Information Security News mailing list archives

Movement afoot to beef up industrial cybersecurity


From: InfoSec News <isn () c4i org>
Date: Tue, 30 Apr 2002 04:03:56 -0500 (CDT)

http://www.computerworld.com/storyba/0,4125,NAV47_STO70587,00.html

By DAN VERTON 
April 26, 2002

Federal officials and experts from the private sector have started the
long-awaited process of studying the IT security requirements of the
nation's industrial-control systems, which link critical systems in
the electric, oil and natural gas industries.

Through a series of relatively obscure meetings this month, senior
officials from the president's Critical Infrastructure Protection
Board, the National Institute of Standards and Technology (NIST), and
the U.S. Department of Commerce have asked the private sector for
detailed advice on how to improve cybersecurity for the nation's most
critical industrial-control systems. The private sector's
recommendations will be included in the next version of the Bush
administration's national cybersecurity plan, which is scheduled for
release in July.

Long before the Sept. 11 terrorist attacks on the U.S., the power
industry's demand for remote access encouraged many utility companies
to establish network connections between corporate systems and the
Supervisory Control and Data Acquisition (SCADA) systems that manage
and control the flow of electricity and perform various other critical
functions throughout the energy sector. The movement to Web-based
connections has made these systems increasingly vulnerable to
disruptions and attacks in cyberspace, especially because of the lack
of standards to help the private sector to design security hardware
and software that can be used in SCADA and other industrial systems.

"To prevent or reduce the serious threat of cyberattack on SCADA
systems, improved firewalls and cyberintrusion detection must be
implemented," said Ed Badolato, president of Washington-based
Contingency Management Services Inc. and a former deputy assistant
secretary for energy emergencies at the U.S. Department of Energy. "A
number of task forces are examining the manner in which data is
transmitted between control points to improve security and reduce the
potential for hacking or disruption," he said.

One such team includes representatives from the Pentagon, the Energy
Department and the Institute for Defense Analysis, a nonprofit think
tank in Alexandria, Va. On April 4, officials from these organizations
held a classified "Red Team" meeting to discuss an upcoming
threat-assessment exercise focusing on industrial control systems.

However, Joe Weiss, formerly a control systems security expert at the
Palo Alto, Calif.-based Electric Power Research Institute who now
works as a private consultant at Fairfax, Va.-based KEMA Consulting,
said awareness of security issues is still a major challenge, and
security classification issues, while necessary, exacerbate those
challenges.

"The awareness level is still very low," said Weiss, especially among
end users and vendors. In addition, traditional IT security
organizations, such as the CERT Coordination Center at Carnegie Mellon
University in Pittsburgh, "don't know how to look for control system
issues," said Weiss. He added that it might be necessary to establish
a separate entity to conduct control system incident analysis.

With awareness, "It's the Y2k issue all over again," Weiss said.
"Control systems in general do not have intrusion detection systems
and firewalls, so how would you even know of an incident?" he said.
But these systems represent a critical priority in the federal
critical infrastructure protection plan, Weiss said, adding, "They're
what keep the lights on and water flowing."
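The article's two technical points are that corporate networks were wired into SCADA systems for remote access, and that the control side typically had no firewall or intrusion detection to show when that link was being used in an unexpected way. The following is an added example (not code from the article or from any of the organisations it names) of the simplest form of visibility a defender can bootstrap: a zone-crossing check run over connection-log lines. The zones, hosts, allowed crossings and log format are all constructed assumptions; only the well-known Modbus/TCP (502) and DNP3 (20000) port numbers are real.

```python
# Added example, not from the article: flag connections entering an assumed
# control-system zone from corporate or external addresses, unless the
# (src, dst, port) triple is on an explicit allow list.
import ipaddress
from dataclasses import dataclass

# Assumed network zones (constructed for this example).
ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "control": ipaddress.ip_network("10.200.0.0/24"),
}

# Control-protocol listeners worth naming in a finding. Modbus/TCP on 502 and
# DNP3 on 20000 are the real registered ports; nothing else is assumed.
CONTROL_PORTS = {502: "modbus", 20000: "dnp3"}

# Assumed policy: one engineering jump host may reach one historian interface
# on the Modbus port; every other crossing into the control zone is reported.
ALLOWED_CROSSINGS = {("10.1.5.10", "10.200.0.50", 502)}


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    src: str
    dst: str
    dport: int


def zone_of(addr):
    """Return the zone name for an address, or 'external' if in no zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def parse_line(line):
    # Constructed log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
    _ts, src, _arrow, dst, proto = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return src_ip, dst_ip, int(dport), proto


def check_flows(lines):
    """Return a Finding for every unapproved connection into the control zone."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        src, dst, dport, _proto = parse_line(line)
        if zone_of(dst) != "control":
            continue  # only traffic entering the control zone matters here
        src_zone = zone_of(src)
        if src_zone == "control":
            continue  # intra-zone traffic is out of scope for this check
        if (src, dst, dport) in ALLOWED_CROSSINGS:
            continue  # explicitly approved path
        if src_zone == "external":
            reason = "external source reached control zone"
        elif dport in CONTROL_PORTS:
            reason = f"unapproved corporate access to {CONTROL_PORTS[dport]}"
        else:
            reason = "unapproved corporate-to-control connection"
        findings.append(Finding(n, reason, src, dst, dport))
    return findings


# Constructed sample connection log (addresses and times are made up).
SAMPLE_LOG = """\
2002-04-26T10:00:01 10.1.5.10:41000 -> 10.200.0.50:502 tcp
2002-04-26T10:00:05 10.1.7.22:41001 -> 10.200.0.50:502 tcp
2002-04-26T10:00:09 10.200.0.12:3000 -> 10.200.0.50:502 tcp
2002-04-26T10:00:12 198.51.100.7:55000 -> 10.200.0.60:20000 tcp
2002-04-26T10:00:15 10.1.7.22:41002 -> 10.200.0.60:22 tcp
"""

if __name__ == "__main__":
    for f in check_flows(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.reason} ({f.src} -> {f.dst}:{f.dport})")
```

Run against the sample log, the check accepts the approved jump-host path and the intra-zone flow, and reports the other three lines. The design point is that the allow list is the whole policy: anything crossing into the control zone that is not on it is a finding, which is the opposite default from a flat network where the SCADA link simply exists and nobody is asked about it.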

"Most people in the industry understand that current SCADA security
urgently needs to be reviewed and upgraded, and we will need a lot of
R&D in this area," said Badolato.

On April 3, the NIST-sponsored Process Controls Security Forum (PCSRF)
met in Gaithersburg, Md., to develop the minimum-security requirements
for control systems. So far, a draft standards document has been
issued for review.



-
ISN is currently hosted by Attrition.org
