SCADA Security Experts Call for More Public-Private Collaboration
To tackle threats to critical infrastructure control systems, companies, academia and government need to work together and exchange information, experts said at the RSA Conference.
SAN FRANCISCO—Information sharing—or the lack of sharing—has become a prominent point of contention between private corporations and government agencies. The issue is even more of a problem for critical infrastructure providers, control-system experts said at the RSA Conference.
While there are hubs of activity around security in critical infrastructure, companies tend not to share vulnerability and attack information with each other, a panel of industry and academic experts told attendees. Best practice information on device and network configuration is largely kept in-house, despite the benefits of sharing, said Doug Powell, manager for security, privacy and safety at electric-power generation firm BC Hydro.
"We've had to build our own test environment and test our technology—hack it to find vulnerabilities—before we deployed it," Powell said. "But we, as an industry, don't have a good sharing environment, so what we learn—and what others learn—is not necessarily passed along."
Unlike in the United States, information sharing between the Canadian government and critical infrastructure firms does occur, because it does not have to surmount the hurdle of data classification. While the United States is working on getting more companies cleared for classified information, the Canadian utilities already have clearance, Powell said.
For the past half decade, security researchers have focused on breaking industrial-control systems--such as those that use supervisory control and data acquisition (SCADA) protocols--and finding vulnerabilities. Only recently, with the attack by Stuxnet and the identification of vulnerable networks connected to the Internet, have critical infrastructure owners really focused on the problem, panelists said.