More Better Process Security, We Hope!

This morning we heard from Cheri McGuire, the Director, CIP Cybersecurity Program, National Cybersecurity Division, Department of Homeland Security, who is taking over responsibility for the Process Control Systems Forum in the future. She talked in great generality about the "overarching (insert noun here) framework" such as the "overarching risk management framework" and so forth. Overarching must be a real buzz word at the Department of Homeland Security. Fundamentally, she indicated, without really saying so, that the Government will impose standards on process control systems unless the Government likes what the public and private partnerships like PCSF is doing. A very prominent CEO of a highly regarded software company, often quoted in Control, said to me in the hallway, "It's really clear that they better get some people on those government committees that understand control systems." McGuire pointed out that US-CERT (the hacker threat agency) now has a control system security cell, and that NIST is forging ahead on implementing standards for process control. Who's adopting those standards is hard to say, of course. Unless McGuire expects to force industry to adopt them... Then we heard from a set of interesting keynoters. First, William P. Crowell, who was formerly Deputy Director of No Such Agency (NSA). He was followed by Paul Dorey, the chief security officer of BP. Last was Margaret (Peg) Grayson, who is president of AEP Government Solutiosn Group, and a heavy member of Department of Homeland Security committees. Crowell reminded us that TCP/IP isn't going away...it has become too much a part of the fabric of ordinary daily life, and ordinary daily business. It is the productivity enhancement of IP that has driven the economy, and in some very strange ways. "Did any one of you predict that eBay would become a multibillion dollar company? I sure missed it," he confessed. Regarding 9-11, Crowell said, "The threat that al Qaeda used was the Internet. They could not have carried out the 9-11 attack without being detected without the Internet." We have built a very fragile economy by basing our systems on IP. There are, Crowell pointed out, three kinds of threats. First, threats by terrorists within the US. Then there are enterprise threats, which are not limited to within our own borders in the USA, but can be global...including insiders, external threats from hackers and phishers, as well as physical threats. The third is a new threat: disruption of our economic systems. He related a story. On the morning of September 11, 2001, he and Brent Scowcroft (former National Security Advisor) boarded the Air Force plane that is often called "Looking Glass" which is the national aerial command center, just as the first plane hit the WTC. Neither Looking Glass nor Air Force One, which was in Florida, knew anything, or could find out anything, because neither aircraft had access to CNN. Times have changed. We need, he said, to focus on prevention, because the systems that are threatened are too critical to rely on recovery from disaster as a strategy. Paul Dorey, VP Digital Security and CISO of BP plc spoke next. "If it is in BP, and it has a one or a nought in it, it's mine," he said. He noted that security management in process control appears to be happening in three waves, and perhaps it is happening backwards. The first wave is adoption by the End User/Operator of security strategies and specifications and standards. The second is the adoption of these by the System Integrators that work for the End Users, and finally, the adoption, or not, of these standards by the vendors who supply systems and components to the end users. After migrating from IT at a banking concern, Dorey says, "You guys are right! You don't want to let IT anywhere near process control systems!" Getting more serious, he talked about BP's relationship with the vendors who keep saying, "Who's going to pay for this security? "If you want a contract with BP," he said, with a tone of feistiness in his voice, "you must agree to our security clause, and do the required testing, and NO, Mr. Vendor, we are NOT going to pay you extra for making it all right to begin with." BP clocks vendor patch time...in 2004 the average was approximately 90 days, with one significant vendor who actually never got the patch done. In 2005, the average was closer to 10 days, with one company (a little bird told me it was OSIsoft) patching faster than Microsoft did. Software licenses with the traditional "as is no warranty" clause are simply no longer acceptable, at least in process control service, Dorey says. What is needed, "is a step change in systems security and integrity," Dorey said. "And what do we do if the OEMs and vendors don't move with us?" he concluded. Margaret Grayson noted that hackers, and not just script kiddies, are more than aware of SCADA and other control systems in the process area. Why will many attacks be cyber? They are low cost, invisible, can be stealthily crafted for years, are deniable, and have great and precise control of destruction that they cause. This is all part of the great trend towarde convergence, she said. Then came the implied threats, as she reported on what the Government is doing. Pay ATTENTION to Homeland Security Presidential Directive 12. Never heard of HSPD-12? Too bad, it might tell you how you will be forced to run your business. Heard of FIPS201? Same thing. During the Q&A, Paul Dorey put it very well. "Anybody who believes that it is not happening (terrorism and hacker threats)is living with a brown paper sack over his head."