Govt. Cybersecurity Loopholes Worsen, Committee Hears
Real harm has followed attacks on critical infrastructure in the U.S. and the problem is worsening, SANS Institute Research Dir. Alan Paller told lawmakers Tues. He cited examples of govt. breaches, warning that Supervisory Control and Data Acquisition (SCADA) system defenses “can no longer be counted on to stop the attacks.” Terrorists, ever more skilled at hacking for profit, can be expected to add cyber extortion to their crimes, he told the House Homeland Security Committee infrastructure protection panel.
But one worthwhile approach doesn’t require regulation or legislation and has been tested effectively by the U.S. Air Force, Paller said. The tack, in which agencies essentially require computer vendors to configure and secure systems in advance of delivery and installation, “recognizes the futility and waste of asking every buyer of SCADA technology to learn to reconfigure their SCADA systems for security, when the SCADA vendors can do that job one time and do it cost effectively.” The approach takes advantage of users’ buying power to get vendors to do the work, he said.
In the Air Force example, the military told Microsoft it would buy 525,000 Windows systems if the firm would sell them securely configured. Microsoft agreed, spurring the Air Force to consolidate 38 contracts into a single 6-year, $500 million procurement of Windows systems and application software. The deal saved $100 million, Paller said. The gambit would work with SCADA security and DHS has a central role to play.
Paller urged DHS to use SCADA vulnerability research by Sandia National Lab and Ida. National Lab with SCADA equipment users’ experience to set safe configuration benchmarks for SCADA systems. Federal SCADA buyers could use that baseline in procurement; vendors seeking govt. business will “see their economic interest lies in meeting the requirement for safer SCADA systems.”
But most critical infrastructure will remain vulnerable because non-secure SCADA systems have long lives -- 15 years or more -- Paller said. To protect legacy systems, a parallel method can be used, he said. In resetting SCADA maintenance fees, agencies can get vendors to deliver special filters that isolate legacy SCADA systems from the rest of the network -- the only known way to secure old infrastructure, he warned. “We can improve security on SCADA systems quickly through DHS leadership and intelligent use of federal procurement,” Paller said: “The costs are low, the value is high. We owe it to the country to try.”
DHS to Address SCADA Vulnerability
The govt. system for monitoring and securing its critical infrastructure has made great strides but improvement is always needed, since SCADA is an “attractive target” for foes of U.S. security efforts, DHS National Cyber Security Div. Acting Dir. Donald Purdy told lawmakers.
SCADA networks can be used to do physical, environmental or economic harm to the U.S. from a distance, Purdy said. Relatively mature attack tools, available on the Internet, can be used with little technical expertise to ambush Web-based govt. systems, he said.
Efforts are planned to address the issue soon, Purdy said. Plans include: (1) Developing and finalizing the U.S. Computer Emergency Readiness Team’s Control Systems Security Center (CSSC) portal and website to improve capabilities and encourage data exchange with the control system community. (2) Supporting vulnerability assessments to gauge legacy and next generation control systems’ cybersecurity at critical sites. (3) Continuing to integrate CSSC capabilities and skills to flag high-risk cyber loopholes, with heed in fiscal 2006 to vulnerabilities in at least 2 critical infrastructure sectors. (4) Encouraging voluntary use of security measures by showing their value. (5) Continuing to work with agencies to integrate cybersecurity and control systems security into risk and vulnerability assessment efforts. (6) Participating in forums to raise awareness and talking to senior executives about piloting and validating a control systems protection framework and promoting security.