- Develop a clear understanding of ICS cyber security
- Develop a clear understanding of the associated impacts on system reliability and safety on the part of industry, government and private citizens
- Define “cyber” threats in the broadest possible terms, including intentional, unintentional, natural and other electronic threats such as electromagnetic pulse (EMP)
- Develop security technologies and best practices for the field devices based upon actual and expected ICS cyber incidents
- Develop academic curricula in ICS cyber security
- Leverage appropriate IT technologies and best practices for securing workstations using commercial off-the-shelf (COTS) operating systems
- Establish standard certification metrics for ICS processes, systems, personnel, and cyber security
- Promote/mandate adoption of the NIST Risk Management Framework for all infrastructures or at least the industrial infrastructure subset
- Establish a global, non-governmental Computer Emergency Response Team (CERT) for Control Systems staffed with control system expertise for information sharing
- Establish a means for vetting experts rather than using traditional security clearances
- Establish, promote, and support an open demonstration facility dedicated to best practices for ICS systems
- Provide regulation and incentives for cyber security of critical infrastructure industries
- Include Subject Matter Experts with control system experience at high-level cyber security planning sessions
- Change the culture of manufacturing in critical industries so that security is considered as important as performance and safety
Recognize that first and foremost, ICS systems need to operate safely, efficiently, and securely, which will require regulation. ICS cyber vulnerabilities are substantial and have already caused significant impacts, including deaths. Security needs to be incorporated in a way that does not jeopardize the safety and performance of these systems. One should view ICS cyber security as where mainstream IT security was fifteen years ago: it is in the formative stage and needs support to leapfrog the previous IT learning curve. There is a convergence of mainstream IT and control systems that will require both areas of expertise. To ensure that ICS are adequately represented, include subject matter experts with control systems experience in all planning meetings that could affect these systems. The prevailing perception is that the government will not protect confidential commercial information and that organizations such as ISACs will act as regulators. This has Sarbanes-Oxley implications as well. It is one reason why the US CERT, which is government-operated, does not work as effectively as needed, and why a “CIRT for Control Systems” run by a global non-governmental organization with credible control system expertise is required.
- The testimony is based on the White Paper prepared for the Center for Strategic and International Studies, “Assuring Industrial Control System (ICS) Cyber Security”, by Joe Weiss, dated August 25, 2008.
- It should be noted that many of the acronyms used in industrial controls may be similar to acronyms used in government or other applications but with different meanings. Examples are ICS, IED, and IDS. In order to avoid confusion all acronyms have been spelled out the first time they have been used.
- “Pipeline Accident Report: Pipeline Rupture and Subsequent Fire in Bellingham, Washington, June 10, 1999”, National Transportation Safety Board Report NTSB/PAR-02/02, PB2002-916502.
- National Institute of Standards and Technology Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006. http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
- “Bellingham, Washington Control System Cyber Security Case Study”, Marshall Abrams (MITRE) and Joe Weiss (Applied Control Solutions), August 2007. http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Bellingham_Case_Study_report%2020Sep071.pdf
- US CERT Control Systems Security Program, Self-Assessment Tool. http://csrp.inl.gov/Self-Assessment_Tool.html