Updated: 9/2/08; 7:23:45 AM.
Gary Mintchell's Feed Forward
Manufacturing and Leadership.
        

Wednesday, August 27, 2008

Guest blog from Wes Iversen who is in La Jolla for a process control safety forum.

There were some interesting sessions at the opening day of the Process Control Systems Industry Conference Tuesday in La Jolla, Calif., though a couple of sessions were closed to the press--apparently the information presented was too sensitive to risk leaking to any bad guys who might be reading the trade press news columns.

The opening keynote was by Phyllis Schneck, vice president, research integration, for Secure Computing Corp., and chairman emeritus, board of directors, for an organization known as the InfraGard National Members Alliance. Schneck is credited with building the InfraGard into what it is today--an organization with 26,000 members in 86 communities nationwide that focuses on information sharing between the private sector and the Federal Bureau of Investigation, as well as other law enforcement agencies. Some in the audience of around 250 attendees at the conference are InfraGard members.

All of the 86 communities have relationships with a local FBI agent. Each of the 26,000 members has been vetted by the FBI. The group aims to create a "circle of trust," so that private sector members know who to call if they have a problem or want to report something suspicious. At the same time, "the FBI looks at us as 26,000 sets of eyes and ears," Schneck said.

A panel later in the day--consisting of two FBI representatives and a member of the Royal Canadian Mounted Police--provided a law enforcement perspective on control systems cyber incident handling. Cyber crime is now considered the third highest priority within the FBI, said Scott Huntsberry, FBI supervisory special agent, Cyber Division/Computer Intrusion. All 56 FBI field offices now have trained cyber investigators, he said. He added that the FBI "recognizes that SCADA is different," and the Bureau is doing additional training to equip a group of agents specifically to deal with SCADA cyber crime incidents.

Jeff Morgan, process control systems analyst for the FBI's Cyber Division, is dedicated full time to SCADA--a first for the FBI, he said. He's been in that job for about a year, and has noticed that the water sector seems to be producing the most reports of SCADA cyber incidents. "Every time I turn around, something is coming in from the water sector. That's the one that seems to be hitting me the most," Morgan said. He added that the FBI is currently in the middle of prosecuting the first SCADA criminal case in the Bureau's history, and it's a case involving the water sector.

The FBI is trying to encourage more reporting of cyber incidents from the SCADA and control systems communities. The Bureau is aware that some occurrences in the past have raised concerns that might inhibit such reporting. The list includes fears that a cyber criminal investigation could extend process downtime, that assets could be seized by the Bureau, or that information about a reported incident might get out to the media. But the FBI is taking steps to be more sensitive to these concerns, Morgan and Huntsberry said.

The same goes for the Royal Canadian Mounted Police. "Law enforcement evidence gathering procedures don't have to conflict with process control system uptime," said Clint Baker, a sergeant in the RCMP's Integrated Technological Crime Unit. Regarding fears of bad publicity, a new law in Canada can be invoked that enables asset owners to know that cyber incidents reported can be protected from public disclosure, Baker said. Likewise in the United States, reports of cyber incidents can be protected from disclosure under the Freedom of Information Act for companies that register under the Protected Critical Infrastructure program, Huntsberry said.

On another front, the ISA Security Compliance Institute (ISCI) held a separate meeting following the Tuesday Process Control Systems conference to discuss status and encourage participation. The ISCI is defining a test specification for certification of control systems products to a defined set of control system security standards. Control systems receiving certification will receive the ISASecure mark.

Mu Dynamics and Wurldtech have both committed to donating test specifications to the ISCI. These will provide the basis for the first version of the ISASecure certification, said Andre Ristaino, managing director of the ISA Automation Standards Compliance Institute, which provides ISCI management. "We expect by the end of the year to have a draft of an embedded controller security specification," said Ristaino. "And by the first quarter of 2009, we think it's possible that we could be doing compliance testing."

Wes Iversen

7:06:19 AM

© Copyright 2008 Gary Mintchell.
 