Control Systems Need Tighter Cybersecurity, DHS Panel Hears
Convergence of IT networks and the systems that control electricity, water and other essential services offers targets for cyberattackers, a Dept. of Homeland Security advisory body heard Tues. The National Infrastructure Advisory Council (NIAC) urged the White House to focus more DHS resources on the problem and set a deadline for national compliance.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
A cyberattack on Supervisory Control & Data Acquisition (SCADA) systems that regulate electrical grids, municipal water flow and gas and oil pipelines “has the potential to cause large scale interruption,” Grayson & Assoc. Pres. Margaret Grayson told the body, presenting her group’s report (WID Oct 11 p5). Until recently IT networks weren’t connected to SCADA systems, but more companies are doing so, often unaware that they're opening “new avenues of access for potential cyber attackers,” she said.
NIAC agreed to urge President Bush to establish 2015 as a cutoff date for SCADA systems to be “designed, installed, operated and maintained to survive an intentional cyberassault with no loss of critical function.” Grayson conceded the move is “aggressive,” but said recent intelligence indicates “a step up in malicious activity.” The council recommended that DHS promote “uniform acceptance across all sectors that investment in cybersecurity is a priority” and include such costs in new budgets.
The U.S. should “rapidly ramp up” the U.S. Computer Emergency Readiness Team (US-CERT) and develop a “cyber incident information collection” database, the group was told. “Most control systems operators have little access to info on cyber incidents,” Grayson said: “Companies don’t have a way of sharing information safely” and “it’s going to take a lot of diplomacy and a lot of hard work.” Companies don’t want “to lose either customer or shareholder confidence,” but US-CERT could lead this initiative as an independent 3rd party, she said.
As NIAC’s next project, DHS Secy. Michael Chertoff asked the council to study “insider” threats to key infrastructure and the “conflict between counter terrorism and privacy laws for employees working in critical infrastructure.” Chertoff is particularly concerned about the “possibility of sleepers within the infrastructure,” he said.
“There is no significant body of research on this issue,” said Neill Sciarrone, Homeland Security Council Dir.- Protection & Information Sharing Policy. NIAC Chmn. Erle Nye promised the council would look into the matter.