Fines or “Traffic School” for Online ICS?

My post on three ideas for advancing ICS security at a federal level received some comments from Andy Robinson on Twitter. You can read the thread here.

https://twitter.com/archestranaut/status/554777416892039168

Andy liked my post but took issue with idea number 3:

“Fines for Online ICS. As an example, if water provision systems are connected to the public Internet, it must be brought to the water users’ attention. We need a small consequence right now (something like a $5,000 fine) to avoid a big consequence in the future.”

Essentially, Andy posits that government should help utilities, particularly municipal water provisioners, rather than fine them.

He thinks the punishment should be something like traffic school instead of just slapping them with a fine. He dislikes the idea of transferring funds from already struggling municipalities to the federal government, which only increases taxpayer burden.

That is a fair objection.

Twitter is not an apt medium for discussing some of the broader context of my idea. So here goes:

1. Finding online ICS

Just about anyone can find online ICS using Shodan, ZoomEye, or the SCADASL cheat sheet. It is not hard. That’s not to say that every online ICS is vulnerable. But I think being online does make it a target, at least for opportunistic attackers. What we saw with BlackEnergy supports that.

2. The problem is getting worse

If you go back to Eireann Leverett’s work on Internet-connected ICS in 2011 and repeat the searches today, you see that in most cases the number of hits has dramatically increased. Granted, maybe Shodan’s scanning and parsing have also improved, but the assertion that more ICS are being connected to the Internet today is confirmed by Project Shine. We are connecting more ICS to the Internet. The problem is getting worse.

3. Contacting the owner

The problem we want to address is getting the offending systems segmented from the public Internet. The hang-up is that many of these IP addresses are registered to Internet Service Providers (ISPs). There is currently no way to compel the ISP to disclose who owns/operates a particular IP address. Essentially you can’t warn who you can’t reach. There could be privacy and free speech issues here, but also public safety concerns.

4. Assigning responsibility

Even if we know who owns an Internet-connected ICS, we don’t know who decided to put it on the Internet (in many cases they probably didn’t “mean” to). Many water systems rely on third-party engineers for just about every operational aspect of their system. In many cases, it is the engineer’s “fault.” They might know how to specify pumps, but they might not know what a VPN is. Assigning ultimate responsibility is the job of the system owners.

5. Ratepayers must bear the burden at the end of the day

The fact of the matter is that ratepayers have to bear the cost of increased security. It might be unpleasant, but they reap the benefits of a more secure system; ergo, they should pay for what it costs.

6. A fine versus “traffic school”

The “traffic school” idea is a fair one. We all like to give someone a chance because they don’t know better, and to alter behavior through education. I would simply point out that the federal government has offered free trainings for years. Sure, take the trainings, and I hope they help, but knowing and doing are two different things. Don’t leave it to goodwill alone.

7. Threat of fines will be sufficient in most cases

My belief is that if the DHS or EPA or whoever is the appropriate agency contacts the owner/operator of an Internet-connected ICS and says “we have statutory authority to fine you $5,000 for connecting your industrial control system to the public Internet; however, we will forbear in this instance if you segregate your network within 15 days”, that will effectively get the job done without actually issuing a fine.

CONCLUSION

Now, I understand that creating a regulatory regime would be fraught with costs; defining terms would be a chore. There are burdens of proof, there are protocols for receiving and processing complaints, records must be kept. And there could even be litigation.

I’m not entirely convinced the “fines for online ICS” proposal is “worth it”; but I am convinced that it has a more direct connection with enhancing the cyber security of industrial control systems in the USA than many other programs have had to date.