Thursday, July 19, 2018

Classified ICS Security Information

There is an interesting discussion that has been taking place for a couple of days now over on LinkedIn. It was initiated by Isiah Jones from LEO Cyber Security. A lot of the response has been targeted at Isiah’s confrontational language, but the really important takeaway is that Isiah thinks/knows(?) that there is classified information available about threats to industrial control systems in critical infrastructure in the United States. Now Isiah is being necessarily vague about the information, but the discussion is important nonetheless.

Now I have not had access to classified information of any sort since I left the military a goodly number of years ago. My TS clearance is certainly not in force after this time and I have not had the necessary ‘need to know’ for access in any case. Having said that, I am absolutely certain that such classified information exists and that it is unlikely to get into the hands of many of the people who could actively use that information to protect their facilities against serious nation-state level threats.

All is not lost, however. More about that later in the post.

The Need for Secrecy

Contrary to the beliefs of my friends in the black helicopter set, there are many legitimate reasons for the intelligence community (IC) to keep threat information classified. In most cases, the need to protect future access to critical information is more important than the need to share the current information; this is best exemplified by the Coventry-Ultra controversy from WWII. In other cases, the ‘knowledge’ is either so incomplete as to be useless (the Russians want to be able to attack the power grid) or the level of confidence in the information is so low that the intelligence community does not want to be accused of crying wolf.

Information Sharing Problems

Even when the IC is willing to share information, it is not easy to get the information to the correct people. First off, the information is going to be classified, so the person receiving the information needs to be properly vetted to receive classified information. Anyone familiar with this process knows that it is tedious and time consuming.

If the IC waits until they know who will need a specific piece of information before the vetting process begins, the information will probably be worthless by the time the process is complete; the classic case of closing the barn door after the animals have gotten out. If you vet everyone who might need access to some specific piece of classified information at some unknown future time, you end up clogging the vetting system even further with probably unnecessary vetting requests.

Even if the appropriate people have the necessary security clearances, getting them the appropriate information in a secure manner is also a problem. Even if secure messaging apps are used to protect the information in transit, the receiving device has to have minimum levels of security to prevent the information from getting into the wrong hands. Those security measures are expensive; too expensive to set up and maintain on the off chance of needing to receive classified information at some unknown point in the future.

This whole thing is further complicated by the fact that within the receiving organization, the information still needs to be protected during the internal sharing process. Everyone that needs access to the information to put proper protections in place needs to be vetted, their communications need to be protected, and many of their working files will be derivatively classified and need similar protections. This stuff gets very complicated; just ask anyone that has done operation planning in the military.

An alternative that many people have advocated (and I am certainly one) is for the IC to produce unclassified versions of their intelligence information to make the sharing process easier. I did this at the tactical intelligence level in one of my military jobs. It is time consuming to try to extract usable information from an intelligence report and then get that unclassified version vetted to ensure that means and methods are not inadvertently disclosed. Usually, the resulting product is useful for background purposes only, providing little or no information that allows for direct reaction by the recipient.

So, What to Do?

So, all is not lost. The IC can tell (and has told) us that adversaries are targeting control systems in critical infrastructure and have sophisticated techniques for doing so. The specific attack vectors are not necessarily important (as other attack vectors will certainly be used in future attacks). What is important to know is that nation-state level actors are involved and thus will ultimately get through the defenses of any target they are really interested in attacking; THERE IS NO SUCH THING AS A SECURE SYSTEM.

First off, facilities need to determine what they really need to protect to survive and thrive. Information that would significantly hurt the company if it found its way into the hands of competitors or other adversaries needs to be encrypted at rest and in transit. Portions of control systems that are necessary for safety and quality control need to be isolated to the greatest extent possible. Where complete isolation is not possible for whatever reason, communications between the critical portions and other networks need to be closely monitored for anomalies. Where safety effects could be felt outside the facility, additional controls need to be implemented that are physically separated from the control network and analog safety measures should be established whenever possible.
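One way to implement the boundary monitoring described above, as an added example that is not part of the original post: a baseline of the only conversations permitted between the isolated safety segment and the rest of the plant, applied to constructed flow records. The zone addresses, the two baseline conversations, the "src dst dport" record format and the sample flows are all assumptions for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed zone map for a hypothetical facility (assumed addresses).
ZONES = {
    "safety":    ipaddress.ip_network("10.10.1.0/24"),   # safety-critical controllers
    "control":   ipaddress.ip_network("10.10.2.0/24"),   # PLCs and HMIs
    "corporate": ipaddress.ip_network("10.20.0.0/16"),   # business network
}

# Assumed baseline: the only conversations allowed to cross the safety boundary,
# as (source zone, destination zone, destination port). Everything else is an anomaly.
BASELINE = {
    ("control", "safety", 502),   # Modbus/TCP polling from the control network
    ("safety", "control", 514),   # syslog from safety controllers to the collector
}

Flow = namedtuple("Flow", "src dst dport")

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def classify(flow):
    """Return None for an expected flow, otherwise a short reason for the alert."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if "safety" not in (s, d) or s == d:
        return None                      # never crosses the safety boundary
    if (s, d, flow.dport) in BASELINE:
        return None
    if "corporate" in (s, d) or "external" in (s, d):
        return f"{s}->{d}:{flow.dport} crosses safety boundary from outside the control network"
    return f"{s}->{d}:{flow.dport} not in safety-boundary baseline"

def parse_flows(lines):
    """Parse constructed 'src dst dport' records; malformed lines are skipped."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            flows.append(Flow(parts[0], parts[1], int(parts[2])))
    return flows

def find_anomalies(lines):
    """Return [(flow, reason)] for every record that breaks the baseline."""
    return [(f, classify(f)) for f in parse_flows(lines) if classify(f)]

SAMPLE = [                              # constructed flow records
    "10.10.2.15 10.10.1.5 502",         # HMI polling a safety controller: baseline
    "10.10.1.5 10.10.2.50 514",         # safety controller syslog: baseline
    "10.20.3.7 10.10.1.5 502",          # corporate host reaching a safety controller: alert
    "10.10.2.15 10.10.1.5 44818",       # unexpected port from the control zone: alert
    "10.10.2.15 10.10.2.16 502",        # control-to-control, out of scope
]
```

The same table drives a firewall rule set on the segment boundary; keeping the detector's baseline and the firewall's allow list identical is what makes an alert meaningful.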

Finally, a reaction plan needs to be firmly in place for all worst-case scenarios. The plan needs to assign specific responsibilities and identify any outside resources that need to be contacted, how that contact is to be made (with at least one alternative communications method identified), and who will make the contact. And, most importantly, those outside resources need to know in advance their roles in responding to an emergency event at the facility. That reaction plan needs to be trained and tested on a recurring basis.

Folks, none of this is new. We have been doing fire drills since we were little kids. We take precautions to prevent fires but recognize that fires can happen nonetheless. We install sprinkler systems and place fire extinguishers at key locations. At facilities where we have an unusually high threat of fire because of combustible materials, we take additional precautions and put additional reactive measures in place. We need to extend that same mindset to control system security.
