Showing posts with label NCCIC. Show all posts

Tuesday, August 3, 2021

Review - S 2520 Introduced - State and Local Government Cybersecurity

Last week, Sen Peters (D,MI) introduced S 2520, the State and Local Government Cybersecurity Act of 2021. The bill would add additional responsibilities for CISA with regards to State and local governments. It would also provide additional coordination responsibilities for CISA’s National Cybersecurity and Communications Integration Center (NCCIC). No additional funding is authorized to support these additional responsibilities.

As I mentioned yesterday, this bill will be taken up tomorrow by the Senate Homeland Security and Governmental Affairs Committee in a markup hearing. It is hard to predict whether amendments will be considered, but I do expect to see bipartisan support for the bill. I do not, however, see this bill making its way to the floor of the Senate for consideration. There is not enough legislative meat here for the bill to take up the time to be considered under regular order. There is, however, still time to see this bill added as an amendment to HR 3684 before the final vote later this week.

For a more detailed analysis of the changes that would be made by this bill, including my suggestions for definitional changes, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2520-introduced - subscription required.

Tuesday, March 16, 2021

HR 1833 Introduced – DHS ICS Capabilities Enhancement Act

Last week Rep. Katko (R,NY) introduced HR 1833 (link is to Committee Print of bill), the DHS Industrial Control Systems Capabilities Enhancement Act of 2021. The bill is very similar to HR 5733 that was introduced in the 115th Congress and passed in the House in June of 2018. The bill would amend 6 USC 659(e)(1) to ensure that “activities of the Center [NCCIC] address the security of both information technology and operational technology, including industrial control systems” {new 659(3)(1)(I)}.

Industrial Control Systems

In addition to the amendment cited above the bill would also add a new subsection (p) to §659, Industrial Control Systems. That new subsection would require the Cybersecurity and Infrastructure Security Agency (CISA) to:

• Lead Federal Government efforts to identify and mitigate cybersecurity threats to industrial control systems, including supervisory control and data acquisition systems,

• Maintain threat hunting and incident response capabilities to respond to industrial control system cybersecurity risks and incidents,

• Provide cybersecurity technical assistance to industry end-users, product manufacturers, other Federal agencies, and other industrial control system stakeholders to identify, evaluate, assess, and mitigate vulnerabilities,

• Collect, coordinate, and provide vulnerability information to the industrial control systems community by, as appropriate, working closely with security researchers, industry end-users, product manufacturers, other Federal agencies, and other industrial control systems stakeholders, and

• Conduct such other efforts and assistance as the Secretary determines appropriate.

Moving Forward

Katko, and a number of his bipartisan cosponsors, are members of the House Homeland Security Committee to which this bill was assigned for consideration. The fact that Katko is the Ranking Member of the Committee and Rep Thompson (D,MS) is the Chair explains the early consideration (markup this coming Thursday) of this bill by the Committee. The bill is almost certain to receive widespread bipartisan support in Committee and by the Full House. The bill will be considered in the near future by the House under the suspension of the rules process.

Commentary

First off, it should be obvious to those that follow the control system security activities of CISA that this bill does not actually cause the Agency to undertake any new actions. It merely codifies the authority of CISA to do what it has been doing for quite some time. That could, however, be important in any period of budget constraint; agencies would be more likely to cut back programs and processes that have not been specifically authorized by Congress.

While this bill is similar to HR 5733 there are some interesting changes. First, for clarity’s sake, the section numbering is different because Congress rewrote much of 6 USC when it stood up CISA as a separate agency within DHS back in November of 2018. For more substantive changes we need only look at the new subsection (p) in comparison to the same addition in the engrossed version of HR 5733.

First, in (p)(1) the new version does not contain the phrase ‘in coordination with relevant sector specific agencies,’ following the opening word ‘lead’. This would reinforce the status of CISA as the lead agency for cybersecurity concerns in industrial control systems. This is further reinforced by adding the phrase ‘other Federal agencies’ to the list of entities to which CISA would be required in (p)(3) to provide technical assistance. This reinforcement is extended again in (p)(4) where the same phrase is added to the list of entities in the ‘industrial control system community’ that CISA would be expected to work with in collecting, coordinating, and providing vulnerability information.

As I was with HR 5733, I am concerned that the bill did not modify the subsection (c), Functions, portion of §659 to specifically address the industrial control system support outlined in the new subsection (p). While there are numerous mentions of similar cybersecurity responsibilities, all of the mentions use terms defined in §659(a) that rely on the IT-restrictive definition of information systems. If Congress is not going to address those definitional issues (and that is probably considered by the crafters of this bill as being beyond the scope of the legislation) then they should have included adding a subsection to §659(c) like this:

“(12) supporting the cybersecurity operations of industrial control systems as outlined in (p).”

Sunday, May 13, 2018

HR 5733 Introduced – ICS Cybersecurity


Last week Rep Bacon (R,NE) introduced HR 5733, the DHS Industrial Control Systems Capabilities Enhancement Act of 2018 (Note: the link is to a Committee draft of the bill not the official GPO version). The bill would amend 6 USC 148 to provide specific requirements for the National Cybersecurity and Communications Integration Center (NCCIC) to address industrial control system security issues.

Section 148 Amendments


The bill would make two specific amendments to §148. First it would add to the list of principles outlined in paragraph (3)(1) the following language: “activities of the Center address the security of both information technology and operational technology, including industrial control systems;”.

Second the bill would add a new paragraph (f) that would require the NCCIC to “maintain capabilities to identify and address threats and vulnerabilities to products and technologies intended for use in the automated control of critical infrastructure processes.” This would specifically include requirements to:

• Lead, in coordination with relevant sector specific agencies, Federal Government efforts to identify and mitigate cybersecurity threats to industrial control systems, including supervisory control and data acquisition systems;
• Maintain cross-sector incident response capabilities to respond to industrial control system cybersecurity incidents;
• Provide cybersecurity technical assistance to industry end-users, product manufacturers, and other industrial control system stakeholders to identify and mitigate vulnerabilities; and
• Conduct such other efforts and assistance as the Secretary determines appropriate.

Moving Forward


Bacon and both of his cosponsors {Rep. McCaul (R,TX) and Rep. Ratcliffe (R,TX)} are members of the House Homeland Security Committee to which this bill was assigned. The bill is currently scheduled to be marked up by that Committee on Wednesday. While there are no Democratic sponsors for the bill, I expect that it will receive bipartisan support in the Committee and on the floor of the House. It would likely be considered under the suspension of the rules provisions in the House (limited debate, no floor amendments).

Commentary


While I certainly applaud the addition of control system language to this bill, the lack of a definition and changes to other definitions in §148 is likely to cause problems down the road. I would like to offer this definition for addition to §148(a):

Industrial Control System - The term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes including but not limited to: manufacturing, transportation, access control, and facility environmental controls;

Additionally, the following existing definitions need revision:

Cybersecurity Risk - The term ‘cybersecurity risk’ means:

(A) threats to and vulnerabilities of information, information systems, or control systems and any related consequences caused by or resulting from unauthorized access, use, disclosure, degradation, disruption, modification, or destruction of such information, information systems, or control systems, including such related consequences caused by an act of terrorism; and

(B) does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement;

Incident - The term ‘incident’ means an occurrence that actually or imminently jeopardizes, without lawful authority:

(A) the integrity, confidentiality, or availability of information on an information system,

(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, or

(C) an information system or a control system;

I am disappointed that there was no specific mention of cyber emergency response teams, either US-CERT or ICS-CERT. This bill would have been a good place to add mention of them in §148(d)(1)(C). With the addition of industrial control systems to the areas of NCCIC oversight the mention of ICS-CERT would certainly be appropriate, and that mention could not be made without also including US-CERT.

Finally, I am astounded that this bill did not modify the ‘functions’ of the NCCIC, as outlined in §148(c). If the definitions I suggested above were made, at least part of that problem would be corrected because of the frequent references to ‘cybersecurity risk’ and ‘incidents’. Even so, the language of §147(c)(7) would still need to add mention of industrial control systems to ensure that the NCCIC appropriately addresses the cybersecurity issues associated with control systems.

Monday, January 15, 2018

ICS-CERT Publishes November-December 2017 Monitor

Today the DHS ICS-CERT published the last ICS-CERT Monitor (for November and December of 2017). According to the opening editorial the next issue will become the NCCIC (National Cybersecurity and Communications Integration Center) Monitor, which will be broadened to include reporting from the three divisions of the NCCIC (ICS-CERT, NCC, and USCERT).

This issue continues the ‘color glossy’, corporate report feel (with 10 full-color photographs) that I have grown to dislike and disparage. While any organization deserves to be proud of its accomplishments, and government agencies have a special duty to provide information about what they are doing, the flashy graphics and photographs of industrial facilities have a tendency to make this look more like an organizational selfie that is designed to make the agency feel good about itself.

Physical Security Issues


Even when the reporting is on a topic of interest to critical infrastructure owners and operators, there are some glaring inconsistencies in the information being reported. For example, in the article on the FY 2017 Assessment Summary, the opening paragraph (pg 4) reports that: “While the assessment teams identified weakness across all control families, six categories represented roughly 33 percent of the [753] total vulnerabilities discovered across assessed CI sectors.”

The article then went on to describe the number 4 vulnerability category, physical access control. It notes that:

“Maintaining visibility in the top discoveries this year were problems related to physical access. While this is not something the ICS-CERT focuses on during assessments, the team often sees this issue during assessments. ICS components and infrastructure should only be accessible to authorized personnel as necessary to maintain the system.”

There are two disturbing aspects about that “not something the ICS-CERT focuses on during assessments”. The first is the probability that if ICS-CERT had formally included ‘physical access’ in the assessment process, they might have (probably would have) found many more disturbing instances of poor physical security of control system devices. The second (and more disturbing to my mind) is the fact that ICS-CERT found the same problems in their FY 2016 assessments, AND DID NOT FORMALLY ADDRESS THE PROBLEM IN THE ASSESSMENT PROCESS IN 2017. The first is the result of a not unusual disconnect between cyber security and physical security personnel; a problem that certainly needs to be addressed. The second is a criminally negligent level of professional malfeasance upon the part of ICS-CERT.

ICS-CERT and NCCIC


As I alluded to in the opening paragraph, the editorial leading the publication addresses the changing roles of the NCCIC and its constituent divisions. Specifically, it reports that:

“Recently, the NCCIC went through an organizational realignment to consolidate and enhance the effectiveness of its mission-essential functions, which includes changes to the structures of the ICS-CERT, NCC, and USCERT divisions. This realignment has no impact to the technical expertise and services our stakeholders rely on us to provide….”

There have been a couple of interesting social media conversations about this ‘realignment’ (see here for example). For those of us on the outside looking in, it is really hard to tell what is going on. Having said that, I would like to point to the NCCIC web site (updated on June 22nd, 2017) and its description of ICS-CERT:

“ICS-CERT works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts among Federal, state, local, and tribal governments and control systems owners, operators, and vendors. Cybersecurity and infrastructure protection experts from ICS-CERT provide assistance to owners and operators of critical systems by responding to incidents and helping restore services, and by analyzing potentially broader cyber or physical impacts to critical infrastructure. Additionally, ICS-CERT collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures.”

Looking at it from Columbus, GA, it seems as if ICS-CERT is definitely continuing with its vulnerability coordination and reporting role. What is less clear is whether or not it is going to be the go-to Federal agency for incident reporting and investigation. It seems to me that with the rise in apparent nation-state attacks and economic attacks (ransomware) on control systems, it is going to be more important to have criminal investigative or federal intelligence agencies more involved in incident response rather than an agency of techno-geeks who may be more suited to understanding the nuts and bolts of an attack, but are probably less familiar with forensic reporting or courtroom testimony.


Forensic reporting and effective testimony are more necessary for successfully prosecuting attackers than for protecting control systems from future attacks. Letting the techno-geeks muddy the waters of chain-of-custody and forensics reporting will likely make prosecutions more difficult, but will help other organizations learn how to deal with similar attacks. It is an interesting dichotomy that needs to be addressed in appropriate congressional forums.

Friday, March 3, 2017

S 412 Introduced – Cybersecurity Coordination

Last month Sen. Peters (D,MI) introduced S 412, the State and Local Cyber Protection Act of 2017. The bill would require the National Cybersecurity and Communications Integration Center (NCCIC) to provide cybersecurity assistance to State and local government organizations. This bill is very similar to S 2665 that was introduced in the 114th Congress; no action was taken on the earlier bill.

The Assistance


The bill would amend 6 USC 148 by adding a new paragraph (n), State and Local Coordination on Cybersecurity. It would require the Center (where practicable) to {new §148(n)(1)}:

• Assist State and local governments in identifying information system vulnerabilities;
• Assist State and local governments in identifying information security protections commensurate with cybersecurity risks and the magnitude of the potential harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information systems or stored information;
• Provide and periodically update via a web portal tools, products, resources, policies, guidelines, and procedures related to information security;
• Coordinate a nationwide effort to ensure effective implementation of tools, products, resources, policies, guidelines, and procedures related to information security to secure and ensure the resiliency of State and local information systems;
• Provide operational and technical cybersecurity training to State and local government and fusion center analysts and operators to address cybersecurity risks or incidents;
• Provide privacy and civil liberties training to State and local governments related to cybersecurity;
• Provide, upon request, operational and technical assistance to State and local governments to implement tools, products, resources, policies, guidelines, and procedures on information security;
• Assist State and local governments to develop policies and procedures for coordinating vulnerability disclosures procedures consistent with international and national standards in the information technology industry;
• Ensure that State and local governments are made aware of the tools, products, resources, policies, guidelines, and procedures on information security developed by the Department and other appropriate Federal departments and agencies for ensuring the security and resiliency of Federal civilian information systems.

Moving Forward


Peters is a member of the Senate Homeland Security and Governmental Affairs Committee to which this bill was assigned for consideration. This may mean that he has enough influence to ensure that this bill is considered in Committee. This version was introduced much earlier in the session so it may actually be considered.

There is nothing in the bill that would engender any significant opposition. If the bill does make it to consideration it should be able to pass with substantial bipartisan support.

Commentary


This bill still does not contain any mention of control system security. State and local governments operate a wide variety of control systems (traffic control systems, utility control systems and security control systems to mention a few) and the security of those systems is becoming increasingly important.

This bill frequently mentions the term ‘information security’. Since this bill amends §148 it relies on the definition of that term found in §148(a)(5) which refers back to the very limited, IT-based definition found in 44 USC 3502(8) instead of the broader, ICS-inclusive definition of the term found in 6 USC 1501(9). Simply changing the reference to the newer definition would extend the requirements of this bill to industrial control system security issues.


There are a wide variety of new requirements in this bill that will require personnel, time and materials to effect. Unfortunately, as is common in much legislation, there are no provisions in the bill for providing additional monies to fulfill these requirements. This means that any efforts made by the NCCIC to meet the requirements of this bill would have to draw down existing efforts in other areas of its operation. Where Congress does not provide guidance as to where this funding comes from, it is relying on the Executive Branch to make those decisions. This ultimately allows congress critters to complain about budgetary decisions without having to make those decisions themselves; just keep adding requirements and do not worry about paying for them. That is a great political game….

Wednesday, July 6, 2016

HR 5459 Introduced – Cybersecurity Information Sharing

Last month Rep. Donovan (R,NY) introduced HR 5459, the Cyber Preparedness Act of 2016 [Note: there is currently something wrong with this link at the GPO, alternative text of bill here]. The bill makes minor revisions to the Homeland Security Act of 2002 to enhance cybersecurity information sharing.

Fusion Centers and NCCIC


Section 2(1) of the bill would add ‘cybersecurity risk information’ to the list of types of information designated in 6 USC 124h(b)(6) and (b)(8) to be shared with fusion centers by DHS. Additionally, the same ‘cybersecurity risk information’ would be added to the list of types of information in §124h(d)(1) for which DHS would be required to “assist law enforcement agencies and other emergency response providers of State, local, and tribal governments and fusion center personnel in using information within the scope of the information sharing environment”.

Section 2(2) of the bill would amend 6 USC 148 addressing the information sharing responsibilities of the National Cybersecurity and Communications Integration Center (NCCIC). It would add fusion centers to the information sharing requirements of §148(c)(5)(B).

Grants


Section 3 of the bill would amend 6 USC 609 by adding “enhancing cybersecurity, including preparing for and responding to cybersecurity risks and incidents” to the list of permitted uses at §609(a) for which grants under the Urban Area Security Initiative or State Homeland Security Grant Program can be used.

As is fairly typical no additional funding is provided for either grant program.

Moving Forward


Donovan and all three of his cosponsors {McCaul (R,TX), Ratcliffe (R,TX), and Payne (D,NJ)} are influential members of the House Homeland Security Committee. That means that this bill has a good chance of moving forward through the committee review process. In fact, shortly after the bill was introduced, it was approved without amendments by the Emergency Preparedness, Response, and Communications Subcommittee.

There is nothing in this bill that would draw any sort of organized opposition. If the bill makes it to the floor of the House it would almost certainly be approved under the suspension of the rules procedure. The only question is if there is enough interest in the bill to get it to the floor of the House for consideration in the limited time remaining in the session.

Commentary


This is the type of ‘i-dotting and t-crossing’ legislative work that needs to take place to ensure that everyone has the appropriate authority to carry out legislative mandates that have been previously passed. Unfortunately, in this case, problems with the underlying definitions that are critical to the intent of the legislation are not addressed.

In this case we go back to the problem of the definition of ‘cybersecurity risk’. There is no definition of the term in §124h, so we are still left with the lack of any real authority to share cybersecurity risk information within the fusion center environment. In §148 we do have a definition {§148(a)(1)}, but it is one of those definitions that narrowly defines the term just with respect to IT systems. So again, we technically have no authority for the NCCIC to share information about cybersecurity risks that apply uniquely to industrial control systems.


Finally, as I have mentioned numerous times, expanding the allowable uses of federal grant monies is all well and good as long as the amount of available funding is also increased. In cases like the one here in this bill where that money pool is not enlarged, the expansion of the allowable uses has the direct effect of decreasing the money available to the existing list of potential grant uses. This means that grants will either be smaller (and less useful) or fewer grants for existing programs will be approved. Either may be a perfectly legitimate outcome, but there is no discussion of those consequences when bills like this are discussed.

Thursday, August 14, 2014

S 2519 Reported in Senate – NCCIC Act

On the last real day of Senate activity before the current recess the Senate Homeland Security and Governmental Affairs Committee ordered the publishing of their report on S 2519, the National Cybersecurity and Communications Integration Center Act of 2014. As I reported in my original blog posting on this bill, this bill was ordered reported the day after its introduction by HSGAC Chair Carper (D,DE).

There was one amendment made to the bill during the markup hearing (.PDF Download link) on June 25th; an amendment by Sen. Johnson (R,WI). That amendment {§3(b)} clarifies that the legislation does not provide any new authority for the Secretary of Homeland Security to “promulgate regulations or set standards relating to the cybersecurity of private sector critical infrastructure”.


Writing and publishing a committee report in just 30 days (for a non-appropriations bill) is pretty quick in the Senate. That, combined with ensuring that the report was ordered printed before the recess, probably indicates that at least Sen. Carper expects this bill to come to the floor of the Senate early after the return of the Senate in September. We will just have to wait and see if Sen. Reid (D,NV) shares that intention.

Friday, October 26, 2012

NSTAC Teleconference Announced – 11-05-12


Today DHS published an announcement in the Federal Register (77 FR 65393) for a teleconference of the President’s National Security Telecommunications Advisory Committee (NSTAC) on November 5th, 2012. The NSTAC advises the President on matters related to national security and emergency preparedness (NS/EP) telecommunications policy. This teleconference is a public meeting.

The Agenda


There are three items on the current agenda; two subcommittee updates (no action expected) and the approval of a letter report to the President. The subcommittee reports address:

• The Nationwide Public Safety Broadband Network Subcommittee is examining the national security/emergency preparedness implications of the NPSBN and how to allow priority access during national security events; and

• The Secure Government Communications Scoping Subcommittee is looking at the use of commercial-off-the-shelf technologies (COTS) to secure unclassified government agency communications.

During the period of June to September of this year the NSTAC conducted a review of the operations of the DHS National Cybersecurity and Communications Integration Center (NCCIC). According to the notice the purpose of the study was to determine whether the NCCIC has developed in ways consistent with previous NSTAC recommendations. A letter report has been prepared for review and approval.

Another Late Announcement


This is the third announcement of a DHS NPPD sponsored meeting that was not published within the 15-day time limit required by government regulations; this was published 10 days before the meeting so it does provide more advance notice than the previous two. And the reason does appear to be more legitimate:

“A notice of the meeting of the NSTAC is being published in the Federal Register with less than 15 days notice due to an effort to assure the accuracy and validity of the NSTAC meeting agenda and contents. NSTAC changes in leadership and stakeholder approval of the NSTAC meeting discussion points created a longer than usual adjudication process.”

If it weren’t for the two previous very short-term notifications (three days in one case) by NPPD, this probably would not be worth mentioning. And this is a teleconference, so no one has to make travel and lodging arrangements to attend this meeting. Having said that, the final sentence of this notice bothers me:

“Although the meeting notice was published in the Federal Register late, the agenda will be published on the NCS Web site: www.ncs.gov [presumably by the October 30th date mentioned in the notice - PJC] and an email will be sent out to the NSTAC Members.”

This ignores one of the main purposes of requiring that a 15-day notice be published in the Federal Register. That is to inform the public so that they may participate in/observe the deliberations of this private body that provides information and insights to the President. Again, not such a big deal since this is a teleconference, but the attitude bothers me.

Public Participation


The public can listen in on these deliberations (register with Ms Gallop-Anderson via email - deirdre.gallop-anderson@hq.dhs.gov) by 5:00 pm EST on October 29th, 2012. There will be a public comment period at the end of the meeting and registration is also required for that. Documents associated with this meeting will be posted on the NSTAC web site by October 30th. Written comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # DHS-2012-0063) and must be received by November 19th, 2012; way too late for consideration during the teleconference.

Monday, May 2, 2011

ICS-CERT Publishes Phishing Advisory

This afternoon the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) posted a copy of an advisory published by the National Cybersecurity and Communications Integration Center (NCCIC) on the potential for cyber criminals/attackers to be using phishing attacks related to the assassination of Osama Bin Laden yesterday. Actually, any high-profile news story, including last week’s tornado outbreak, can serve as a phishing lure.

The NCCIC advisory gives a brief overview of the ‘phishing’ and ‘spear phishing’ processes. Most importantly they provide a number of brief descriptions of actions that every internet user can use to help protect themselves from this type of attack. The list includes (with a bit more information):

● Be wary of unsolicited attachments, even from people you know

● Keep software up to date

● Trust your instincts

● Save and scan any attachments before opening them

● Turn off the option to automatically download attachments

● View emails in “Plain Text”

Protecting the individual from phishing attacks is a very important component of protecting an organization from the types of advanced persistent attacks that are apparently becoming more common. Compromising a single computer behind the corporate firewall, particularly one with access to control systems, provides a method for attackers to wander through the soft underbelly of the cyber systems.

Cyber security managers (both IT and ICS) would do well to download and copy this alert to every member of their organization that has an email account. Just let everyone know that the file is coming in a separate communication; compromised .PDF files are one of the current favorite vehicles for introducing malware.