When I wrote yesterday’s blog post about CISA’s retrospective cost analysis of the Chemical Facility Anti-Terrorism Standards (CFATS) program, I only did a cursory search for cybersecurity related measures before I noted: “The other area that is apparently short-changed in this assessment is the cost of cybersecurity measures.” I have since gone back and done a more organized search for discussion about cybersecurity costs associated with the program and can find nothing.
Search Methods
The first and most obvious search was for the term ‘cyber’. With just one exception, the search only turned up that word in association with the full name for CISA, the Cybersecurity and Infrastructure Security Agency. The one exception was found in a footnote (#3) on page 15:
“Each SSP consist of a series of questions for each of the following security topics: Detection; Delay; Response; Cyber; Security Management. For each of these topics, respondents are asked to provide information about a number of existing security measures. In addition to the questions about existing measures, there are questions regarding planned and proposed measures.”
I then looked for the following terms related to cybersecurity measures that one would expect to see employed in a chemical facility:
• Firewall – no matches,
• Intrusion detection – only related to facility physical security measures,
• Anti-virus – no matches,
• Network segmentation – no matches,
• System boundaries – no matches,
• External connections – no matches,
• Network – no matches,
• Control system – only related to the facility physical security ‘access control system’,
• Remote access – no matches,
• Virtual Private Network – no matches,
• Least privilege – no matches,
• Information storage media – no matches, and
• Safety instrumented systems – no matches.
Finally, I searched for the cybersecurity measures recommended in the Risk Based Performance Standard (RBPS) guidance document:
• Security policy – no matches,
• Access control – only related to facility physical security measures,
• Personnel security – no matches,
• Awareness and training – no matches,
• Monitoring and incident response – no matches,
• Disaster recovery and business continuity – no matches,
• System development and acquisition – no matches,
• Configuration management – no matches, and
• Audits – multiple mentions of non-cyber specific ‘annual internal audits’.
Commentary
While I acknowledge that the cost of many standard cybersecurity measures (network segmentation, for instance) would be difficult to estimate using the processes described in this document, the total failure to mention any cyber related security measures or costs calls the entire document into question.
I could understand this failure to address cybersecurity costs in assessments conducted by non-technical organizations, but the failure of the CYBERSECURITY and Infrastructure Security Agency to even mention cybersecurity is a complete travesty. It also raises the question of what other major areas of security were ignored in the development of this document.
This lack of cybersecurity coverage is even worse when taken together with the recent GAO report on cybersecurity issues in the CFATS program. Perhaps Congress needs to move forward with a one-year continuation of the CFATS program (the current authorization expires next month) while taking a hard look at the cybersecurity portions of the program.