Kevin Coleman -- Defense Tech Cyberwarfare correspondent
There have been many articles and speeches about the necessity of assessing and securing the critical infrastructure of the United States. In fact, Capitol Hill has held hearings and proposed legislation on the matter. The General Accounting Office has gone out and assessed the security of some critical infrastructure assets, and the Department of Homeland Security (DHS) maintains a database that lists over 80,000 of these assets.
Who should be doing the security assessment on our critical infrastructure? Recently I was given a Request for Proposal (RFP) to review. The RFP was from a critical infrastructure provider. While multiple sections gave me pause for concern, one section clearly stuck out as an issue. The critical infrastructure provider wanted the organization doing the security assessment to provide detailed information about what they were going to test and how they were going to test it.
They asked for the following:
- The proposed testing
- Background of each of the proposed tests
- Objectives of each of the proposed tests
- The benefits of each of the proposed tests
- The methodology / approach for each of the proposed tests
- The location(s) where testing will be done
- The output or deliverables to be presented at completion of each of the proposed tests
It was clear the organization wanted to do things their way: the document neither adhered to nor even mentioned any security standard (for example, the ISO 27000 series). Nor was there any mention of conducting CFI blind tests (no prior knowledge) or CFI spot tests (spur of the moment, with no time to prepare) to ensure the integrity of the testing. Their stated goal was to evaluate the adequacy and effectiveness of security measures and controls. Is this an acceptable approach to testing the critical infrastructure?