http://www.computerworld.com/storyba/0,4125,NAV47_STO70587,00.html By DAN VERTON April 26, 2002 Federal officials and experts from the private sector have started the long-awaited process of studying the IT security requirements of the nation's industrial-control systems, which link critical systems in the electric, oil and natural gas industries. Through a series of relatively obscure meetings this month, senior officials from the president's Critical Infrastructure Protection Board, the National Institute of Standards and Technology (NIST), and the U.S. Department of Commerce have asked the private sector for detailed advice on how to improve cybersecurity for the nation's most critical industrial-control systems. The private sector's recommendations will be included in the next version of the Bush administration's national cybersecurity plan, which is scheduled for release in July. Long before the Sept. 11 terrorist attacks on the U.S., the power industry's demand for remote access encouraged many utility companies to establish network connections between corporate systems and the Supervisory Control and Data Acquisition (SCADA) systems that manage and control the flow of electricity and perform various other critical functions throughout the energy sector. The movement to Web-based connections has made these systems increasingly vulnerable to disruptions and attacks in cyberspace, especially because of the lack of standards to help the private sector to design security hardware and software that can be used in SCADA and other industrial systems. "To prevent or reduce the serious threat of cyberattack on SCADA systems, improved firewalls and cyberintrusion detection must be implemented," said Ed Badolato, president of Washington-based Contingency Management Services Inc. and a former deputy assistant secretary for energy emergencies at the U.S. Department of Energy. "A number of task forces are examining the manner in which data is transmitted between control points to improve security and reduce the potential for hacking or disruption," he said. One such team includes representatives from the Pentagon, the Energy Department and the Institute for Defense Analysis, a nonprofit think tank in Alexandria, Va. On April 4, officials from these organizations held a classified "Red Team" meeting to discuss an upcoming threat-assessment exercise focusing on industrial control systems. However, Joe Weiss, formerly a control systems security expert at the Palo Alto, Calif.-based Electric Power Research Institute who now works as a private consultant at Fairfax, Va.-based KEMA Consulting, said awareness of security issues is still a major challenge, and security classification issues, while necessary, exacerbate those challenges. "The awareness level is still very low," said Weiss, especially among end users and vendors. In addition, traditional IT security organizations, such as the CERT Coordination Center at Carnegie Mellon University in Pittsburgh, "don't know how to look for control system issues," said Weiss. He added that it might be necessary to establish a separate entity to conduct control system incident analysis. With awareness, "It's the Y2k issue all over again," Weiss said. "Control systems in general do not have intrusion detection systems and firewalls, so how would you even know of an incident?" he said. But these systems represent a critical priority in the federal critical infrastructure protection plan, Weiss said, adding, "They're what keep the lights on and water flowing." "Most people in the industry understand that current SCADA security urgently needs to be reviewed and upgraded, and we will need a lot of R&D in this area," said Badolato. On April 3, the NIST-sponsored Process Controls Security Forum (PCSRF) met in Gaithersburg, Md., to develop the minimum-security requirements for control systems. So far, a draft standards document has been issued for review. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Apr 30 2002 - 12:39:24 PDT