The DHS CISA Cybersecurity Advisory Committee held a conference call Thursday, March 31, 2022, that discussed current CISA Cybersecurity Advisory Committee activities and the Government’s ongoing cybersecurity initiatives. The meeting was for the Committee members to hear updates and discuss progress as it relates to the CISA Cybersecurity Advisory Committee’s six subcommittees: (1) Transforming the Cyber Workforce Subcommittee; (2) Turning the Corner on Cyber Hygiene Subcommittee; (3) Igniting the Hacker Community Subcommittee; (4) Protecting Critical Infrastructure from Misinformation and Disinformation Subcommittee; (5) Building Resilience and Reducing Systemic Risk to Critical Infrastructure Subcommittee; and (6) Strategic Communications Subcommittee. The summary can be found at https://www.cisa.gov/news/2022/03/31/readout-cisas-second-cybersecurity-advisory-committee-meeting.
I provided comments on issues that will be considered by the Committee. As can be seen, my comments apply to many of the Subcommittees and also apply internationally. CISA’s Eric Goldstein responded to my comments that sensors were indeed important. He mentioned the thousands of OT vulnerability disclosures and the severity of some of those disclosures based on the CVE criteria. However, none of the disclosures were for process sensors. Moreover, the CVE criteria do not apply to process sensors even though these devices have no cyber security. What is necessary is to add a person with engineering expertise to Subcommittee 5 on critical infrastructure that can also coordinate with the other subcommittees on control system-unique considerations. Without a detailed understanding of control system device limitations, it is not possible to know if the Committee’s recommendations can apply to control system devices or could possibly do harm. The process sensor issue, where intrinsic safety conflicts with cyber security, is one example where this knowledge is needed.
