CSIS Report and Industrial Control Systems

The Center for Strategic and International Studies (CSIS) issued the report “Securing Cyberspace for the 44th Presidency”. The report does a very good job of addressing the delicate balancing act of securing our critical infrastructures while maintaining personal privacy. In addition, the report specifically includes industrial control systems (ICS), which is elevating our status in the eyes of Washington decision makers. Many of the recommendations in the White Paper on Industrial Systems requested by CSIS have been incorporated in the final CSIS report. These recommendations included the need for senior management buy-in, the need for effective regulation (currently, the NIST Framework, including NIST SP800-53, provides the most comprehensive standards for industrial control systems), the need for vendors to include security in the designs of their control instrumentation and monitoring products, and the need for effective information sharing.

These key issues have been addressed in the CSIS report with the following recommendations:
-    Leaders from four key areas (energy, finance, the converging information technology/communications sectors and government) would serve on The President’s Committee for Secure Cyberspace.
-    A new operational organization, the Center for Cybersecurity Operations (CCSO), where public and private-sector entities can collaborate and share information on critical cybersecurity in a trusted environment.
-    The president should task the National Office for Cyberspace (NOC) to work with appropriate regulatory agencies to develop standards and guidance for securing critical cyber infrastructure, which those industries would then apply in their own regulations.
-    The NOC should work with the appropriate regulatory agencies and with NIST to develop regulations for ICS. This could include establishing standard certification metrics and enforceable standards. The government could reinforce regulation by making the development of secure control systems an element of any economic stimulus package that invested in infrastructure improvements.
-    The NOC should immediately determine the extent to which government-owned critical infrastructures are secure from cyber attack, and work with the appropriate agencies to secure these infrastructures.

As representatives of the control system industry, we need to continue working with the Obama administration and all appropriate government representatives to assure the security of our critical infrastructures. We’ve gotten a ticket to the game. Now we have to make sure we show up to play. The CSIS report is a wonderful beginning and a great foundation on which to build.

Joe Weiss