Today the DHS ICS-CERT published the last ICS-CERT Monitor
(for November and December of 2017). According to the opening editorial the
next issue will become the (National Cybersecurity and Communications
Integration Center) NCCIC Monitor; which will be broadened to include reporting
from the three divisions of the NCCIC (ICS-CERT, NCC, and USCERT).
This issue continues the ‘color glossy’, corporate report feel
(with 10 full-color photographs) that I have grown to dislike and disparage.
While any organization deserves to be proud of their accomplishments and
government agencies have a special duty to provide information about what they
are doing; the flashy graphics and photographs of industrial facilities have a
tendency to make this look more like an organizational selfie that is designed
to make the agency feel good about itself.
Physical Security Issues
Even when the reporting is on a topic of interest to
critical infrastructure owners and operators, there are some glaring
inconsistencies in the information being reported. For example, in the article
on the FY 2017 Assessment Summary, the opening paragraph (pg 4) reports that: “While
the assessment teams identified weakness across all control families, six categories
represented roughly 33 percent of the [753] total vulnerabilities discovered
across assessed CI sectors.”
The article then went on to describe the number 4
vulnerability category, physical access control. It notes that:
“Maintaining visibility in the top
discoveries this year were problems related to physical access. While this is
not something the ICS-CERT focuses on during assessments, the team often sees
this issue during assessments. ICS components and infrastructure should only be
accessible to authorized personnel as necessary to maintain the system.”
There are two disturbing aspects about that “not something
the ICS-CERT focuses on during assessments”. The first is the probability that
if ICS-CERT had formally included ‘physical access’ in the assessment process,
they might have (probably would have) found many more disturbing instances of
poor physical security of control system devices. The second (and more
disturbing to my mind) is the fact that ICS-CERT found the same problems in
their FY 2016 assessments, AND DID NOT FORMALLY ADDRESS THE PROBLEM IN THE
ASSESSMENT PROCESS IN 2017. The first is the result of a not unusual disconnect
between cyber security and physical security personnel; a problem that
certainly needs to be addressed. The second is a criminally negligent level of
professional malfeasance upon the part of ICS-CERT.
ICS-CERT and NCCIC
As I alluded to in the opening paragraph, the editorial
leading the publication addresses the changing roles of the NCCIC and its
constituent divisions. Specifically, it reports that:
“Recently, the NCCIC went through
an organizational realignment to consolidate and enhance the effectiveness of
its mission-essential functions, which includes changes to the structures of
the ICS-CERT, NCC, and USCERT divisions. This realignment has no impact to the
technical expertise and services our stakeholders rely on us to provide….”
There have been a couple of interesting social media
conversations about this ‘realignment’ (see here for
example). For those of us on the outside looking in, it is really hard to tell
what is going on. Having said that, I would like to point to the NCCIC
web site (updated on June 22nd, 2017) and its description of
ICS-CERT:
“ICS-CERT works to reduce risks
within and across all critical infrastructure sectors by partnering with law
enforcement agencies and the intelligence community and coordinating efforts
among Federal, state, local, and tribal governments and control systems owners,
operators, and vendors. Cybersecurity and infrastructure protection experts
from ICS-CERT provide assistance to owners and operators of critical systems by
responding to incidents and helping restore services, and by analyzing
potentially broader cyber or physical impacts to critical infrastructure.
Additionally, ICS-CERT collaborates with international and private sector
Computer Emergency Response Teams (CERTs) to share control systems-related
security incidents and mitigation measures.”
Looking at it from Columbus, GA, it seems as if ICS-CERT is definitely
continuing with its vulnerability coordination and reporting role. What is less
clear is whether or not it is going to be the go-to Federal agency for incident
reporting and investigation. It seems to me that, with the rise in apparent
nation-state attacks and economic attacks (ransomware) on control systems,
it is going to be more important to have criminal investigative or federal
intelligence agencies more involved in incident response rather than an agency
of techno-geeks who may be more suited to understanding the nuts and bolts of
an attack, but are probably less familiar with forensic reporting or courtroom
testimony.
Forensics reporting and effective testimony are more
necessary for successfully prosecuting attackers than for protecting control
systems from future attacks. Letting the techno-geeks muddy the waters of chain-of-custody
and forensics reporting will likely make prosecutions more difficult, but will
help other organizations learn how to deal with similar attacks. It is an
interesting dichotomy that needs to be addressed in appropriate congressional
forums.