A word for the next administration…

Recommendation for next administration

I have mentioned the Blue Ribbon Committee drafting recommendations for the next president on cyber security. I have been asked to draft a paper for the Committee on what the next administration should think about when it comes to industrial control systems. The paper will address what is different about control systems, identify specific control system cyber security issues based on actual cyber security incidents, and address whether there should be regulation or incentives for cyber security. I think it has been pretty obvious that incentives alone don’t work. There is no doubt that regulation will be required, as can be seen with Congress drafting legislation to give FERC additional emergency powers and the Nuclear Regulatory Commission (NRC) developing a Regulatory Guide for cyber. Hopefully, all industries will get the message that cyber is important and must be adequately addressed for business and national security reasons, and not treat it as a paper exercise like the NERC CIPS. If possible, I will try to have a draft available at the August ACS Conference.

Joe Weiss

What are your comments?


Comments

  • It appears to me that the one major item with the potential to change the landscape radically and quickly is liability. Just think about this:

    You can sue a tobacco company because you got lung cancer from smoking. You can sue McDonald's because they served you hot coffee which you spilt over your legs. You can sue an auto maker for having an accident because you didn't operate the car properly. You can sue an airplane maker because your husband died in the crash of an airplane which he didn't care to maintain properly.

    You can do all this and cash in big. Here's what you CAN'T do:

    Sue a hardware vendor because they sold you PLCs with buggy network drivers that caused production disruptions. Sue a hardware vendor because their buggy network interfaces had never been tested properly. Sue a hardware vendor because they never told you that their products are extremely vulnerable from the network. Sue a software vendor because they open up DCOM access rights for everybody automatically during the installation of their OPC product, even when installing updates. Sue a software vendor for not informing you about any significant vulnerabilities they have found in their product, or about fixes that they have readily available. Sue a contractor for infecting your process network with malware because they didn't care to patch their maintenance notebooks. …and the list could go on and on.

    The good thing about liability is that it leaves the decision about which security measures are appropriate to a jury which takes the circumstances of the individual case into account. The next good thing is that the financial risk for ignoring security will simply get too big for vendors. Another good thing is that we would see security improving almost immediately, as opposed to standardization processes with their 10+ years timeframe. …and the list could go on and on.


  • Hi Joe,

    I am glad to hear that you will be providing a paper to describe the difference in business processes between classic control and information systems. Many views lead to a greater balance of perspective.

    With respect to your suggestion on regulation(s), I see an opportunity for us all "to get it right".

    With any regulation, we need to make certain that if we are going to implement regulation or other such legislation, it needs to target the same people we need to be targeting now with our awareness activities: our C-level managers. Any legislation that permits the responsibility to be "delegated down" is not going to be effective.

    Liability is an interesting aspect of security, Ralph, and this is something that we all need to be mindful of and to accept that to be effective we need to share the burden and to collaborate on working on the solutions together. The more effective we are at doing this, the closer to security nirvana we will be.

