Volunteering falls short on threat information sharing

Critical infrastructure security apparently has its own version of Don’t Ask, Don’t Tell, despite calls in the public and private sector for better information sharing.

And this one goes both ways. The private sector is not telling the government about its vulnerabilities, and government is also keeping threat and vulnerability information from the private sector.

Reuters reported last week that two scheduled presentations at the 12th ICS Cyber Security Conference about a nuclear power plant’s possible vulnerabilities to cyberattacks were cut at the last minute, after an equipment supplier to the plant threatened to sue.

The unnamed vendor reportedly said the presentations would have revealed too much about its equipment, even though the plant’s officials had approved the presentation.

The threatened suit was not an isolated instance. Those at the conference were also told that “a security firm that had uncovered the thousands of pieces of control equipment exposed to online attacks did not tell U.S. authorities where they were installed because it feared being sued by the equipment owners,” Reuters reported.

On the public-sector side, conference attendees heard that the government has kept secret for five years a technique it discovered for attacking electricity generation equipment. That, the report said, meant that potential targets “had not realized they were vulnerable and therefore did not buy hardware needed to protect themselves.”

As has been reported numerous times, information sharing between the private and public sector — especially regarding the control systems of critical infrastructure — was one of the things Congress had hoped to address with cybersecurity legislation. After the latest of those bills, the 2012 Cyber Security Act (CSA), failed to come to a vote in the Senate in August, President Obama has been signaling for months that he would seek to implement some of the same things by executive order.

A couple of drafts of that order have leaked, but it is expected to be issued only if the president wins a second term in today’s election.

The Federal Times said the order “would direct agencies to share cyber threat information with companies operating critical infrastructure,” but would only askprivate firms to share information with the government, although that request would come with some incentives.

While both political parties blame the other for the failure of legislation, both also say they agree on the need for information sharing. But at the present, it seems those in the private and public sector directly involved in infrastructure security don’t think it’s a good enough idea to actually do it.

[INDUSTRY VIEW: 4 factors for avoiding cyber espionage attacks]

The reasons, say experts, are both legal and economic. Marc Zwillinger, an attorney with the Washington, D.C. law firm ZwillGen, said: “Providing information to the government that causes a third party to lose significant business always creates liability risks. There’s a possibility that either you are wrong, or that someone else will make it extremely expensive to prove that you are right, which may be crippling and distracting.”

“Of course, providing information that causes your own company to lose business could also be perceived as potential career-ending risk for the individuals involved,” he said.

Rebecca Herold, CEO of The Privacy Professor, notes that, as has been widely reported, many control systems are old, and were not designed with security or even Internet connectivity in mind.

“When the utilities are thinking about the release of the equipment vulnerabilities, they are probably first thinking, ‘How can we monitor all these locations once the vulnerabilities are reported to the public?’ That is probably one of their key concerns,” she said.

Kevin McAleavey, cofounder and chief architect of the KNOS Project, said he believes “the bad guys” are already aware of vulnerabilities in control systems. “[But] if the customers found out about the vulnerabilities, the manufacturer would have to fix their products or replace them and that would give the customer the opportunity to buy from another vendor with a possibly more secure product if the vendor hasn’t redesigned the existing product,” he said. “So there’s your motive.”

Would either legislation or an executive order fix that problem?

Kevin McAleavey believes so. “When it comes to critical infrastructure that is life-critical, information must be shared, and vendors who refuse to mitigate their security issues need to be exposed,” he said. “Sadly it will probably require legislative or executive action to make this so.”

Marc Zwillinger said the protection of proprietary information is a legitimate concern, “but there are also ways to make relevant disclosures that minimize the privacy risk. It’s not clear if legislation or an EO would solve the information-sharing problem,” he said, “but it isn’t going to solve itself.”

“It would likely be effective to have government groups such as NIST (National Institute of Standards and Technology), NAESB (North American Energy Standards Board) and the SGIP (Smart Grid Interoperability Panel) work with all the entities involved to establish standards for identifying such vulnerabilities, as well as threats, and then create standards and procedures for rolling out fixes for them,” Herold said.

“An associated law or regulation could then require the involved entities to follow the established standards and procedures, as appropriate for their risks,” she said.