critical infrastructure

Prospects for Cyber Legislation Dimmed by Privacy Concerns

A letter to Senate Majority Leader Reid (D-NV), cosigned by 30 privacy and civil liberties advocacy groups, has raised serious concerns about the lack of privacy protections for personally identifiable information shared with the government under cybersecurity legislation soon to be taken up by the Senate. This issue is yet another hurdle to getting the 60 votes needed for the Senate to proceed to Floor consideration of the bill, and may prove to be a major factor in whether cybersecurity legislation is enacted this year.

The Cybersecurity Act of 2012, sponsored by Sens. Lieberman (I-CT) and Collins (R-ME), would give the Department of Homeland Security lead authority to oversee the flow of information, including sharing information provided by the private sector with the National Security Agency. The 30 cosignatories of the letter believe this gives the intelligence community the ability to access and collect individuals' personal information. Moreover, the bill allows the government to use the information for criminal investigations and prosecutions unrelated to cybersecurity, and provides overly broad immunity for those sharing the information.

The bill recently passed by the House, the Cyber Intelligence Sharing and Protection Act of 2012, came under similar criticism and, even though amendments were added that sought to address those concerns before passage, there is continuing debate over whether they went far enough.

In addition to privacy concerns, there is a great deal of disagreement over whether DHS should be put in charge of the nation's cybersecurity efforts and enforcement. The Lieberman bill would give DHS the authority to conduct risk assessments of "covered critical infrastructure" (sectors considered most critical to the nation's economy and security, such as the electric grid and water systems) and to impose mandatory risk-based performance standards enforced through third-party audits. An alternative approach, sponsored by Sen. McCain, focuses on incentivizing voluntary information sharing between the government and the private sector to address the cyber threat, similar to the bill passed by the House last month. Majority Leader Reid hopes to bring the cybersecurity measure to the Floor in late May or early June.

In the meantime, White House officials, including representatives of DHS and the National Security Council, provided a Senate briefing on cyber attacks on natural gas pipelines. The attacks involved spear phishing: an email attachment was used to give the attacker a foothold inside the company's computer network, and the email appeared to come from someone known to the recipient. It has also been reported that the pipeline companies were aware of the intrusion, notified authorities, and were told to allow the attack to continue so that proper forensics and attribution could be conducted.

Caitlin Hayden, a spokeswoman for the White House National Security Council, said senior administration officials met with Senate staffers on Monday to brief them on the cyber threats facing critical infrastructure. Hayden noted that the briefing was "intended to provide staff with an appreciation for the cyber threat facing the nation as the Senate prepares to consider new legislative authorities that could help the United States Government prevent and more quickly respond to cyber intrusions and attacks." The White House has endorsed the Lieberman bill.

DHS Critical Of Utility Critical Infrastructure Security; Warns of Cybersecurity Threats

Leaders of the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provided a troubling assessment of the actions and problems faced by U.S. utilities when it comes to cybersecurity. One of the basic problems identified by Sanaz Browarny (Chief of Intelligence and Analysis, Control Systems Security Program, at the Department of Homeland Security) was that many utility employees "are using older systems previously not connected to the Internet…The mindset is the equipment would last 20 or 30 years with updates. These systems are quite vulnerable."

She also sorted the attacks faced by utilities into three categories. The first is the thrill-seeking "garden-variety" hacker who targets known vulnerabilities. The second is the ongoing volley of viruses, worms and botnet attacks. The last is "nation-state actors" that have "unlimited funding available" and conduct espionage as they "establish a covert presence on a sensitive network."

More worrisome was the observation that while "only nine incidents" were reported in 2009, the number of reported incidents over the last year rose to 198. Kevin Helmsley, who works for the Control Systems Security Program at ICS-CERT, noted that slightly more than 40% came from water-sector utilities, with the rest stemming from various energy, nuclear energy and chemical providers.

Overall, Browarny expressed concern that it is in the nature of regulated industries, such as the water and energy utilities, to "do the bare minimum" to pass regulatory audits as they seek to comply with North American Electric Reliability Corporation (NERC) or National Institute of Standards and Technology (NIST) standards. Browarny noted that such steps are simply not enough. For more information, see this news report on the GovSec conference.

NERC CIP Version 5 Fails to Pass First Vote

Version 5 of the NERC Critical Infrastructure Protection (CIP) standards was released for comment and vote in December. The voting results have been released, and the updated standards failed to receive the votes needed to pass. The voting results can be viewed and downloaded here.

Honeywell's Tom Alrich, who has been working closely with this process, commented, "The only positive vote of greater than 40% was for the implementation plan. CIP-003 and CIP-008 got between 30 and 40% positive votes. Everything else got under 30% positive. In addition, participation was quite high - over 90% for each ballot." Mr. Alrich notes that the Standard Development Team is working on changes that will increase the likelihood of ratification in the next vote.

Version 3 of the NERC CIP standards is in place now, with Version 4 approved and awaiting implementation. Some industry professionals hoped that Version 5 would be approved quickly so that implementing the procedures needed to comply with Version 4 would not be necessary. The failed vote brings this possibility into question.

GAO Recommends Better Guidance from Government to Critical Infrastructure About Cybersecurity

A new report by the Government Accountability Office (GAO) recommends that the Department of Homeland Security (DHS) work with public and private sector partners to determine whether cybersecurity guidance should be added to sector-specific critical infrastructure plans. The GAO was asked to: 1) identify cybersecurity guidance within the seven critical infrastructure sectors; 2) determine the extent to which this cybersecurity guidance was enforced and promoted; and 3) find commonalities and differences between cybersecurity guidance for private sector entities and that for federal government entities.

MIT ‘Future of Grid’ Report Highlights Cybersecurity Concerns

U.S. utilities are building intelligence into their networks with the aim of making power distribution more efficient; however, these efforts are getting caught in a myriad of regulations that leave their security efforts incomplete, inadequate and uncoordinated. According to a new report released by researchers at the Massachusetts Institute of Technology (MIT), a single federal agency should be in charge of the nation's critical infrastructure security, instead of responsibility being spread across a group of organizations, as it currently is. The findings also state that the grid's greater reliance on data communications increases the importance of standardization for interoperability and of cybersecurity, and raises serious issues of privacy. Additionally, the report discusses the potential risk factors to the grid from the impact of federal regulations, rising prices for fossil fuels and competition from renewable energy sources. It largely concludes that, with the right policy measures, the grid would be able to handle the influx of electric vehicles as well as renewable generation sources, including wind and solar.

NERC Issues New CIP 5 Standards and Implementation Plan For Comment

In a recent announcement, the North American Electric Reliability Corporation (NERC) published ten CIP standards (CIP-002-5 through CIP-009-5, CIP-010-1, and CIP-011-1), a set of new and revised NERC Glossary definitions, and a proposed implementation plan. The documents have been posted on the NERC website for a formal 60-day comment period; comments will be accepted via an electronic form through Friday, January 6, 2012. The implementation plan, also called the mapping document, lists each requirement in the already-approved Version 4 CIP standards and identifies how that requirement has been treated in the Version 5 CIP standards. For more information, click here.

Security of Siemens SCADA Systems Products Questioned

A security researcher working for NSS Labs, an electronics security firm, reportedly identified security flaws in Siemens industrial control management systems that expose critical infrastructure systems to attackers. Siemens SCADA systems were at the center of last year's Stuxnet attacks, in which the computer worm reportedly affected Iran's nuclear facilities. Industry news source Dark Reading reported that the researcher and Siemens had been collaborating with the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) on fixes for the identified flaws, but NSS Labs found that the fixes Siemens produced still did not fully protect the affected systems. The researcher, Dillon Beresford, noted that he was able to bypass the fix within 45 minutes, and notified both Siemens and ICS-CERT of this issue.

UTC Urges FCC/NTIA to Provide Utilities and CII Access to Federal Spectrum

In comments filed with the Federal Communications Commission (FCC) late last week, UTC urged the FCC and the National Telecommunications and Information Administration (NTIA) to provide access to federal spectrum for utilities and other critical infrastructure industries (CII). The comments were filed in response to a Public Notice from the FCC inviting comment on technical issues associated with the spectrum bands identified in an NTIA report released in October 2010. That report identifies 115 MHz of federal spectrum that could be freed up for broadband purposes.
