[ISN] Movement afoot to beef up industrial cybersecurity

From: InfoSec News (isnat_private)
Date: Tue Apr 30 2002 - 02:03:56 PDT

  • Next message: InfoSec News: "[ISN] New Stealth Attack Found Against Personal Firewalls"

    http://www.computerworld.com/storyba/0,4125,NAV47_STO70587,00.html
    
    By DAN VERTON 
    April 26, 2002
    
    Federal officials and experts from the private sector have started the
    long-awaited process of studying the IT security requirements of the
    nation's industrial-control systems, which link critical systems in
    the electric, oil and natural gas industries.
    
    Through a series of relatively obscure meetings this month, senior
    officials from the president's Critical Infrastructure Protection
    Board, the National Institute of Standards and Technology (NIST), and
    the U.S. Department of Commerce have asked the private sector for
    detailed advice on how to improve cybersecurity for the nation's most
    critical industrial-control systems. The private sector's
    recommendations will be included in the next version of the Bush
    administration's national cybersecurity plan, which is scheduled for
    release in July.
    
    Long before the Sept. 11 terrorist attacks on the U.S., the power
    industry's demand for remote access encouraged many utility companies
    to establish network connections between corporate systems and the
    Supervisory Control and Data Acquisition (SCADA) systems that manage
    and control the flow of electricity and perform various other critical
    functions throughout the energy sector. The movement to Web-based
    connections has made these systems increasingly vulnerable to
    disruptions and attacks in cyberspace, especially because of the lack
    of standards to help the private sector to design security hardware
    and software that can be used in SCADA and other industrial systems.
    
    "To prevent or reduce the serious threat of cyberattack on SCADA
    systems, improved firewalls and cyberintrusion detection must be
    implemented," said Ed Badolato, president of Washington-based
    Contingency Management Services Inc. and a former deputy assistant
    secretary for energy emergencies at the U.S. Department of Energy. "A
    number of task forces are examining the manner in which data is
    transmitted between control points to improve security and reduce the
    potential for hacking or disruption," he said.
    
    One such team includes representatives from the Pentagon, the Energy
    Department and the Institute for Defense Analysis, a nonprofit think
    tank in Alexandria, Va. On April 4, officials from these organizations
    held a classified "Red Team" meeting to discuss an upcoming
    threat-assessment exercise focusing on industrial control systems.
    
    However, Joe Weiss, formerly a control systems security expert at the
    Palo Alto, Calif.-based Electric Power Research Institute who now
    works as a private consultant at Fairfax, Va.-based KEMA Consulting,
    said awareness of security issues is still a major challenge, and
    security classification issues, while necessary, exacerbate those
    challenges.
    
    "The awareness level is still very low," said Weiss, especially among
    end users and vendors. In addition, traditional IT security
    organizations, such as the CERT Coordination Center at Carnegie Mellon
    University in Pittsburgh, "don't know how to look for control system
    issues," said Weiss. He added that it might be necessary to establish
    a separate entity to conduct control system incident analysis.
    
    With awareness, "It's the Y2k issue all over again," Weiss said.  
    "Control systems in general do not have intrusion detection systems
    and firewalls, so how would you even know of an incident?" he said.  
    But these systems represent a critical priority in the federal
    critical infrastructure protection plan, Weiss said, adding, "They're
    what keep the lights on and water flowing."
    
    "Most people in the industry understand that current SCADA security
    urgently needs to be reviewed and upgraded, and we will need a lot of
    R&D in this area," said Badolato.
    
    On April 3, the NIST-sponsored Process Controls Security Forum (PCSRF)  
    met in Gaithersburg, Md., to develop the minimum-security requirements
    for control systems. So far, a draft standards document has been
    issued for review.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Apr 30 2002 - 12:39:24 PDT