Lots of action and disagreement on cybersecurity legislation in the US Government. One of the main ICS security partisan divides is around regulation of privately owned critical infrastructure. This week the White House chimed in: “National Security Council spokeswoman Caitlin Hayden said any cybersecurity legislation should include strong privacy protections and should set mandatory security standards for critical infrastructure systems, such as electrical grids and water supplies.” Similar statements were issued by Democrats Rep Langevin and Rep Thompson, and Democrats are trying to push more responsibility to DHS. The Republicans appear to be unifying, especially in the House, around bills that forgo regulation and focus on information sharing, awareness and research. These are in the Democrats' bills as well, but will the Democrats agree to the limited scope of Republican legislation or prefer nothing?
As you read two stories about ICS failures causing physical damage and safety concerns, consider that an attacker could cause these same faults. First, Veolia Water North America filed a spill notice with the state that said 2 million gallons of sewage spilled in about 2.5 hours. It said a “programmable logic controller” had failed, shutting down pumps and controls. That caused sewage to back up in the facility, and eventually to Stewart’s Drain and the Tijuana River. Second, a bad valve that allowed hydrocarbons to slip into the wrong tank was the cause of a fire at the HollyFrontier refinery last year.
Greentechgrid reports that venture funding for smart grid startups continues to dip from last year. VCs are coming to terms with the fact that utilities are slow to adopt new technologies and subject to all kinds of reversals from customers and regulators. It's not all bad news: acquisitions of smart grid companies are up.
The PBS Newshour had a segment on the DETER lab and talked a fair amount about ICS security. The DHS S&T group helps fund DETER, which is a large network that can be used for research simulations. Since we got funding from S&T for Quickdraw, I had heard quite a bit about it at DHS research events, but we haven’t had a project that needed the 500 computers in DETER yet.
FERC approved Version 4 of the NERC CIP standards. There were some who doubted this would happen because Version 5 is being voted on now. Perhaps FERC read the tea leaves and determined that Version 5 is unlikely to pass. As FERC noted, “The main difference between Version 3 and Version 4 is found in CIP-002-4 and involves a change in the way ‘Critical Assets’ are identified. Specifically, Version 4 includes uniform “bright line” criteria for the identification of ‘Critical Assets,’ which replace the ‘risk based assessment methodology’ developed and applied by individual responsible entities under Version 3.”
Mu Dynamics was acquired by Spirent Communications for $40 million. Probably not the big exit they had hoped for. Mu makes a fuzzer that is used by a number of ICS vendors because it allows the vendor to easily enter and test a proprietary protocol.
If there was any doubt that governments and other organizations are considering playing offense in cyberwar, DHS Director Napolitano’s internal monologue makes it clear. “Should there be some aspect that is in a way proactive instead of reactive?” she responded, and then answered her own question with “yes.” She added, “it is not something that we haven’t been thinking about.”
Worth Reading Articles
- ICS-CERT Monthly Monitor for March. DP Note – The first article on Social Engineering is important, but a bit misleading. If you read carefully, all they are claiming is that “transmission managers” at a power distribution company (mismatch) were subject to social engineering to try to gain access to their PC. There is no reference to any ICS-specific nature of the attack. It just happened to a company that runs an ICS. That said, one of the easiest attack vectors is to use social engineering, probably phishing, to gain control of a corporate PC and then try to get through the corporate / ICS security perimeter.
Critical Intelligence’s ICS Security Event Calendar Updates
- SEL Modern Solutions Conference Cybersecurity Track, June 6 in Chicago, Illinois
Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.
Image by takomabibelot