Monday, March 29, 2021

CISA’s Use of Subpoena Authority

There is an interesting article over on NextGov.com about CISA’s plans to use the administrative subpoena authority it was given in §1716 of the FY 2021 NDAA (PL 116-283) to help prevent ransomware attacks on critical industrial control systems.

It appears that CISA intends to use internet-scanning tools like Shodan to search for internet-facing industrial control system components with known security vulnerabilities. Once those vulnerable IP addresses are found, CISA would subpoena the internet service providers that own the address space for the subscriber contact information behind each address, so that it can notify the system owner. The statute gives CISA no authority to compel the owner to fix anything; the subpoena only gets CISA to the point of being able to make the phone call.

The article quotes the current CISA acting director as explaining:

“We're not gonna be regulating that company,” Wales said. “But we want to be able to talk directly to the owner and say you know you've got a vulnerable system, it's out on the internet, and we found it today but tomorrow, a malicious actor could have found that, exploited it, and your system could have been down, or worse.”

It looks like CISA under the Biden administration is going to be more proactive in talking with individual companies about cybersecurity issues. We first saw this change with the letter CISA sent out to facilities covered by the Chemical Facility Anti-Terrorism Standards (CFATS) program about the Microsoft Exchange email server vulnerabilities. In that case, CISA reached out not only to the 3,000-plus facilities that are regulated under that program, but also to the 33,000-plus facilities that had submitted Top Screen reports to CISA’s Office of Chemical Security (the new name for the old Infrastructure Security Compliance Division). Those facilities were not subsequently regulated under the CFATS program, but they are still facilities of concern to OCS.

It will be interesting to see what happens when one of these internet searches turns up the systems of a CFATS-regulated facility. Under the cooperative regulatory scheme used in the CFATS program, OCS cannot issue a blanket instruction to ‘protect’ those vulnerable systems, but it could find, after an individual site review, that a particular facility was not complying with its approved site security plan.

An as-yet unused CFATS authority, 6 CFR 27.230(a)(19), could allow DHS to establish a new risk-based performance standard (RBPS) that would apply to internet-facing control systems affecting the security of the DHS chemicals of interest stored, used or produced at the facility. It is not clear whether establishing such an RBPS would require going through the rulemaking process.

There is also the potential that OCS could decide that a currently non-regulated facility with exposed industrial control systems posed a higher risk than originally determined and require it to submit a new Top Screen. That, in turn, could allow OCS, under a revised risk assessment, to determine that the facility is now regulated under the CFATS program. Again, a new rulemaking might not be required for that redetermination.
