There is an interesting article over on NextGov.com about plans that CISA has
to use the subpoena authority it was given last year (§1716 of the FY 2021
NDAA, PL 116-283) to help prevent ransomware attacks on critical industrial
control systems.


It appears that CISA intends to use tools like Shodan to search for internet-facing
industrial control system components with known security vulnerabilities. Once
those exposed IP addresses are found, CISA would then subpoena the internet
service providers that hold the address assignments to obtain contact
information for the owners of the vulnerable systems.
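To make the first step concrete, here is an added example (not from the NextGov article, and not CISA's tooling) of the kind of triage that sits behind "we found it today": it takes Shodan-style host records, keeps only the well-known ICS protocol ports, ranks hosts by the highest CVSS score attached to them, and then groups the results by ISP, which is the party CISA would need to subpoena when the record does not identify the owner. The records are constructed, the CVE identifiers are placeholders, and the field names (`ip_str`, `port`, `product`, `org`, `isp`, `vulns`) are an assumption about the shape of Shodan results rather than something the article documents.

```python
"""Offline triage of Shodan-style host records for exposed ICS services.

Added example. The sample records are constructed, the CVE IDs are
placeholders (year 0000), and the field names are assumed to follow the
shape of Shodan host/search results; nothing here talks to the network.
"""
from collections import defaultdict

# Well-known ICS/SCADA protocol ports (IANA registrations / vendor defaults).
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP)",
    47808: "BACnet/IP",
}

# Constructed sample records (documentation address ranges, fake CVE IDs).
SAMPLE_RECORDS = [
    {"ip_str": "198.51.100.10", "port": 502, "product": "Modbus",
     "org": "Example Chem Co", "isp": "Example ISP A", "vulns": {}},
    {"ip_str": "198.51.100.11", "port": 102, "product": "Siemens S7",
     "org": "Example Chem Co", "isp": "Example ISP A",
     "vulns": {"CVE-0000-00001": {"cvss": 7.5}}},
    {"ip_str": "203.0.113.5", "port": 443, "product": "nginx",
     "org": "Example Web Host", "isp": "Example ISP B", "vulns": {}},
    {"ip_str": "203.0.113.20", "port": 44818, "product": "Rockwell",
     "org": None, "isp": "Example ISP B",
     "vulns": {"CVE-0000-00002": {"cvss": 9.8},
               "CVE-0000-00003": {"cvss": 5.3}}},
]


def is_ics_service(record):
    """True when the banner was collected from a known ICS protocol port."""
    return record.get("port") in ICS_PORTS


def triage(records, min_cvss=0.0):
    """Return exposed ICS services, highest CVSS first.

    A host with no attached CVEs is still reported (max_cvss 0.0) because an
    internet-facing control protocol is a finding in its own right; min_cvss
    lets a caller restrict the list to hosts with a scored vulnerability.
    """
    findings = []
    for rec in records:
        if not is_ics_service(rec):
            continue
        vulns = rec.get("vulns") or {}
        top = max((v.get("cvss", 0.0) for v in vulns.values()), default=0.0)
        if top < min_cvss:
            continue
        findings.append({
            "ip": rec["ip_str"],
            "port": rec["port"],
            "protocol": ICS_PORTS[rec["port"]],
            "cves": sorted(vulns),
            "max_cvss": top,
            "org": rec.get("org"),
            "isp": rec.get("isp"),
        })
    findings.sort(key=lambda f: (-f["max_cvss"], f["ip"]))
    return findings


def contacts_needed(findings):
    """Group affected IPs by ISP: the ISP is who gets asked for owner contact.

    Returns {isp: [sorted ips]}; records with no ISP field land under None.
    """
    by_isp = defaultdict(set)
    for f in findings:
        by_isp[f["isp"]].add(f["ip"])
    return {isp: sorted(ips) for isp, ips in by_isp.items()}


if __name__ == "__main__":
    exposed = triage(SAMPLE_RECORDS)
    for f in exposed:
        print(f"{f['ip']}:{f['port']} {f['protocol']} "
              f"max CVSS {f['max_cvss']} CVEs {f['cves'] or '-'}")
    for isp, ips in contacts_needed(exposed).items():
        print(f"ask {isp} for owner contact of: {', '.join(ips)}")
```

Note that the web server on 443 is dropped even though it is internet-facing: the point of the search is control protocols that should never be reachable from the internet at all, not every exposed service.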

The article quotes the current CISA acting director as explaining:

“We’re not gonna be regulating that
company,” Wales said. “But we want to be able to talk directly to the owner and
say you know you’ve got a vulnerable system, it’s out on the internet, and we
found it today but tomorrow, a malicious actor could have found that, exploited
it, and your system could have been down, or worse.”

It looks like the Biden CISA is going to be more proactive
in talking with individual companies about cybersecurity issues. We first saw
this change with the letter CISA sent out to facilities covered by the Chemical
Facility Anti-Terrorism Standards (CFATS) program about the Microsoft email
server vulnerabilities. In that case, not only did CISA reach out to the 3,000+
facilities that are regulated under that program, but also the 33,000 plus
facilities that had submitted Top Screen reports to CISA’s Office of Chemical
Security (the new name for the old Infrastructure Security Compliance Division).
Those facilities were not subsequently regulated under the CFATS program, but
are still facilities of concern to OCS.

It will be interesting to see what happens when CISA finds a CFATS-regulated
company's control systems in one of these internet searches. Under
the cooperative regulatory scheme used in the CFATS program, OCS cannot issue a
blanket instruction to ‘protect’ those vulnerable systems, but it could find
after individual site review, that a particular facility was not complying with
its approved site security plan.

An as-yet unused CFATS authority, 6 CFR 27.230(a)(19), could allow DHS to
establish a new risk-based performance standard (RBPS) that would apply to
internet-facing control systems affecting the security of the DHS chemicals of
interest stored, used or produced at the facility. It is not clear whether
establishing such an RBPS would require the use of the rulemaking process.

There is also the potential that OCS could decide that a currently
non-regulated facility with exposed industrial control systems poses a higher
risk than originally determined and require it to submit a new Top Screen.
That revised risk assessment could, in turn, lead to a determination that the
facility is now regulated under the CFATS program. Again, a new rulemaking
might not be required for that redetermination.
