires: “the conduct of tests of facilities should include blue hat, red hat, and white hat hackers to validate the security measures instituted to address cyber based threats”.
Interestingly, this requirement does not come in the portion of the legislation that discusses site security plans or risk-based performance standards for security measures. Instead it is found in the section of the bill that deals with Methods to Reduce the Consequences of a Terrorist Attack, commonly referred to as inherently safer technology (IST).
In the discussion of the required assessment of IST measures, §2111(b) describes the various things that a facility must look at in conducting its assessment. In an apparent afterthought (and certainly never included in earlier versions of Democrat bills on chemical security) are two sub-paragraphs dealing with cybersecurity issues.
The first requires: “the design of computing systems and development of plans, exercises, and drills to re-engage computing systems used in the processing, transport, storage of chemicals that are designed [should be ‘designated’] as a ‘‘risk’’ by the Secretary using protocols for trusted recovery under the worse case [worst case?] conditions” {§2111(b)(5)}.
This certainly sounds like a reasonable requirement, but it probably should have been included in §2103(d)(8), the discussion of deterring cyber sabotage in the risk-based performance criteria that would be required by this bill.
The requirement to use hackers described above is also out of place in the discussion of IST requirements. I am not so sure, however, that this was intended to be part of the planning requirements for facility security plans. It actually looks like it should have been included in §2104, Site Inspections. If that were the case it would call for DHS to use hackers to evaluate the cybersecurity protections that are part of the site security plan. That would be a radically new type of cybersecurity requirement that I have not seen suggested in any other regulatory program.
Problems with Hacker Requirement
Now I understand how this might sound like a good idea to some congress critter. This would seem to be the only way to verify that proper protective actions have been taken. But as a practical matter, this will cause more problems than it could possibly solve. Before we get into any of the technical reasons why this is not a good idea, we only need to look at the lack of personnel able to do this type of hack. There are probably not 100 people world-wide familiar enough with control systems to conduct such an evaluation, and I would venture to guess that none of them are familiar enough with all of the different types of control systems and components to be able to do a complete evaluation.
Secondly, as many recent presentations have pointed out (see my post here and upcoming posts on DigitalBond.com from S4x15), it will take a team of people, various control systems experts and chemical engineers, to cause catastrophic damage at a chemical facility. This is, in many ways, good news, as it is unlikely that the average terrorist group (particularly home-grown terrorists) will have that level of expertise available to conduct such an attack.
Finally, no chemical facility owner/operator is going to allow any outsider to hack into a live control system involved with the handling, storage or manufacture of hazardous chemicals. The potential for problems is just too high. And taking a system down to allow for such an evaluation off-line is just too costly for most chemical facilities.
Congress and Cybersecurity
It is good to see that Congress is starting to seriously think about cybersecurity. But provisions like this hacker requirement show just how far removed from reality too many of these congress critters really are. It will be interesting to see how many problems Congress tries to institute as it addresses the complicated problem of cybersecurity.
3 comments:
Does section 2111 really require "red hat hackers?" I was under the impression red hat referred to a Linux operating system rather than a type of hacker.
Congressional typo?
I think that they may have meant 'red team?' You never can tell.
Great blog coverage.
On the topic of limited ICS capable hackers for pen testing. I'm concerned there's a common misconception by government, industry and the public that the ICS is the vulnerability of the system. Stuxnet, the German incident, etc. all entered via social engineering, over business machines likely running Windows. Those attacks pivoted to different equipment but the point of entry was basic.
I'm not sure if a pen test needs a DEF CON expert to walk a facility control room and ask what computers control various aspects. Ask what security features those computers have to mitigate social engineering Trojans (updates implemented, personal email/website restriction, USB port restriction, etc.). The inspection could be handled without endangering the active systems, but could greatly benefit from onsite vision/communication.
To date I'm only familiar with two public cases that directly bypassed the business computers. One was an Australian municipal facility and the 2nd was a Russian pipeline. They appear to represent a small fraction.