Three ideas for federal advancement of ICS security

Over the past several years I have witnessed a line of federal leaders push information sharing like it is the absolute solution to forever ensuring the cyber security of the infrastructures on which Americans rely. We have had testimony in congressional hearings, proposed and passed legislation, executive orders, NIST info sharing guidance, and WashPost op/eds proclaiming the indispensable nature of information sharing for the preservation of the country.

While fans may show up to watch deceased baseball greats compete on the Field of Dreams, we aren’t talking about the American pastime; we are talking about American infrastructure. We don’t need fans. We need action.

There are three fundamental problems to securing the industrial control systems (ICS) at the heart of our infrastructure that info sharing will never address:

  • insecure control system architectures
  • insecure control systems products
  • insecure control systems communication protocols

Make no mistake: I am an intelligence and information sharing professional. I have been serving the unique intelligence needs of the country’s largest utilities for 8 years, the first two building out the DHS control systems cyber situational awareness effort that became the ICS-CERT, and the next six as the Director of Analysis of the only commercial vulnerability and threat intelligence organization to focus specifically and exclusively on industrial control systems. I believe that intelligence and information sharing have a role to play. But that role is to inform appropriate action. It is not a sufficient solution in and of itself.

In an attempt to advance conversation about how to address the core issues at a federal level, I submit the following action-oriented ideas:

ONE

Government to lead the way by cleaning its own house. The U.S. government is a significant buyer of industrial control systems technology. Why not use this purchase power to advance the state of ICS security? How about this: As of July 1, 2016 (or whatever reasonable date you choose), new ICS builds relying on federal funds cannot use unauthenticated protocols.

TWO

Require network security monitoring for ICS networks owned by the federal government. Instead of worrying quite so much about enterprise networks (which are important), ask/encourage/incentivize federal ICS owner/operators to install network security monitoring solutions that give defenders insight into anomalies on *ICS* networks. Other technologies such as application whitelisting would also do well in many of those environments. A government push for these solutions on its own ICS networks may spur the market and result in advancement and confidence.

THREE

Fines for Online ICS. As an example, if water provision systems are connected to the public Internet, it must be brought to the water users’ attention. We need a small consequence right now (something like a $5,000 fine) to avoid a big consequence in the future.
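The three ideas above share a common thread: each can be checked against network evidence the owner/operator already has. As an added illustration of what the monitoring in TWO would surface (and how it also exposes the unauthenticated protocols ONE would bar and the Internet-connected systems THREE would fine), here is a small network-security-monitoring pass over ICS flow records. This is example code written for this page, not code from the post or from any product; the flow records are constructed, the port table covers three well-known ICS protocols whose base form carries no authentication (Modbus/TCP 502, DNP3 20000, EtherNet/IP 44818), and the internal address ranges are an assumed site configuration.

```python
# Added example (not from the original post): a minimal network-security-
# monitoring pass over ICS flow records. It flags three conditions:
#   1. a session on an ICS protocol that carries no authentication,
#   2. an ICS endpoint reached from outside the plant's address ranges,
#   3. a source that never talked to that endpoint during a baseline period.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable

# Well-known ports of ICS protocols whose base form has no authentication.
# A real deployment would extend this table from its own asset inventory.
UNAUTHENTICATED_ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Assumed site configuration: the address space considered inside the plant.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<timestamp> <src> <dst> <dport> <bytes>'."""
    _ts, src, dst, dport, nbytes = line.split()
    return Flow(src, dst, int(dport), int(nbytes))


def is_external(addr: str) -> bool:
    """True when the address lies outside every configured internal range."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def learn_baseline(flows: Iterable[Flow]) -> dict:
    """Record which sources talked to each ICS endpoint during a known-good period."""
    baseline: dict = {}
    for f in flows:
        if f.dport in UNAUTHENTICATED_ICS_PORTS:
            baseline.setdefault((f.dst, f.dport), set()).add(f.src)
    return baseline


def check_flow(flow: Flow, baseline: dict) -> list:
    """Return the findings for one flow; an empty list means nothing to report."""
    proto = UNAUTHENTICATED_ICS_PORTS.get(flow.dport)
    if proto is None:
        return []  # not an ICS protocol port; out of scope for this check
    findings = [f"unauthenticated {proto} session {flow.src} -> {flow.dst}:{flow.dport}"]
    if is_external(flow.src):
        findings.append(f"ICS endpoint {flow.dst}:{flow.dport} reached from outside the plant ({flow.src})")
    known = baseline.get((flow.dst, flow.dport), set())
    if flow.src not in known:
        findings.append(f"new talker {flow.src} to {flow.dst}:{flow.dport}; baseline {sorted(known)}")
    return findings


# Constructed records from a known-good week: HMI 10.1.1.20 polls a PLC and an RTU.
BASELINE_LINES = [
    "2016-03-01T08:00:00Z 10.1.1.20 10.1.2.5 502 240",
    "2016-03-01T08:00:05Z 10.1.1.20 10.1.2.6 20000 180",
    "2016-03-01T08:00:10Z 10.1.1.30 10.1.9.9 443 900",
]

# Constructed records from a later night shift; 203.0.113.7 is a documentation
# address standing in for an arbitrary outside host.
LIVE_LINES = [
    "2016-03-08T02:13:00Z 10.1.1.20 10.1.2.5 502 240",
    "2016-03-08T02:14:00Z 203.0.113.7 10.1.2.5 502 64",
    "2016-03-08T02:15:00Z 10.1.1.44 10.1.2.6 20000 90",
    "2016-03-08T02:16:00Z 10.1.1.30 10.1.9.9 443 900",
]


def run_example() -> list:
    """Learn from the baseline, then check the live records; returns (line, findings) pairs."""
    baseline = learn_baseline(parse_flow(line) for line in BASELINE_LINES)
    return [(line, check_flow(parse_flow(line), baseline)) for line in LIVE_LINES]


if __name__ == "__main__":
    for line, findings in run_example():
        for finding in findings:
            print(f"{line.split()[0]}  {finding}")
```

Run as a script, the first finding type appears on every Modbus and DNP3 session, which is exactly the point of idea ONE: counting those sessions on a federally funded build shows how far it is from the "no unauthenticated protocols" bar. The outside-the-plant finding is the condition idea THREE would penalize, and the new-talker finding is the anomaly insight idea TWO asks for. Port-based classification is a heuristic; a production monitor would confirm the protocol by parsing the payload rather than trusting the port.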

I recognize that there are significant details to work out in order to implement each of these ideas. But these action-oriented concepts have at least some direct correlation with the underlying problems facing critical infrastructure cyber security.

Let’s forgo the info-sharing pastime, and focus federal efforts on the foundation of a more secure future.