Web extra: Watchdogs wary of fed cybersecurity progress

Critical infrastructure control systems' vulnerability is a growing concern.

Editor's note: This story was updated at 1:15 p.m. May 15, 2006, to include the correct name of the Process Control Systems Forum.

The vulnerability of critical infrastructure control systems to cyberattack is an area of growing concern for the federal government, a lead federal watchdog agency said. But the agency and other cybersecurity experts said the federal response has been mixed in creating documents governing cybersecurity for critical infrastructure.

Critical infrastructure cybersecurity is a significant issue, said Gregory Wilshusen, director of information security issues at the Government Accountability Office. The risk of cyberattacks on critical infrastructure has been rising for several years, he said.

Immediately after the 2001 terrorist attacks, the Bush administration warned that terrorists could harm the country’s critical infrastructure through cyberattacks. In December 2003, Bush authorized Homeland Security Presidential Directive 7 (HSPD-7), which requires the protection of the country’s critical infrastructure from physical and cyberattacks.

HSPD-7 guides policy development for the National Infrastructure Protection Plan (NIPP) to make it the authority on national critical infrastructure protection.

Worm attacks have compromised supervisory control and data acquisition (SCADA), process control and other industrial control systems, said Patrick McBride, vice president of compliance solutions at Scalable Software. The failure of such systems contributed to the massive blackout in August 2003.

Those incidents led lawmakers to realize that cybersecurity is an important element of overall security for all critical infrastructure sectors, McBride said.

GAO pointed out those problems in a March 2004 report and recommended that the Homeland Security Department implement a strategy to improve public- and private-sector collaboration on control systems security.

“Connecting SCADA systems to a remotely accessible computer network can present security risks,” the report states. Dangers include the introduction of IT security vulnerabilities, the compromising of sensitive operating information and the threat of unauthorized access to SCADA systems’ control mechanisms.

The report recommended the implementation and enforcement of physical and cybersecurity standards for the electric power sector.

GAO found in February 2005 that the Homeland Security Department’s U.S. Computer Emergency Readiness Team had published a National Strategy for Control Systems Security, but that the document had no formal publication date, Wilshusen said.

GAO ordered NIPP to address control systems security, too, he said. The Interim NIPP, however, did not address control systems security, he said. GAO will check on DHS’ progress this summer, he said.

Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit, an independent research group funded by DHS, declined to comment on NIPP. He spoke during a conference presentation last month at which he released a new checklist for critical infrastructure vulnerabilities to cyberattacks.

DHS declined to comment on control systems security and measures for it in the NIPP until after the department issues a new version of the plan later this spring, department spokesman John Papa said.

Control systems security is an “area of serious potential vulnerability that doesn’t appear to be directly addressed in the NIPP,” said Warren Suss, president of Suss Consulting. “As a nation, we have not stepped up with a real plan to address vulnerabilities with the force of law.”

Instead of relying on industry to improve control systems security, Congress should pass legislation that mandates risk-based security measures, Suss said.

Opinions vary on how much regulation is needed to ensure safety, said Michael Torppey, technical manager of the Process Control Systems Forum, an industry group focusing on control systems security.