By Bob Radvanovsky
Recently, some material produced by the U.S. Department of Homeland Security and marked U//FOUO (Unclassified/For Official Use Only) was released accidentally. Following the unplanned release, debates raged on the validity and relevance of this significant control system advisory. Several key industrial groups and representative individuals felt that the need for securing the information (and its documentation) was weak, based on the premise that the problem, its description and solution were already common knowledge within the industry. They felt that more relevant, important documentation, far more worthy to be designated as U//FOUO, was already on the Internet.
One of the difficulties of attacking the problem of cybersecurity and critical infrastructure is the need to keep control of much of the informationhence the attempts at secrecy.
For Official Use Only
The term For Official Use Only (or FOUO and its placard U//FOUO) is used to identify unclassified information that is considered sensitive in nature. Despite the debate, the released document had been designated as U//FOUO, and is considered a sensitive document. For the control systems industry, information that could lead to the disruption (or worse yet, the destruction) of a piece of critical infrastructure, requires a stronger vital rule covering who has access to what in terms of disclosure and its usage.
What Is Critical Infrastructure Information?
The term critical infrastructure information covers:
- Information about critical infrastructures (or its sectors as defined by the DHS National Infrastructure Protection Plan);
- Information produced from the operations of those critical infrastructures;
- Mapping information about locations and/or directions to any critical infrastructure site, facility or work area;
- Information that the government considers protected critical infrastructure information;
- Any newly found or discovered information about a critical infrastructure;
- Information about future developments of critical infrastructures;
- Information about discontinued or dismantled critical infrastructures that are no longer in use, such as dismantled nuclear power generation facilities;
- Geological information about locations of any critical infrastructure;
- Any meteorological information relevant to critical infrastructure.
Another security designation is protected critical infrastructure information (PCII). Critical infrastructure information means information not customarily in the public domain and related to the security of critical infrastructure or protected systems. PCII is a subset of CII that a critical infrastructure industrial owner/operator voluntarily submits to the federal government because it considers this information valuable and requiring legal protection. The case with which we opened this story and the information contained within it had a PCII designation and is protectedby law. Arguments are still raging over whether it should have had that designation.
Freedom of Speech and Sensitive Information
One of the more significant issues surrounding sensitive information is the valuation of free speech and what that signifies to those who embrace it. Some might consider sensitive information to include data containing locations of water sources (public wells) or air intake vents to facilities and listings of chemicals produced or stored at both commercial and government facilities. This kind of information is essential to groups with nefarious intent to launch offensive attacks.
Academic communities provide opportunistic capabilities to such groups, who may use open-source intelligence to their advantage. They may use coverage of both past and present incidents to observe response times, staging areas, measures and countermeasures used by first responders, law enforcement and government officials. Public commentary then allows them to analyze their errors, gauging any potential success of any future operations that they may decide to carry out.
The recent accidental disclosure, though considered insignificant by many within the industry, represents a procedural error as to how sensitive information should be properly handled, distributed and disposed of once it is no longer useful or effective. What would have happened had documentation that was considered significantly more sensitive, more critical to our country, been accidentally disclosed? Who is at fault? How would you enforce and remediate containment?
For example, how does the individual/organization that needs it obtain actionable information, and what obligations does it have to safeguard and handle information provided to it by the government if the information is U//FOUO? From the governments perspective, the marking on the document provides handling instructions and perceived guidance. There is no mechanism for removing the FOUO when the information is overcome by events. Stakeholders often publish briefing materials on their websites, which essentially makes these documents public unless they also have secured and restricted access for members only. What if this happens?
In the future, we may see proposals of mechanisms, processes or procedures that will allow the removal of any accidentally disclosed protected or sensitive information from public venues. But first we need to change the perception of how and what we perceive as valuable information about critical infrastructure, and what impact this may have on free speech and thought.
Bob Radvanovsky is a critical infrastructure protection and homeland security researcher and is the owner/operator of the SCADASEC mailing list supported through his company, Infracritical. He may be reached at (630) 673-7740 or firstname.lastname@example.org.