Information Sharing in the Process Control Systems Forum Assessing Liability Issues

The Process Control Systems Forum (http://www.pcsforum.org) is an open, collaborative, voluntary forum established by the Department of Homeland Security. The purpose of the Forum is to accelerate the development of technology that will enhance the security, safety, and reliability of process control systems (PCS) and supervisory control and data acquisition (SCADA) systems. It is intended as a venue for technologists from user sectors, vendors, and academia. The Forum is not a standards body. Within the Forum, there is a variety of working groups and interest groups that are focused on specific subject areas. One such Interest Group is addressing how to create a ''safe zone'' for critical information sharing. This Interest Group is concerned with topics such as: trade-offs between maintaining security and sharing best practices; secure mechanisms for sharing of critical information; legal issues associated with sharing information; institutional impediments to sharing best practices and relevant incidents; finding a meaningful manner of exchange for sharing process control security events, incidents, audit logs, etc.; and creating a database of relevant industrial cyber events. The purpose of this white paper is to address liability issues that might arise from sharing of critical information such as recommended ''best practices''. There is a concern that by publishing ''best practices'' or similar information, the Forum or its members might be inadvertently assuming some liability. The following scenarios illustrate the concerns about potential liability.