Improving cyber-security may be in the public interest, but to persuade the commercial owners of the countrys critical infrastructure to invest in more secure networks, the Department of Homeland Security next year plans to show them the bottom line.
Echoing what has become a mantra on Capitol Hill, lawmakers chided the DHS last week for not making greater strides in developing a plan to protect the cyber-networks that gird the countrys transportation, power, water, telecommunications, oil and gas pipeline, and chemical processing systems, as well as other critical infrastructure.
Andy Purdy, acting director of the DHS National Cyber Security Division, told legislators that next year the department is going to present the business case for investing in the security of SCADA (supervisory control and data acquisition) systems.
Because private companies own most critical infrastructure facilities, DHS will encourage the deployment of security measures by providing a cost-benefit analysis, Purdy told lawmakers last week at a hearing of the House Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity.
The plan has the support of some security experts, who say businesses are not inclined to invest in security for an abstract threat but will do so for a specific threat, as demonstrated in the preparations for Y2K.
"We must help industries develop a business case for their investment in SCADA security," Samuel Varnado, director of the Information Operations Center at Sandia National Laboratories, in Albuquerque, N.M., told the subcommittee. "Although we know that many threats exist, specific details are elusive."
Resistance to sharing information about vulnerabilities and breaches has made it difficult to define the current risks to SCADA systems, Varnado said. To present the business case, officials might have to take a different approach. Rather than discuss threats, they may need to discuss the consequences and show what the disruption of network systems is costing businesses financially.
"This approach would involve identification of specific portions of information systems affected by specific attacks," Varnado said. "It would require vulnerability assessments, analyzing the consequences of disruptions in economic terms, and defining and implementing optimized protection strategies based on risk assessments."
Over the next three months, the Idaho National Laboratory will work with the government to implement a cyber-security self-assessment framework, according to K.P. Ananth, associate laboratory director at the INL, in Idaho Falls.
The assessment will include a risk reduction tool to help companies prioritize the vulnerabilities they find. Next year, the lab will pilot the framework with several key infrastructure sectors, Ananth said.
Some in the industry say there are better ways the government can reduce the vulnerabilities confronting SCADA systems. Alan Paller, director of research at The SANS Institute, in Bethesda, Md., told the subcommittee that federal agencies should use their buying power to force SCADA system vendors to build security into their products.
"Procurement leverage is effective because it places the responsibility for securing systems in the only place that security tasks can be done cost-effectively—in the hands of the system vendor that created the systems," Paller said, adding that only vendors know the technology well enough to ensure it is secure and that they can provide the security for all users.
"If you try to force every user to secure their systems, every user would have to study every system they buy and become a security expert on every system, and then they would do the same job the vendor could have done one time," Paller said. "Allowing vendors to foist the security configuration job onto their users is what got us into this vulnerable status."