DHS

Mark Weatherford, DHS, Comments at Control System Conference

Mark Weatherford, Under Secretary for Cybersecurity at the Department of Homeland Security, offered comments as the morning keynote speaker on the second day of the Industrial Control System Joint Working Group (ICSJWG). Weatherford is the former Chief Security Officer at the North American Electric Reliability Corporation (NERC) and therefore has some knowledge of control systems and their security vulnerabilities. Mr. Weatherford stressed a theme of partnerships and information sharing between industry and government, noting that nearly 85% of the critical infrastructure in the US is owned by the private sector. He stated that we need to raise the nation’s cybersecurity IQ, not only among the general public but also among regulators and Congress. He also acknowledged that cybercrime nets more money for criminals worldwide than the cocaine, heroin and marijuana trades combined. Mr. Weatherford also pointed to the interdependencies among the critical infrastructures in the US: security in the electric sector cannot be achieved without considering the communications networks that link electric system devices.

Regarding legislation currently before Congress on this issue, Mr. Weatherford stated that there is a place for government enforcement of cybersecurity standards, but that the government should not presume it can write these standards for control systems itself; it must still rely on industry for standards and best practices. When asked whether vendors should be held accountable for insecure products, Mr. Weatherford responded that industry is making great strides in delivering secure systems, but that operators remain accountable for deploying and correctly configuring those systems. If security settings are turned off because they are inconvenient, then the user is to blame, not the vendor.

House Passes Cybersecurity Legislation

By a bipartisan vote of 248 to 168, the House has passed HR 3523, the Cyber Intelligence Sharing and Protection Act (CISPA). The bill now proceeds to the Senate which intends to take up cybersecurity early next month.

CISPA focuses on promoting better information sharing between the private sector and the federal intelligence community, and specifically includes utilities among the entities with whom this information should be shared. Unlike some of the other cyber bills that have been proposed, it adds no additional layers of regulation and does not make DHS the federal overseer of critical infrastructure cybersecurity protections.

UTC has long been a proponent of better processes for sharing classified cyber threat information with owners and operators of our nation's energy and water critical infrastructure, and has worked in concert with other industry trade associations and groups in support of this legislation. We do not claim that this is a panacea, but it is an important component of a comprehensive cybersecurity ecosystem. In combination with the NERC CIP standards and the cooperative public-private partnership framework of the Department of Homeland Security (DHS), UTC is dedicated to supporting a flexible and dynamic framework to protect our systems from cyber threats and vulnerabilities.

The bill had come under criticism from both the White House, which supports imposing additional requirements on critical infrastructure and putting DHS in charge of federal cybersecurity policy, and civil liberties groups, which object on privacy grounds.

The margin of passage, including 42 Democrats, is significant in light of the veto threat of the White House should the bill in its current form reach the President's desk.

Several less controversial cybersecurity bills concerning research and development, training, public awareness, and securing federal networks and IT were also passed by the House.

The action now moves to the Senate, where two bills are expected to take center stage: the Lieberman bill, which takes a more regulatory approach and establishes the Department of Homeland Security (DHS) as the lead federal agency on cybersecurity, and the McCain bill, which is similar to the voluntary information-sharing approach of the House-passed CISPA.

DHS Critical Of Utility Critical Infrastructure Security; Warns of Cybersecurity Threats

Leaders of the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provided a troubling assessment of the actions and problems faced by United States utilities when it comes to cybersecurity. One of the basic problems identified by Sanaz Browarny (Chief of Intelligence and Analysis, Control Systems Security Program, Department of Homeland Security) was that many utilities "are using older systems previously not connected to the Internet…The mindset is the equipment would last 20 or 30 years with updates. These systems are quite vulnerable."

She also sorted the types of attacks faced by utilities into three categories. The first is the thrill-seeking "garden-variety" hacker who targets known vulnerabilities. The second is the dangerous volley of viruses, worms and botnet attacks. The last is "nation-state actors" that have "unlimited funding available" and conduct espionage as they "establish a covert presence on a sensitive network."

More worrisome was the observation that while "only nine incidents" were reported in 2009, over the last year the number of reported incidents rose to 198. Kevin Helmsley, who works for the Control Systems Security Program at ICS-CERT, noted that slightly more than 40% came from water-sector utilities, with the rest stemming from various energy, nuclear energy and chemical providers.

Overall, Browarny expressed concern that it is in the nature of regulated industries, such as the water and energy utilities, to "do the bare minimum" to pass regulatory audits as they seek to comply with North American Electric Reliability Corporation (NERC) or National Institute of Standards and Technology (NIST) standards. Browarny noted that such steps are simply not enough. For more information, see this news report on the GovSec conference.

House Subcommittee Approves Cybersecurity Legislation, Concerns Remain About Critical Infrastructure Oversight Provisions

On February 1, the House Homeland Security Subcommittee on Cybersecurity approved by voice vote an amended version of HR 3674, the Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness (PRECISE) Act of 2011. In keeping with the House Cybersecurity Task Force Report released last year, the bill focuses on improving and incentivizing information sharing on cyber threats and incidents between the government and critical infrastructure. PRECISE would establish DHS as the lead federal agency for the coordination of federal and critical infrastructure cybersecurity efforts, the development of a national cybersecurity strategy, and the formulation of voluntary cybersecurity guidelines.

GAO Recommends Better Guidance from Government to Critical Infrastructure About Cybersecurity

A new report by the Government Accountability Office (GAO) recommended that the Department of Homeland Security (DHS) work with public and private sector partners to determine whether cybersecurity guidance should be added to sector-specific critical infrastructure plans. The GAO was asked to: 1) identify cybersecurity guidance within the seven critical infrastructure sectors; 2) determine the extent to which this cybersecurity guidance was enforced and promoted; and 3) find commonalities and differences between cybersecurity guidance for private sector entities and that for federal government entities.

Industrial Controls Group Releases Version 3 of the Cybersecurity Roadmap

The Industrial Control Systems Joint Working Group (ICSJWG) has created a consolidated, sector-independent roadmap. This Cross-Sector Roadmap was conceived and developed over the last two years by industry and government thought leaders who saw the need for a unifying roadmap to secure control systems across all critical sectors. Version 3 of the consolidated roadmap is available for download. The document aids entities in creating a cybersecurity plan that accounts for the unique environment of control systems. It is an excellent addition to a utility’s cybersecurity reference library and is available here.

No Evidence Of Cyber Attack on Water Utility, ICS-CERT and FBI Say

There is no evidence of a cyber intrusion into the SCADA system of the water utility in Springfield, Illinois, said the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in an email yesterday. ICS-CERT and the Federal Bureau of Investigation (FBI) had been investigating a reported cyber attack on the SCADA systems of the U.S. water utility that was said to have resulted in a pump failure. ICS-CERT noted that there was no evidence to support the claims made in the initial DHS Fusion Center reports. ICS-CERT received a copy of the reports on Nov 16th and contacted the DHS field office to obtain additional information. The claims of a cyber attack have now also been dismissed by the FBI and DHS.

DHS Under-Secretary Comments on Control Systems

Gregory Schaeffer, Acting Deputy Under Secretary, National Protection and Programs Directorate, DHS, was one of the keynote speakers at the Industrial Control System Joint Working Group (ICSJWG) meeting held October 24th through 26th in Long Beach, CA. He noted that ICSJWG offers an opportunity for the control system industry to catch up on security: control system technology has “outrun its headlights” with respect to cybersecurity. He remarked that cybersecurity today touches everything and we need to treat it holistically. Further, the environment has changed since the 1990s, when the issue first arose. He said, "We are now worried about cybercrime. This problem evolved so rapidly and thoroughly, this area of crime is now far more lucrative than even the narcotics trade. In the last several years, hacking to get information and money has evolved into hacking for intellectual property. Vast amounts of information, both in the private and public sector, are being syphoned into the wrong hands. Identity theft is still a problem."

Input Needed on Standards Meeting

UTC will again be attending a face-to-face meeting of the Industrial Control System Joint Working Group (ICSJWG) in early October in Long Beach. The group falls under the Department of Homeland Security and is working on sector-specific security issues while merging the various security roadmaps into a single control system security document.

The draft meeting agenda can be found at http://www.us-cert.gov/control_systems/icsjwg/ICSJWG-2011-Fall-Conference_Agenda_7Sept2011_DRAFT.pdf. Board members with specific interests, questions or concerns on these topics should contact Klaus Bender prior to October 1, and we will raise those issues at the meeting.

DOE Releases Draft of Cybersecurity Risk Management Process (RMP) Guideline for Comment

The Department of Energy, in collaboration with the National Institute of Standards and Technology and the North American Electric Reliability Corporation, has released a draft of the Electricity Sector Cybersecurity Risk Management Process (RMP) Guideline for public comment. The RMP Guideline was drafted by a joint public-private sector team that also included representatives from the Federal Energy Regulatory Commission, the Department of Homeland Security, and utilities. The initiative to develop the RMP Guideline is led by the Department’s Office of Electricity Delivery and Energy Reliability. Comments are due by October 28, 2011 and can be submitted at: https://public.commentworks.com/CW_DOE_AWF/
