recommended reading

Electric grid breaches symptomatic of deeper cybersecurity gaps

Malicious software was found on computers that control the nation's power grid, according to a news report.Ambient Photos/Newscom

A Wall Street Journal report about the discovery of malicious software on computers that control the nation's power grid highlights a far more widespread problem, former intelligence officials and other security specialists said on Wednesday.

"Attacks are happening against more than just the power grid -- it's the food system, the transportation system," said Dale Meyerrose, vice president for cyber and information assurance at Melbourne, Fla.-based Harris Corp., and chief information officer for the director of national intelligence during the Bush administration. "Anybody that is looking to have an adverse impact on the U.S. and our economy is looking at all of these things simultaneously."

Sources cited in the Wall Street Journal article claimed computers were penetrated by spies from China, Russia and other countries. This comes more than a year after a CIA official warned the government and utility companies that hackers had targeted power company computers worldwide, causing at least one widespread electricity outage.

Like many other organizations, companies that control the nation's critical infrastructure, including the electric grid, run day-to-day operations in a networked environment that is especially susceptible to cyberattack.

"We're still running legacy Supervisory Control and Data Acquisition systems that were not made to be used in a networking environment," said Howard Schmidt, former White House cybersecurity adviser and chief executive officer of the nonprofit Information Security Forum. "What security is in place on the systems that run the systems? We talk about building interfaces, but that is done with software, which can be vulnerable."

Different federal agencies regulate the industries that control critical infrastructure. In the case of the electric grid, security standards are established by the North American Electric Reliability Corp., an independent organization overseen by the Federal Energy Regulatory Commission. But private sector companies' compliance with regulations is not enforced strongly.

"When I was at [the Homeland Security Department], we were working hard to motivate the owners and operators to invest the resources in technology and training to fix vulnerabilities, but they're still not taking this seriously enough," said Gregory Garcia, who served as assistant secretary of cybersecurity and telecommunications at DHS during the Bush administration and now runs his own information security consulting firm, Garcia Strategies. "There needs to be an aggressive push -- a last push -- to force the private sector to self-regulate. Failing that, there may need to be more required standards."

Alan Paller, director of research at the SANS Institute, said self-regulation doesn't work.

"That was the policy of the last administration," he said. "This [incident] illustrates again that faith-based security is a failed strategy."

Instead, Paller said, government must give NERC more authority to enforce regulations, and force utility companies to implement strict security controls and procure technology to replace legacy systems.

Others said the federal government should provide information and support -- not regulations. Michael Jacobs, who served as information assurance director at the National Security Agency until his retirement in 2002, said while NSA is well-equipped to deal with cybersecurity threats, bureaucratic processes often prevent sharing information with organizations under attack.

"NSA should provide NERC and the companies that run the electric grid with the wherewithal to go in and find and correct this issue, and then work with them to put up perimeter controls to prevent this from happening in the future," Jacobs said. "But [they're] constrained in who they can serve; constrained essentially to the classified world of government."

Meyerrose agreed, saying he often felt his hands were tied from securing cyberspace beyond the intelligence community.

"About 85 percent of the critical infrastructure in our country is in private hands," he said. "Our government needs to figure out how to interface with the companies and individuals that own, control and operate these systems. I'm hoping the Obama administration takes this on."

Threatwatch Alert

Stolen laptop

Wireless Heart Monitor Maker to Pay $2.5M Settlement to HHS After Laptop Stolen

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

    Download
  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download

When you download a report, your information may be shared with the underwriters of that document.