SCADA systems are currently used to safely and reliably operate critical infrastructure in the electric power, water, energy, chemical and transportation sectors. These systems lack the necessary security technology to escalate cyber threats in real-time to the appropriate authorities. Threats to control systems can come from numerous sources, including hostile governments, terrorist groups, disgruntled employees, and malicious intruders.
Legislation pending before Congress would expand the Federal government’s authority to regulate cyber-security initiatives within the private sector. Any final legislation should require the deployment of cyber-security technologies that will enable the real-time escalation of security threats and exposure of incidents by the private sector to the appropriate government authorities in order to minimize any harmful consequences.
Presently there is no privacy – or “hold-harmless” – protection afforded to the private sector for disclosing the escalation of threats and the exposure of incidents to the federal government. Without these protections in place, private sector companies will be less inclined to share the information and to risk potential negative exposure to the public and government.
The legislation currently stalled in Congress attempts to address this issue by providing protection to disclosed cyber-security data; however, the proposals do not provide a similar protection to the disclosing entity. In order to ensure open communication from the private sector, it is essential to provide privacy protection for the disclosing entity as well as the cyber-security data being disclosed.
Passing cybersecurity legislation to protect the nation’s critical infrastructure must happen in 2012. As a nation, we cannot afford to have another year like last year, where attacks on critical infrastructure increased at an insurmountable rate.
According to the Symantec Internet Threat Report, in 2011 there were 129 public SCADA vulnerabilities, which was a massive increase over just 15 vulnerabilities in 2010. Deciding to do nothing is like playing with fire, and all of our grids, water systems and electrical grids are at risk. And, in turn, millions of Americans’ lives can be affected by a single attack on these systems.
Something the government needs to incorporate into its legislation is a privacy (or hold-harmless) protection for the private sector to help encourage disclosure of threats to the government. This hold-harmless policy will ensure that both the public and private sectors can collaborate on security threats without repercussions. I urge legislators to seriously consider these aspects and begin to put into place tangible protection for our infrastructure.