Some good things - but look beyond the words

"A commission formed to offer advice on cybersecurity to the next president is nearing the completion of its work, and some of the recommendations are likely to conflict with elements of President Bush's Cyber Initiative. It will be finalized very shortly," said Rep. Jim Langevin (D-R.I.), co-chairman of the bipartisan Commission on Cyber Security for the 44th Presidency. "The findings are preliminary at this point." The commission, created in November 2007 by the Center for Strategic and International Studies (CSIS), held a series of public meetings to hear recommendations on issues of information security, identity theft and government leadership. It plans to present its findings to the new president prior to his inauguration in January. When it does, one of the biggest departures from current cyber security policy will be the commission's recommendation to take the lead away from the Homeland Security Department and give it to the White House."

The White Paper on Industrial Control Systems, of which I was the principal author, was prepared for this effort. I would like to make absolutely clear my support for the work being performed by the Congressman’s Committee and the recommendations they have prepared.

SEL, Emerson, Invensys, Honeywell, and other major vendors are taking security more seriously. They are incorporating security technologies and providing security consulting services. The key will be end-user acceptance.

SANS – "Some Good News for a Change. American utilities have made a 180-degree turn in the past five months -- no longer trying to claim that their control systems are ‘safe from cyber attacks.’ As a result, oversight organizations (like NERC, North American Energy Reliability Corporation) have stepped up to help them measure the effectiveness of their security using the right metrics, and are reaching for consensus on what must be done to secure the systems and how utilities can be sure they have done the right things..."

There is a need to develop the right metrics. To date, the NIST standards are the closest to "the right" standards. When it becomes public in 2009, I believe the NRC Regulatory Guide DG-5022 will be the most appropriate guidance with metrics for all industries.

On October 28, US-CERT issued Critical Infrastructure Information Notice CIIN-08-302-01, ICONICS Dialog Wrapper Module ActiveX Control Vulnerability. It stated: "In January 2007, a buffer overflow vulnerability in the ICONICS Dialog Wrapper Module ActiveX Control was discovered. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. Exploit code for this vulnerability was made publicly available on September 21, 2008…"

The January 2007 buffer overflow vulnerability was in the website demo, not in the released software itself, and was explained, and repaired, at least six months ago. This is simply another reason why a non-governmental CERT for Control Systems with control system expertise is needed.

Joe Weiss