recommended reading

Electric grid breaches symptomatic of deeper cybersecurity gaps

Malicious software was found on computers that control the nation's power grid, according to a news report.Ambient Photos/Newscom

A Wall Street Journal report about the discovery of malicious software on computers that control the nation's power grid highlights a far more widespread problem, former intelligence officials and other security specialists said on Wednesday.

"Attacks are happening against more than just the power grid -- it's the food system, the transportation system," said Dale Meyerrose, vice president for cyber and information assurance at Melbourne, Fla.-based Harris Corp., and chief information officer for the director of national intelligence during the Bush administration. "Anybody that is looking to have an adverse impact on the U.S. and our economy is looking at all of these things simultaneously."

Sources cited in the Wall Street Journal article claimed computers were penetrated by spies from China, Russia and other countries. This comes more than a year after a CIA official warned the government and utility companies that hackers had targeted power company computers worldwide, causing at least one widespread electricity outage.

Like many other organizations, companies that control the nation's critical infrastructure, including the electric grid, run day-to-day operations in a networked environment that is especially susceptible to cyberattack.

"We're still running legacy Supervisory Control and Data Acquisition systems that were not made to be used in a networking environment," said Howard Schmidt, former White House cybersecurity adviser and chief executive officer of the nonprofit Information Security Forum. "What security is in place on the systems that run the systems? We talk about building interfaces, but that is done with software, which can be vulnerable."

Different federal agencies regulate the industries that control critical infrastructure. In the case of the electric grid, security standards are established by the North American Electric Reliability Corp., an independent organization overseen by the Federal Energy Regulatory Commission. But private sector companies' compliance with regulations is not enforced strongly.

"When I was at [the Homeland Security Department], we were working hard to motivate the owners and operators to invest the resources in technology and training to fix vulnerabilities, but they're still not taking this seriously enough," said Gregory Garcia, who served as assistant secretary of cybersecurity and telecommunications at DHS during the Bush administration and now runs his own information security consulting firm, Garcia Strategies. "There needs to be an aggressive push -- a last push -- to force the private sector to self-regulate. Failing that, there may need to be more required standards."

Alan Paller, director of research at the SANS Institute, said self-regulation doesn't work.

"That was the policy of the last administration," he said. "This [incident] illustrates again that faith-based security is a failed strategy."

Instead, Paller said, government must give NERC more authority to enforce regulations, and force utility companies to implement strict security controls and procure technology to replace legacy systems.

Others said the federal government should provide information and support -- not regulations. Michael Jacobs, who served as information assurance director at the National Security Agency until his retirement in 2002, said while NSA is well-equipped to deal with cybersecurity threats, bureaucratic processes often prevent sharing information with organizations under attack.

"NSA should provide NERC and the companies that run the electric grid with the wherewithal to go in and find and correct this issue, and then work with them to put up perimeter controls to prevent this from happening in the future," Jacobs said. "But [they're] constrained in who they can serve; constrained essentially to the classified world of government."

Meyerrose agreed, saying he often felt his hands were tied from securing cyberspace beyond the intelligence community.

"About 85 percent of the critical infrastructure in our country is in private hands," he said. "Our government needs to figure out how to interface with the companies and individuals that own, control and operate these systems. I'm hoping the Obama administration takes this on."

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

    Download
  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

    Download
  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

    Download
  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

    Download
  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

    Download
  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.

    Download

When you download a report, your information may be shared with the underwriters of that document.