By Damian R. Taylor
Copyright © 2012 Potomac Institute for Policy Studies
On Wednesday, February 3, 2012, the U.S. House of Representatives passed legislation aimed at formalizing and regulating how critical infrastructure is protected against cyber threats. Spearheaded by California Republican Dan Lungren, the bill is called the “Promoting and Enhancing Cyber Security and Information Sharing Effectiveness Act (PRECISE) of 2011” (H.R. 3674). If signed into law, PRECISE would grant the Department of Homeland Security (DHS) the authority to conduct cyber security evaluations of the critical infrastructure operations of private-sector and federal entities (excluding the Department of Defense), to enforce compliance with standards, and to lead efforts to become the authoritative source for sharing vulnerability and threat information with stakeholders. The legislation would also create the private-sector-led National Information Sharing Organization (NISO), whose board of directors would be composed of both private and federal leadership, with eight seats reserved for representatives of specific sectors.
Some pundits will likely voice concerns about additional regulation, as it will require additional corporate expenditures to comply with new regulations. In anticipation, Lungren stated, “The status quo of voluntary action is no longer acceptable.” Lungren has a point. “Best practices” and “recommendations” don’t necessarily lead to effective implementation of protective measures.
With approximately 85 percent of the United States’ critical infrastructure operated by the private sector, some compliance standards must be mandated by law. Many of the Supervisory Control and Data Acquisition (SCADA) systems in use are vulnerable, with known flaws. Nonetheless, the operators of these systems continue to run the affected controllers without doing anything to reduce the risk. Unlike the software applications and operating systems on typical networks, which are regularly patched and updated, the code behind SCADA systems and Programmable Logic Controllers (PLCs) is static. In essence, it is never updated or patched, and it remains an open risk.
The threat is real and the actors are multiplying. The key difference between an attack on an ordinary network and one on a control system comes down to the effects: non-kinetic vs. kinetic. A typical cyber attack, such as a distributed denial of service (DDoS) attack, can bring down a web server; the same kind of attack against a critical infrastructure control system can have far-reaching physical consequences, up to severe degradation of the nation’s national security.
There’s no time like the present to be proactive in taking the steps necessary to ensure secure and resilient control systems are in place. After all, public safety is at stake as well as our national livelihood.
Not convinced of the threat? I invite you to watch a YouTube video of Max, a teenager, demonstrating his ability to hack a bridge PLC, opening and closing a bridge with his PDA, using easily procured hardware and minimal technical competency.
Disclaimer: Any views, comments or opinions expressed are solely those of the author and do not necessarily state or reflect those of the United States Government, the United States Navy or the Potomac Institute for Policy Studies.