What should cyber security legislation look like – and why

I have been asked by any number of people in Washington and in different industries what the appropriate cyber security standards should be and why we need legislation.

There are several driving issues that must be addressed in any cyber security standard or legislation:
-    Industrial control systems are common across multiple industries, domestically and internationally. Unless we want a Tower of Babel of control systems, there needs to be a common standard so that we don’t end up with a “Brand X for non-nuclear power generation”, “Brand X for water”, “Brand X for Smart Grid”, etc.
-    There are a limited number of control system vendors, a limited number of ways to interconnect control systems, and a limited number of control system communication protocols.
-    The same control system cyber security problems that affect one industry affect all others using those same control systems, architectures, and protocols.
-    The various industries’ attempts at control system cyber security standards, particularly NERC, NEI, and water, are weak and/or ineffective. In addition, they haven’t addressed the control system cyber incidents that have occurred and continue to occur.
-    NIST SP 800-53 is mandatory for all federal agencies. Because of this, a significant effort was made by NIST, MITRE and others (including myself) to extend the existing IT controls in NIST SP 800-53 to cover control systems. It is now the only document that addresses both IT and control systems, and it has been extensively vetted (revision 3 is currently available for comment). Additionally, not mandating NIST SP 800-53 means that all non-federal organizations that electronically interconnect with federal agencies will be “weak links” from a cyber security perspective.

Given all of this, it should be obvious that the de facto cyber security standard for all industries should be NIST SP 800-53 or a close derivative. Since there has been so much pushback from NERC and others, legislation is needed to mandate its use in all critical infrastructure industries. This will not only provide the best existing standard, it is also the best chance for interoperability across all industries (see Smart Grid).

Joe Weiss



  • Hi Joe,
    I would contend that security for control systems is "not a local problem (for an individual country) but is a global problem." I only wish I had said it first. Perry Pederson did, and he is absolutely and profoundly so very correct.
    Global problems require global solutions and global thinking. If you want to truly "fix" cyber security for control systems and give it the direction and impetus it needs to get the job done, then we need to look un-blinkered and without predisposition, and out of our traditional comfort zones, at how we approach this, and use ALL of the tools that are available, not just from the centre of your world but from the whole world.
    I would suggest that rushing in legislation is not what should be on the legislative agenda right now; rather, there is a far greater need to be establishing PROGRAMS that we can ALL implement on our control systems and leverage off the similarities you speak of. To do otherwise will only create further silos. What is needed is to look at the problem in a holistic way and take that form of approach to the problem.
    A few of us here who are practitioners and do actually work in the industry in AU have been working on a discussion paper with the idea and intent to create a resilience framework for industrial control systems security. I would argue that the time is not right for looking at adding legislation, but it is right for looking at how we are going to approach the problem: not from the traditional management perspective with the traditional energy drink solution, but with some strong stewardship, leadership and an all hazards, interdependencies and risks approach in mind, using a much more global methodology than we presently undertake. Once we bed down how we approach this level and spirit of collaboration and partnership in the much larger arena, we can then and only then see how and what form current and any future legislation fits into such frameworks, with not just a single country in mind.
    Legislation based on a foundation of current control measures and mitigation techniques is not a sound approach to the problem. Legislation should not require re-tweaking each time some new technology comes out or some new form of exploit is discovered. Legislation should be enshrining precepts of the ideals, governance, leadership accountability and responsibility necessary to get the job done without being swayed by individual interests and with a social standards benefit in mind. Cyber security legislation, where necessary, should not have any borders, because the threats we face have no borders.
    If you were truly interested in improving ICS security, Joe, this is what you should be saying, not just to Washington but to the world. Until we tackle industrial control systems resilience in this way we will be continuing to do things in an un-coordinated and piecemeal way, replicating efforts and mistakes and increasing, not decreasing, the attack surface.
    Ron Southworth


  • Ron - I agree this is an international issue and have been providing input to various international organizations. If you recall, I held the first two International Standards Coordination Meetings on Control System Cyber Security. It is also why the Control System Cyber Security Conference is an international conference. I have been preaching that cyber is simply another threat to system reliability. If people would be as diligent in addressing cyber as other reliability threats, we would be far closer to containing this problem. If industry would do this on their own, there would be no need for legislation. Unfortunately, that hasn't happened. It has been a long time coming, but maybe the tide is turning.
    Joe Weiss


  • I am having a hard time listening to all those pleas for legislation, especially when they come from US sources... The government doesn't have a very good record of success in dealing with these problems. Remember Executive Order 13030, PCCIP, PDD-63, National Plan 1.0, Executive Order 13231, the National Strategy to Secure Cyberspace, ...? More than ten years, and little has changed. Now try to get foreign governments on board which don't regard cyber threats anywhere near as credible as the US does. This venture is going to take decades with no big chance for success.
    I'm inclined to follow Ron here (if I got his position right): If opinion leaders can't get their message through, it's probably a problem with the message, rather than with the audience. I don't have anything better in stock, but -- promise -- I'm working on it...


  • We are expecting to see the Site Security Plan roll-out any time now for high-risk chemical facilities under the Chemical Facility Anti-Terrorism Standards (CFATS). Cyber security should be a major component of any security plan for chemical manufacturing facilities. Unfortunately, unless things have changed dramatically in the re-write of the draft Risk-Based Performance Standards Guidance document, the only effective component of cyber security that DHS will be looking at is the business system side of the equation, not the control system side.
    With all of the silos in the US Government it is going to be difficult to get comprehensive work done on control system security without specific legislation. With all of the fights that end up going on over any controversial legislation these days, I just don't see that happening. Until we have a serious incident where there is indisputable proof of an outside cyber attack as the cause, this will remain something that will only be discussed amongst the cognoscenti.
    Patrick Coyle
    Chemical Facility Security News


  • Patrick wrote:
    "Until we have a serious incident where there is indisputable proof of an outside cyber attack as the cause, this will remain something that will only be discussed amongst the cognoscenti."
    Agreed. However, we have a problem: How would we know it was a deliberate cyber attack? One would have to have the forensics in place to know that with any certainty. Meanwhile there is a strong tendency to sweep such problems under the rug.
    So how would the public know this happened?


  • I was planning to respond to Joe's post yesterday, but I'm glad that I waited. It's great to see that this topic seems to have touched a nerve and gotten several people to offer comments (in several different venues). There have been so many good points (and counterpoints) made; I encourage everyone to read them carefully.
    This kind of dialog is always healthy. If and as we achieve some kind of consensus, we should also be thinking about how to get the message to a broader audience, including some of those "people in Washington" who posed the original question.
    As I read Joe's initial posting I must admit that I was quite frustrated by some of the statements made. For example, while it is true that the same control systems are often used across multiple industries, it is not necessarily true that these systems are used in the same way in those industries. It is the nature of the underlying process and the requirements for its safe operation that are more of a determining factor than the nature of the technology or product used, at least in my experience.
    There was also the statement that “The various industries’ attempts at control system cyber security standards, particularly NERC, NEI, and water are weak and/or ineffective.” This is a pretty sweeping generalization, and while it may be true for some segments, it is not true for all. Maybe it is the phrasing that is vague, but if we are to criticize a particular effort or industry, let's please be specific. To do otherwise does not give the deserved recognition to the many people (some in this conversation) who have been working long and hard in this area.
    As several have already pointed out, it is not as simple as making a statement that "document X is better or more complete than document Y" and then mandating that everyone use document X. Rather than beating each other over the head with assertions about who has the best document, let's concentrate our efforts on moving the state of practice forward, based on a consensus opinion of what is required. By doing this we build on what is best and available, making improvements as required. This is precisely the approach that has been used by the technical requirements working group of ISA99, building on the material in the NIST 800-53 document.
    At the same time, if there is a specific instance where there seem to be inadequate standards in place for a particular industry, then let’s focus on that situation and try to get it fixed. We will never have a situation where there is a single standard that both represents the best available and also applies to all circumstances. The world is just not that simple.
    Finally, let me close by referring to a couple of quotes from previous contributors:
    “Legislation should be enshrining precepts of the ideals, governance, leadership accountability and responsibility necessary to get the job done without being swayed by individual interests and with a social standards benefit in mind.” – Ron Southworth
    I agree with this statement, and I would submit that its intent cannot be achieved by simply legislating that all industries must comply with any specific document or guideline.
    “If opinion leaders can't get their message through, it's probably a problem with the message, rather than with the audience.” – Ralph Langner
    Once again I agree, and I would add that there may also be challenges associated with the media employed to deliver the message. If Joe is correct and there are in fact “only about 100” people who really understand this subject, then let’s work on getting that group to speak with something close to a common voice. We may find that we are closer to consensus than we think.


  • An interesting question, and I have no clear answer for a cyber attack on high-risk chemical facilities. The CFATS regulations have no reporting requirement or procedure for reporting a terrorist attack of any kind (this is a result of the political games that went into the authorizing legislation). If there were no reports to a Federal Agency there would almost certainly be no report to the public. Of course a report to a Federal Agency does not guarantee a public report either.
    The larger question of how anyone would know if an incident was caused by a cyber attack, human error or 'an accident' would depend greatly on the facility attacked. One of the big chemical/petroleum companies may have staff that could track down a computer anomaly to an outside source, but most facilities would not.
    The only outside investigation likely to catch something would be the Chemical Safety Board investigation of a major incident, and I don't know if they have the cyber expertise in house to find such an attack if the attacker was trying to hide the fact.
    Patrick Coyle
    Chemical Facility Security News

