A letter to Senate Majority Leader Reid (D-NV), cosigned by 30 privacy and civil liberties advocacy groups, has raised serious concerns about the lack of privacy protections for personally identifiable information shared with the government under cybersecurity legislation soon to be taken up by the Senate. This issue is yet another hurdle to getting the 60 votes needed for the Senate to proceed to Floor consideration of the bill, and may prove to be a major factor in whether cybersecurity legislation is enacted this year.
The Cybersecurity Act of 2012, sponsored by Sens. Lieberman (I-CT) and Collins (R-ME) would give the Department of Homeland Security lead authority to oversee the flow of information, including sharing information provided by the private sector to the National Security Agency. The 30 cosignatories of the letter believe this gives the intelligence community the ability to access and collect individual personal information. Moreover, the bill allows the government to use the information for criminal investigations and prosecution unrelated to cybersecurity, and provides overly broad immunity for those sharing the information.
The bill recently passed by the House, the Cyber Intelligence Sharing and Protection Act of 2012, came under similar criticisms and, even though amendments were added that sought to address those concerns before passage, there is continuing debate whether they went far enough. In addition to privacy concerns, there is a great deal of disagreement whether DHS should be put in charge of the nation's cybersecurity efforts and enforcement. The Lieberman bill would give DHS the authority to conduct risk assessments of “covered critical infrastructure” – sectors which are considered most critical to the nation’s economy and security, such as the electric grid and water systems – and impose mandatory risk-based performance standards enforced through third party audits. An alternative approach, sponsored by Sen. McCain, focuses on incentivizing voluntary information sharing between the government and the private sector to address the cyber threat, similar to the bill passed by the House last month. Majority Leader Reid hopes to bring the cybersecurity measure to the Floor in late May or early June.
In the meantime, White House officials, including DHS and the National Security Council, provided a Senate briefing on cyber attacks on natural gas pipelines. The attacks involved spear phishing, using an email attachment to allow a hacker to enter the computer network. The email appeared to be sent from someone known to the recipient. It has also been reported that the pipeline companies were aware of the exploit, notified authorities, and were told to allow the attack to continue so that proper forensics and attribution could be conducted. Caitlin Hayden, a spokeswoman for the White House National Security Council, said senior administration officials met with Senate staffers on Monday to brief them on the cyber threats facing critical infrastructure. Hayden noted that the briefing was "intended to provide staff with an appreciation for the cyber threat facing the nation as the Senate prepares to consider new legislative authorities that could help the United States Government prevent and more quickly respond to cyber intrusions and attacks." The White House has endorsed the Lieberman bill.
Mark Weatherford, Under Secretary for Cybersecurity at the Department of Homeland Security, offered comments as the morning keynote speaker on the second day of the Industrial Control System Joint Working Group (ICSJWG) meeting. Weatherford is the former Chief Security Officer at the North American Electric Reliability Corporation (NERC) and therefore has some knowledge of control systems and their security vulnerabilities. Mr. Weatherford stressed a theme of partnerships and information sharing between industry and government, noting that nearly 85% of the critical infrastructure in the US is owned by the private sector. He stated that we need to raise the nation’s cybersecurity IQ, not only among the general public but also among regulators and Congress. He also acknowledged that cybercrime nets more money for criminals worldwide than the cocaine, heroin and marijuana industries combined. Mr. Weatherford also pointed to the interdependencies among the critical infrastructures in the US: security in the electric sector cannot be accomplished without considering the communications that link electric system devices.
Regarding legislation currently before Congress on this issue, Mr. Weatherford stated that there is a place for government enforcing cybersecurity standards, but the government should not presume that they can write these standards for control systems. Government must still rely on industry for standards and best practices. When asked if vendors should be held accountable for insecure products, Mr. Weatherford responded that industry is making great strides in delivering secure systems, but industry is still accountable for deploying and correctly configuring these systems. If security settings are turned off because they are inconvenient, then the user is to blame, not the vendor.
Following reports about a backdoor login account in its entire line of devices, RuggedCom, a Canadian manufacturer of equipment and software for critical industrial control systems, has announced it will eliminate this vulnerability.
Security experts have raised concerns about this issue, noting that this security problem had been discovered a year ago. The backdoor, which reportedly cannot be disabled, leaves power utilities, military facilities, and municipal traffic departments using the industrial-strength gear vulnerable and could affect millions of indirect users. K. Reid Wightman, an industrial control systems security expert for Digital Bond, told tech blog Ars Technica, "If users are running non-redundant networks, this is probably going to require taking their process offline…so it's not the sort of thing that most users can patch right away—they're going to have to patch it during their normal manufacturing patching cycle, which might be a year."
By a bipartisan vote of 248 to 168, the House has passed HR 3523, the Cyber Intelligence Sharing and Protection Act (CISPA). The bill now proceeds to the Senate which intends to take up cybersecurity early next month.
CISPA focuses on promoting better information sharing between the private sector and the federal intelligence community, and specifically includes utilities as entities with whom this information should be shared. Unlike some of the other cyber bills that have been proposed, it adds no additional layers of regulation and does not make DHS the federal overseer of critical infrastructure cybersecurity protections.
UTC has long been a proponent of better processes for sharing classified cyber threat information with owners and operators of our nation's energy and water critical infrastructure, and has worked in concert with other industry trade associations and groups in support of this legislation. We do not propose that this is a panacea; but it is an important component of a comprehensive cybersecurity ecosystem. In combination with the NERC-CIP standards and the cooperative public-private partnership framework of the Department of Homeland Security (DHS), UTC is dedicated to supporting a flexible and dynamic framework to protect our systems from cyber threats and vulnerabilities.
The bill had come under criticism from both the White House, which supports additional requirements being imposed on critical infrastructure as well as putting DHS in charge of federal cybersecurity policy, and civil libertarian groups based on privacy concerns.
The margin of passage, including 42 Democrats, is significant in light of the veto threat of the White House should the bill in its current form reach the President's desk.
Several less controversial cybersecurity bills concerning research and development, training, public awareness and securing federal networks and IT were also passed by the House.
The action now moves to the Senate where two bills are expected to take center stage: the Lieberman bill, which takes a more regulatory approach and establishes the Department of Homeland Security (DHS) as the lead federal agency on cybersecurity, and the McCain bill, which is similar to the voluntary information sharing approach of the House-passed CISPA.
The House Homeland Security Committee has approved, on a party line vote of 16 – 13, a cybersecurity bill which will join the roster of bills expected to be brought up for Floor consideration in the House next week as part of Cyber Week. Unlike the bill approved by the Subcommittee last month, the bill relegates DHS to a coordination/facilitation/consultation role with other federal agencies and departments on federal cybersecurity matters by retaining the current federal agency or department authority structure. Risk assessments and technical assistance would only be provided upon request of critical infrastructure owners and operators. Moreover, information sharing between the private sector and DHS would remain voluntary, thus reaffirming the DHS public/private partnership framework.
The final bill designates the National Cybersecurity and Communications Integration Center (NCCIC) as the DHS focal point for information sharing between the federal government, the intelligence community, Department of Defense and the private sector. An Advisory Board, composed of 11 representatives of the private sector, 2 representatives from the privacy and civil liberties community and the chair of the National Council of Information Sharing and Analysis Centers (ISACs), would act as an advocate of the private sector in improving the operations of the NCCIC.
HR 3674 had been criticized for inadequate protections of privacy. To assuage these concerns, an amendment offered by Rep. McCaul was adopted to clarify the legally permissible cybersecurity activities of DHS regarding the collection, interception, retention, and dissemination of communications and system traffic, including compliance with written guidelines and approval of the Attorney General. Many in the privacy community believe even these added protections do not go far enough.
In explaining his decision to support the revised version instead of the bill approved by his Subcommittee, Rep. Lungren said that the “support of private sector stakeholders evaporated when they saw what was happening in the Senate”, a reference to the regulatory approach of the Lieberman bill which Majority Leader Reid intends to bring up in the Senate. However, he went on to say that House Leadership has agreed to bring up the original subcommittee bill if that private sector support can be regained. Rep. Peter King, chair of the Committee, emphasized that in the interests of retaining a seat at the table, and a role for the Committee in the deliberations and the final legislation passed by the House, the bill had to be revised before House Leadership would allow it to be brought to the Floor.
The Senate intends to turn its attention to cybersecurity in early May.
The revised version of HR 3674 (which is referred to as an Amendment in the Nature of a Substitute) adopted at the mark-up, Section by Section Analysis of bill as brought up for mark-up, amendments adopted at the mark-up, and an archived video of the mark-up session can be found at: http://homeland.house.gov/markup/markup-hr-3674-promoting-and-enhancing-cybersecurity-and-information-sharing-effectiveness
The Federal Energy Regulatory Commission (FERC) has approved Version 4 of the Critical Infrastructure Protection (CIP) Reliability Standards submitted by the North American Electric Reliability Corporation (NERC). The currently-effective Version 3 CIP Reliability Standards. NERC had sent the CIP 4 standards over to FERC for approval back in February 2011, and FERC’s rulemaking on the same was initiated in September.
NERC CIP 4 presents significant changes in the way utilities identify critical assets and the means used to protect them. The main difference between Version 3 and Version 4 is a change in definition for “Critical Assets” (found in CIP-002-4). Specifically, Version 4 includes uniform “bright line” criteria for the identification of “Critical Assets,” which replace the “risk-based assessment methodology” developed and applied by individual responsible entities under Version 3.
NERC now has until March 31, 2013 to submit the next version of the CIP Reliability Standards, and Version 5 is still awaiting approval by NERC. Discussions on NERC CIP 5 suggest that it is intended to finally address all of Order 706.
Leaders of the Department of Homeland Security’s Industrial Control Systems-Certified Emergency Response Team (ICS-CERT) provided a troubling assessment of the actions and problems faced by United States utilities when it comes to cybersecurity. One of the basic problems identified by Sanaz Browarny (Chief of Intelligence and Analysis, Control Systems Security Program, at the Department of Homeland Security) was that a lot of utility employees "are using older systems previously not connected to the Internet…The mindset is the equipment would last 20 or 30 years with updates. These systems are quite vulnerable."
She also grouped the types of attacks faced by utilities into three categories. The first is the thrill-seeking "garden-variety" hackers that target known vulnerabilities. The second is the dangerous volley of viruses, worms and botnet attacks. The last is "nation-state actors" that have "unlimited funding available" and conduct espionage as they "establish a covert presence on a sensitive network."
More worrisome was the observation that while "only nine incidents" were reported in 2009, over the last year the number of reported incidents rose to 198. Kevin Hemsley, who works for the Control Systems Security Program at ICS-CERT, noted that slightly more than 40% came from water-sector utilities, with the rest stemming from various energy, nuclear energy and chemical providers.
Overall, Browarny expressed concern that it is in the nature of regulated industries, such as the water and energy utilities, to "do the bare minimum" to pass regulatory audits as they seek to comply with North American Electric Reliability Corporation (NERC) or National Institute of Standards and Technology (NIST) standards. Browarny noted that such steps are simply not enough. For more information, see this news report on the GovSec conference.
The National Institute of Standards and Technology’s (NIST) Smart Grid Interoperability Panel (SGIP) opened its Spring Face-to-Face Meeting in Charlotte on March 20, 2012. The opening plenary session featured Dr. George Arnold, the overseer of the NIST Smart Grid effort. Dr. Arnold told the audience that NIST will continue to participate in the SGIP, regardless of the ultimate structure of the organization, citing mandates in the EISA 2007 legislation. Dr. Arnold was referring to the requirement that the SGIP transition to a sustainable, self-sufficient organization by 2013. The SGIP had created a working group to address this issue and has received a report on a variety of options from EnerNex, the SGIP administrator. Concerns from the audience included one from a utility that suggested that if the SGIP was going to charge dues for membership, it should make the fact known as soon as possible. The utility representative stated that utilities begin to create budgets for 2013 in the summer, and SGIP membership fees may not make the budget unless identified early. Dr. Arnold said he understood the concern and would make plans known as soon as possible.
A report from Don Sheflin, chair of the Smart Grid Federal Advisory Committee, summarized the group’s report to NIST on the workings of the SGIP. Top recommendations included consolidating the disjointed treatment of cybersecurity issues related to the smart grid. Also cited was the need to strengthen state regulatory support for smart grid initiatives, implying that when states treat smart grid efforts in a wide variety of ways, it creates regulatory uncertainty that delays smart grid implementation. Other recommendations included the need for a consolidated communications plan for smart grid education and outreach. UTC will be blogging additional topics from this meeting over the next few days.
A proposal put forward by the North American Electric Reliability Corporation (NERC) to use a three-tier informational filing format to report possible violations of Reliability Standards has been approved by the Federal Energy Regulatory Commission (FERC). In an Order released yesterday, FERC set conditions on NERC's "Fix, Find, Track and Report" (FFT) proposal intended to ensure that the minor violations dealt with under the program are handled properly. Minor violations are defined as those posing minimal to moderate risk, and include administrative, documentation, and certain maintenance or testing program implementation failures. FERC will also survey a random sample of FFTs each year to determine how the program is working and to see if improvements to the program are needed. The full text of the Order can be viewed here.
The Department of Energy (DOE) has released a second draft of the Electricity Subsector Cybersecurity Risk Management Process (RMP) guideline for public comment. According to the document introduction, “it is intended to be used by the electricity subsector, to include organizations responsible for the generation, transmission, distribution, and marketing of electric power, as well as supporting organizations such as vendors.” The document was prepared in conjunction with the National Institute of Standards and Technology (NIST) and is based on several federal standards related to cybersecurity and risk management. Risk management processes are emerging as a best practice for utilities because of the pressures in the cybersecurity space.
The document is of value to utilities for several reasons. For a newcomer to the topic of cybersecurity in the electric sector, the document offers a background that can be built upon to create plans specific to the organization implementing cybersecurity policies. For those familiar with the topic, the comment period offers the chance to review and comment, perhaps providing insight not previously considered. The document is available for download at the link below. Comments are due April 5, 2012.
http://energy.gov/oe/downloads/draft-cybersecurity-risk-management-process-rmp-guideline