Little progress seen toward securing nation's critical infrastructure

By David
October 19, 2005

The House Homeland Security Committee yesterday heard testimony regarding the security of the nation’s supervisory control and data acquisition (SCADA) systems — the computer systems used to control such things as water flow through dams, the operation of power plants, and so on. The occasion was a joint hearing between the Subcommittee on Economic Security, Infrastructure Protection, and Cybersecurity and the Subcommittee on Emergency Preparedness, Science, and Technology. The news wasn’t very encouraging (from a related WaPo article):

Guarding the computer-based controls from terrorists gained attention after the attacks of Sept. 11, 2001.

“It’s four years later and we are no further down the line,” Rep. Bill Pascrell, D-N.J., said while questioning Andy Purdy Jr., acting director of the Homeland Security Department’s National Cyber Security Division. “We’re not prepared. You know it, I know it.”

Joining Purdy before the committee were Larry Todd (U.S. Bureau of Reclamation), Sam Varnado (Sandia National Lab.), K.P. Ananth (Idaho National Lab.), William Rush (Gas Tech. Inst.), and Alan Paller (SANS Inst.) — the written statement of each witness is available here.

Readers may also recall that earlier this year USACM sent a letter to the Nuclear Regulatory Commission (NRC) calling for stronger cybersecurity for U.S. power plants and highlighting the importance of SCADA systems:

Cybersecurity experts often cite the importance of supervisory control and data acquisition (SCADA) systems and other computer-mediated and controlled systems. Exploitation of vulnerabilities in these systems could have catastrophic effects. Threats to such systems come not only from individuals bent on terrorism or other mischief, but also from subtler sources such as lack of secure design, programming and implementation errors, and human factor issues.

Cybersecurity with respect to SCADA systems was also touched on in PITAC’s excellent cybersecurity report released earlier this year.