Critical infrastructure debate centers on control systems

The debate continues over whether the government has enough cybersecurity authority over the privately owned industrial control systems that run critical infrastructure such as electricity, water and nuclear power systems.

Some observers say the best approach is for the government to partner with the industry and nonfederal authorities that run the systems — as the Homeland Security Department now does. However, some critics say that approach isn't sufficient and new legislation is needed to make sure the systems that increasingly rely on information technology are safe from cyberattacks.

The situation is complicated by the variety of industrial control systems, the ways they differ from standard IT systems, the many ways the systems are used by different sectors, and their increasing interconnectedness.

As the government organization in charge of coordinating the national effort to improve critical infrastructure protection, DHS gives guidance to the nonfederal owners of infrastructure and works to develop partnerships to improve security through its National Cybersecurity Division’s Control Systems Security Program.

“By ensuring industry is a partner at the table, we can put in place those structures and those recommendations and those practices that serve industry best and not necessarily just come from a mandated, regulated federal position,” said Sean McGurk, director of the DHS program.

However, Joe Weiss, a nuclear engineer and a managing partner at Applied Control Solutions, said the current level of oversight is inadequate. Weiss said it’s also important not to view the industrial infrastructure “with IT glasses.”

“The financial meltdown in this country came from self-regulation; cybersecurity in this country today from a critical infrastructure [perspective] is purely self-regulation,” he said. “We can’t afford what’s going to happen because of self-regulation.”

Weiss and McGurk said cyber threats to industrial control systems could increase if new technologies are not managed correctly. Meanwhile, the government is in the process of drawing up its plans to build smart IT systems to control the electricity grid.

“The older systems were reasonably cyber dumb. They also weren’t nearly as accurate and productive as the newer system that would have more intelligence in it, so you have a trade-off, and I think this is something that a lot of people forget or don’t realize,” Weiss said. “The more intelligence you put in and the more connectivity you put in, the more productive you’ll be, but at the same time, the more cyber vulnerable you’ll become.”

After The Wall Street Journal reported recently that the country’s electricity grid had been infiltrated by spies, Rep. Bennie Thompson (D-Miss.), chairman of the Homeland Security Committee, promised to introduce legislation to address the problem. He cited “a significant gap in current regulation to effectively secure this infrastructure.”

Alan Paller, director of research at the SANS Institute, said legislation is needed to give the North American Electric Reliability Corp. the power to tell the electricity industry what should be done. NERC is a self-regulatory organization that the Federal Energy Regulatory Commission has given legal authority to enforce reliability standards.

Paller also said cybersecurity protections should be included in the control systems’ existing maintenance contracts and the acquisition of new systems. Common procurement specifications for control systems owned by the federal and nonfederal governments “that force the vendors to bake security in to keep their maintenance contracts will profoundly advance the state of the art and make it available to all other organizations,” he said.

DHS has published recommendations for cybersecurity procurement language for control systems that were developed in cooperation with other federal agencies, the private sector and international partners. McGurk said the processes are widely held by industry and internationally as a valid standard for procurement, but DHS can’t mandate or legislate that nonfederal organizations use them.

“I’d rather have the organization adopt the security measures because it’s part of their culture, not because it’s dictated by government,” McGurk said.

He added that he worries about people trying to take an approach to cybersecurity for industrial control systems that doesn’t recognize the differences between different critical infrastructure sectors.

“What I’m most concerned about is people trying to oversimplify the issue who think that there is one magic silver bullet that’s going to shoot across 18 infrastructures,” he said. “The way we integrate products in the water sector is not necessarily the same as how we integrate them into the electric sector or the nuclear sector or the critical manufacturing sector. So we need to take a sector-focused approach to applying these requirements, or otherwise, what’s good for one could potentially disrupt operations in another.”

Retired Maj. Gen. Dale Meyerrose, formerly chief information officer at the Office of the Director of National Intelligence and now vice president and general manager of cyber programs at Harris, said he doesn’t think federal regulations have kept pace with advancements in cyberspace. He also said he thought alleged penetrations of the electric grid are representative of similar attacks on systems that support other critical areas, such as transportation, banking or health care.

“The thing that I think is hugely important to realize is that 85 percent of the critical infrastructure in the United States is in private hands, so we need legislation and we need policy,” he said. “We need to get past a lot of the emotional arguments that we’ve got.”

Meyerrose said he hopes the Obama administration will move quickly to deal with the problem. The administration concluded its 60-day review of the nation’s cybersecurity April 17, and that review is expected to produce a plan that will involve the private sector.