The fact that Congress has to deal with DCS and SCADA security for the critical infrastructure is another sign of failure by everyone in the ICS community, but in the US Government realm primarily by DHS as the responsible government agency.
Congress can’t be an expert in all fields and certainly not in something as arcane as control system security. It’s ridiculous that Congress and their staff have to try to determine how to solve this problem by crafting legislation. They should assign this task, and the money for it, to an agency that works the issue, and there is no evidence that DHS has failed for lack of authority. To their credit, Congress sees little progress by the responsible agency in securing critical control systems and is trying to move the situation forward.
The best way to illustrate DHS’s failure is to look at the legislation itself, starting with the most damning evidence.
Prioritization and Focus – Sector Based Risk Assessment
Section 102 requires DHS to perform a sector by sector risk assessment “to determine which sectors pose the greatest immediate risk”. Sections 102 and 103 go into how this should be repeatable and ongoing.
Has this not been done yet by DHS? Shouldn’t DHS have handed the Committee the risk assessment report they have been producing repeatedly since they were founded? Shown how it has become more sophisticated and thorough over time, how it has driven the DHS programs, and how they have measured success in terms of an improved security posture?
And I would hope they have more than just an assessment of which sectors should be prioritized. They should have:
- a risk-based, tiered list of owner/operators in each sector (related to the crazy overreaction to a water pump in a small Illinois water utility)
- a list of the key hardware and software technologies by sector; for example, refineries primarily use Honeywell, Emerson and Yokogawa DCS (related to focusing ICS-CERT resources on key systems and applications rather than spending the majority of their time on freeware HMIs)
- and possibly a list of the most important technical and administrative security controls missing in the top tier owner/operator systems
This prioritization requires making decisions such as: a canal that provides the only water to a large, heavily populated region should receive a great deal of attention, while a small, municipally owned water pump in Springfield, IL is handled by local authorities. It also requires the discipline not to jump on every vulnerability that can be tied to some control system function. Perhaps most of these should go through the normal US-CERT / CERT/CC process, except for those in the key hardware and software list.