SecurityFocus, 2005-10-28
The older networks of control systems have not adapted well to the needs of a deregulated power industry, Samuel Varnado, director of the Information Operations Center at Sandia National Labs stated in written testimony to the Congressional subcommittee.
"Under restructuring, the grid is now being operated in a way for which it was never designed," Varnado said. "More access to control systems is being granted to more users, the demand for real-time control has increased system complexity, and business and control systems are interconnected."
Sandia has demonstrated a way to use SCADA system vulnerabilities to turn out the lights in most major cities, Varnado told the subcommittee last week.
With an aim toward improving the situation, the NCSD has established a clearinghouse for information about control systems security and vulnerabilities under the U.S. Computer Emergency Readiness Team (US-CERT) and Idaho National Laboratory (INL). Known as the Control Systems Security Center (CSSC), the group aims to reduce the risk of cyberattack on control systems through assessments, education and incident support, the DHS's Purdy said.
In 2006, the DHS plans on releasing a document outlining the best practices for control-system operators through the Cybersecurity Protection Framework. Also next year, the U.S. agency will determine if a third-party academic institute is needed to act as a central hub for reporting vulnerabilities and incidents, Purdy said.
"If we have a picture of failures in more than one place, we can connect the dots and figure out there is an attack going on," Purdy said.
Legislators have also taken a hand. The latest energy bill passed in August has a provision requiring that the U.S. Department of Energy create an electric reliability organization. The frontrunner for the job is the North American Electric Reliability Council (NERC), which has already created a set of documents on critical infrastructure protection, known as CIP-002 through CIP-009.
The government could give NERC the ability to levy penalties against companies that do not comply with the standards, essentially creating regulations similar to the Sarbanes-Oxley rules that have caused corporations to spend more on security, said Richard Lord, CEO of security consulting and analysis firm The Steadfast Group.
The lack of reports of security incidents has made such legislative efforts necessary, Lord said.
"People have the same attitude--they have not heard about anything going on, so they are not worrying about it," Lord said. "They can't get a budget for it, so why even try to tackle it, is the thinking."