It looks like pretty good timing. Less than a week after a couple of critical infrastructure experts bemoaned the ongoing lack of security in the industry, the US National Institute of Standards and Technology (NIST) is out with the draft of the fifth revision of its Security and Privacy Controls for Information Systems and Organizations (Special Publication 800-53), with some specific emphasis on that sector.
Early on, in a section titled Notes to Reviewers, NIST declares:
There is an urgent need to further strengthen the underlying information systems, component products, and services that we depend on in every sector of the critical infrastructure – ensuring those systems, components, and services are sufficiently trustworthy and provide the necessary resilience to support the economic and national security interests of the United States.
So, will that call to action move the industry at least a credible step toward retiring the specter of a “cyber Pearl Harbor” attack against the US grid or other critical infrastructure?
Not likely, it seems. While the draft – nearly 500 pages long – makes more than a dozen mentions of critical infrastructure, along with a couple of references to industrial control systems (ICS), it is not expected to move the needle all that much.
The most compelling evidence for that is right in the document, if you can make it to page 174, where it says:
The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable laws, Executive Orders, directives, policies, regulations, standards, and guidelines.
In other words, nothing new to see here. The “requirement and guidance” are based on what already exists, which has resulted in what Galina Antova, cofounder and chief business development officer at Claroty, called “The Lost Decade of Information Security”.
Joe Weiss, managing partner of Applied Control Solutions, who complained over the past several weeks in posts on his Unfettered blog about a lack of security in ICS process sensors, noted that in spite of numerous references in this new draft to “sensors” and “process controls”, there is nothing in all the “laws, Executive Orders, directives …” etc. that even mentions process sensors. He said:
This is a really big deal, but still, not one of our [ICS] vendors makes authenticated process sensors today.
Another ICS expert, who couldn’t speak for attribution “because of employment stuff,” said in his view such documents amount to
… lots of words and lofty goals, but I really don’t see much changing until things get out of control and dangerous to the point of diminishing returns at all levels of society. Then there won’t be any other choice, but at that point will we even have a choice? Gloomy times ahead from my perspective, sorry to say.
Not everybody’s view is that bleak. David Shearer, CEO of (ISC)2, an international nonprofit membership association for information security professionals, said he agrees that if attackers are able to get control of elements of ICS infrastructure and change what it does, there could be “catastrophic outcomes” in everything from medicine to food safety, manufacturing and critical infrastructure, adding:
A threat actor assuming control of an ICS for a dam floodgate, electrical infrastructure, a fossil or nuclear fueled power plant could have life, limb and property implications.
But, he said he is encouraged that NIST is raising awareness that “the argument that ICS enjoys security through obscurity has quickly become a thing of the past,” and that “critical infrastructure cannot be an afterthought”.
And James Scott, cofounder and senior fellow at ICIT (Institute for Critical Infrastructure Technology), said it is important to note that in the private sector, NIST can only persuade, since it doesn’t have the authority to sanction private-sector organizations that fail to meet its standards.
Their standards are just that – standards – and there are no actual requirements on industry to use them to make their organizational IoT microcosms more cybersecure. NIST is doing all they can with the powers that have been allocated to them.
Of course, NIST can and does mandate the controls it lists for all “federal information systems and organizations … in accordance with the provisions of the Federal Information Security Modernization Act (FISMA)”.
And, given that the federal government is, by orders of magnitude, the biggest “business” in the country, that should carry considerable weight.
But Scott said Congress still needs to get a lot more aggressive with the private sector, passing legislation that will
…enforce these standards with heavy penalties for those organizations that are breached due to not using these standards. A gentle tap on the shoulder with a hint at standards is the reason our critical infrastructure lacks resiliency.