As US Senate Bill 3414 gains momentum (although I’m still unsure why this is a big story until we hear of corresponding House action), it’s worthwhile looking at the sales effort around the proposed law. What we are seeing in public is likely a small fraction of the FUD that Senators are being subjected to by the White House, NSA, DHS and assorted others in the government security structure.
In summary, the sales effort is focused on dubious data about the quantity of attacks rather than on the incredible vulnerability of the systems that run the critical infrastructure. Perhaps it is an effort to say something has changed that makes this critical now, other than the fact that the US showed everyone how to do it with Stuxnet.
The NY Times reports that NSA Director Alexander stated “that there had been a 17-fold increase in computer attacks on American infrastructure between 2009 and 2011” as a prime reason we need ICS cyber security legislation. These troubling numbers appear to come from the recent ICS-CERT Incident Summary Report covering that period.
- The most glaring problem is that ICS-CERT was created in November 2009, so the fact that there were few reported incidents in 2009 and earlier is not shocking. A count that starts near zero because the organization collecting it did not yet exist cannot be read as a real 17-fold increase in attacks.
- A large portion of the increase had to do with Shodan finding Internet-connected ICS. These systems may be important to the building owner, crematorium manager, small factory or those served by a small town’s municipal water system. They are not what a government would define as critical infrastructure in a prioritized list.
- A large portion of the incidents are attacks on the corporate network that almost every company endures, critical infrastructure or otherwise.
I’m not arguing against the assertion that we need to do more to protect critical infrastructure ICS; these numbers are simply a red herring. After Stuxnet, I’m hoping that the US Government has some persuasive offensive security demonstrations that show how easy it is for other nations and motivated attackers to launch a Stuxnet-type attack on US critical infrastructure. An attack that affects the integrity and availability of an ICS is the issue, not some increase in Shodan scanning or greater awareness of ICS-CERT.
CNBC reported that former NSA Director McConnell was also pushing numbers as the reason we need legislation: “[C]ompanies aren’t even reporting the attacks that do happen, let alone doing enough to prevent new attacks. ‘There are probably millions of attacks per day, and I would say most of them are unreported,’ McConnell said.”
Why would a company report an attack, and to whom would they report it? Does Adm. McConnell really want millions of attacks per day reported to the government?
I have beaten this drum before, but information sharing only occurs if it is in the self-interest of the sharing entity. Like everyone else, Digital Bond gets attacked regularly and is occasionally targeted directly. I can’t imagine going to the government and expecting some action, or even wanting them looking at Digital Bond data, let alone customer data covered by NDA. And at the risk of joining the tinfoil-hat club, would you really trust any government not to share vulnerabilities and other information with its ICS offensive team?
Some have chosen to share ICS security incidents, mostly on the corporate network, with DHS in the interest of getting a DHS flyaway team to provide free incident response. This does not scale.
On occasion we have recommended that clients share unresolved vulnerabilities with US-CERT or ICS-CERT to help prod an unresponsive vendor, but again this only occurs when it is in the discloser’s interest.
One last article to read is Elinor Mills’ report on ex-FBI Executive Assistant Director Shawn Henry’s Black Hat keynote call to arms. It’s full of police and military analogies, and a full-throated passing of the buck from government to industry. Ranum’s and Schneier’s quotes at the end say it better than I can.
Image by Rob Crawley