My post on three ideas for advancing ICS security at a federal level received some comments from Andy Robinson on Twitter. You can read the thread here.

Ideas to make it better. I like. RT @DfnsvTargeteer: Three ideas for federal advancement of ICS security http://t.co/LCaVL7dysz

— Andy Robinson 🌻 (@AndyTheFounder) January 12, 2015

Andy liked my post but took issue with idea number 3:

“Fines for Online ICS. As an example, if water provision systems are connected to the public Internet, it must be brought to the water users’ attention. We need a small consequence right now (something like a $5,000 fine) to avoid a big consequence in the future.”

Essentially, Andy posits that government should help utilities, particularly municipal water provisioners, rather than fine them.

He thinks the punishment should be something like traffic school instead of just slapping them with a fine. He dislikes the idea of transferring funds from already struggling municipalities to the federal government, which only increases taxpayer burden.

That is a fair objection.

Twitter is not an apt medium for discussing some of the broader context of my idea. So here goes:

1. Finding online ICS

Just about anyone can find online ICS. Shodan, ZoomEye, SCADASL cheat sheet. It is not hard. That’s not to say that every online ICS is vulnerable either. But I think being online does make it a target — at least for opportunistic attackers. What we saw with Black Energy supports that.

2. The problem is getting worse

If you go back to Eireann Leverrett’s work on Internet-connected ICS in 2011, and repeat the searches today, you see that in most cases, the number of hits has dramatically increased. Granted, maybe Shodan’s scanning and parsing have also improved, but the assertion that more ICS are being connected to the Internet today is confirmed by Project Shine. We are connecting more ICS to the Internet. The problem is getting worse.

3. Contacting the owner

The problem we want to address is getting the offending systems segmented from the public Internet. The hang-up is that many of these IP addresses are registered to Internet Service Providers (ISPs). There is currently no way to compel the ISP to disclose who owns/operates a particular IP address. Essentially you can’t warn who you can’t reach. There could be privacy and free speech issues here, but also public safety concerns.

4. Assigning responsibility

Even if we know who owns an Internet connected ICS, we don’t know who decided to put it on the Internet (in many cases they probably didn’t “mean” to). Many water systems rely on third party engineers for about every operational aspect of their system. In many cases, it is the engineer’s “fault”. They might know how to specify pumps, but they might not know what a VPN is. Assigning ultimate responsibility is the job of the system owners.

5. Ratepayers must bear the burden at the end of the day

The fact of the matter is that rate-payers have to bear the cost of increased security. It might be unpleasant, but they reap the benefits of a more secure system, ergo, they should pay for what it costs.

6. A fine versus “traffic school”

The “Traffic school” idea is a fair one. We all like to give someone a chance cause they don’t know better — alter behavior though education. I would simply point out that the federal government has offered free trainings for years. Sure take the trainings, I hope they help, but knowing and doing are two different things. Don’t leave it to goodwill alone.

7. Threat of fines will be sufficient in most cases

My belief is that if the DHS or EPA or whoever is the appropriate agency contacts the owner/operator of an Internet-connected ICS and says “we have statutory authority to fine you $5,000 for connecting your industrial control system to the public Internet; however, we will forebear in this instance if you segregate your network within 15 days”, that will effectively get the job done without actually issuing a fine.

CONCLUSION

Now, I understand that creating a regulatory regime would be fraught with costs; defining terms would be a chore. There are burdens of proof, there are protocols for receiving and processing complaints, records must be kept. And there could even be litigation.

I’m not entirely convinced the “fines for online ICS” proposal is “worth it”; but I am convinced that it has a more direct connection with enhancing the cyber security of industrial control systems in the USA than many other programs have had to date.

In September Critical Intelligence held its inaugural CounterIntel Conference and Training in beautiful Park City, Utah. It was probably the most eye-opening security conference I have ever attended. This owes primarily to the outstanding speakers. You can take a look at the full lineup here.

As several recent blog posts have dealt with information sharing, I wanted to relate the on-point comments provided by Mark Weatherford who delivered the keynote address. Mark has an impressive resume, as a former Naval Cryptologic Officer, former DHS Deputy Undersecretary for Cyber Security, and now Principal at the Chertoff Group.

I have heard Mr. Weatherford speak on previous occasions, but I was unprepared for his candor — which had me scribbling furiously away. Here were some gems:

“Government thinks they know what’s right for private industry. That’s wrong and it’s wrong-headed.”

“The government is incapable of providing timely and actionable intelligence to the private sector today.”

“Good intelligence is integrated across sources.”

“Public-private partnership is probably not going to work out, at least in the near term, in a way satisfactory to the private sector.”

“In our business there simply isn’t time to get everyone’s opinion prior to making a decision”

“There is a mystique around classified information — but once people get access to it they are severely disappointed.”

I was more than surprised to hear a former DHS cybersecurity official make those statements. But I think that makes them all the weightier.

Over the past several years I have witnessed a line of federal leaders push information sharing like it is the absolute solution to forever ensuring the cyber security of the infrastructures on which Americans rely. We have had testimony in congressional hearings, proposed and passed legislation, executive orders, NIST info sharing guidance, and WashPost op/eds proclaiming the indispensable nature of information sharing for the preservation of the country.

While fans may show up to watch deceased baseball greats compete on the Field of Dreams, we aren’t talking about the American pastime; we are talking about American infrastructure. We don’t need fans. We need action.

There are three fundamental problems to securing the industrial control systems (ICS) at the heart of our infrastructure that info sharing will never address:

• insecure control system architectures
• insecure control systems products
• insecure control systems communication protocols

Make no mistake: I am an intelligence and information sharing professional. I have been serving the unique intelligence needs of the country’s largest utilities for 8 years, the first two building out the DHS control systems cyber situational awareness effort that became the ICS-CERT, and next six as the Director of Analysis of the only commercial vulnerability and threat intelligence organization to focus specifically and exclusively on industrial control systems. I believe that intelligence and information sharing have a role to play. But that role is to inform appropriate action. It is not a sufficient solution in and of itself.

In an attempt to advance conversation about how to address the core issues at a federal level, I submit the following action-oriented ideas:

ONE

Government to lead the way by cleaning its own house. The U.S. government is a significant buyer of industrial control systems technology. Why not use this purchase power to advance the state of ICS security? How about this: As of July 1, 2016 (or whatever reasonable date you choose), new ICS builds relying on federal funds cannot use unauthenticated protocols.

TWO

Require network security monitoring for ICS networks owned by the federal government. Instead of worrying quite so much about enterprise networks (which are important),  ask/encourage/incentivize federal ICS owner/operators to install network security monitoring solutions that provide defenders insight into anomalies on *ICS* networks. Other technologies such as application whitelisting would also do well in many of those environments. The government push for these solutions on its ICS networks may spur the market and result in advancement and confidence.

THREE

Fines for Online ICS. As an example, if water provision systems are connected to the public Internet, it must be brought to the water users’ attention. We need a small consequence right now (something like a $5,000 fine) to avoid a big consequence in the future.

I recognize that there are significant details to work out in order to implement each of these ideas. But these action-oriented concepts have at least some direct correlation with the underlying problems facing critical infrastructure cyber security.

Let’s forgo the info-sharing pastime, and focus federal efforts on the foundation of a more secure future.