Industrial control systems seen as 'undeniably vulnerable'
Congress is focusing on securing the nation's critical infrastructure
Computerworld - WASHINGTON -- The Department of Homeland Security and the private sector still haven't developed a comprehensive strategy for securing the real-time control systems that manage much of the nation's critical infrastructure, according to the chairman of a House subcommittee studying the issue.
In a hearing yesterday on the security of Supervisory Control and Data Acquisition systems, which are used to manage infrastructure such as the electric power grid and oil and gas pipelines, Rep. Adam Putnam (R-Fla.) said the lack of a national strategy to deal with SCADA system security makes the nation "undeniably vulnerable" to cyberterrorism.
Putnam is chairman of the House Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.
"The more I've learned [about the lack of SCADA system security], the more concerned I've become," said Putnam. "I've learned that today's SCADA systems have been designed with little or no attention to computer security. Data are often sent as clear text; protocols for accepting commands are open, with no authentication required; and communications channels are often wireless, leased lines or the Internet."
The hearing was the second held by Putnam to look into the security of SCADA systems. At yesterday's hearing, the General Accounting Office released a detailed study of SCADA system security that Putnam had requested. In its report, "Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems," the GAO concludes that the DHS hasn't moved as fast as it could to work with the private sector to improve SCADA security.
James F. McDonnell, director of the Protective Security Division at the DHS, told Putnam and other lawmakers that it's his job to coordinate both physical and cyber security for more than 1,700 facilities identified so far as containing critical national security infrastructure systems. Of those facilities, 565 contain SCADA systems that must be protected.
McDonnell outlined a series of physical security efforts, such as site security assessments and buffer zone protection mechanisms, underlying the DHS's current strategy for SCADA security. Amit Yoran, the director of the DHS's National Cyber Security Division, "looks at the ones and zeros," said McDonnell, adding that he and Yoran are still developing a "joint" physical and cyber protection plan.
Yoran wasn't present at the hearing.
According to McDonnell, the National Communications System (NCS) is currently working with the Idaho National Engineering and Environmental Lab to conduct communications modeling and simulation of SCADA systems, known as the National SCADA Test Bed. The NCS has initiated a study of vulnerabilities in the natural gas pipeline system throughout the eastern U.S. Other efforts are under way to identify the
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts