Some time ago I believed it was unlikely that any government would footprint or probe other states' CNIs. My observations have caused me to change my mind, and I now believe it is naive to underestimate any foe. SCADA vulnerability is a central challenge to our national security – and we really do need to address this issue now, before a major incident takes place.
So what are the solutions?
There are a number of recommendations that I would make to ensure that SCADA-based systems are better protected. The good news is that most of these actions can be implemented using existing technologies and legislation, though there may be a need for some tweaks to the statute books. It should be remembered that we are talking about the IT systems that control our national infrastructure.
(1) Take a leaf out of the German statute books on data breach law and impose potential prison sentences on those managers who fail to take their SCADA defense obligations seriously.
(2) Impose hefty financial penalties as a stepping stone to the penalties outlined in (1) above.
(3) Issue comprehensive SCADA security guidance – in the form of white papers and best practices recommendations – and stipulate fines for those that fail to comply. A good model could be the PCI DSS rules that govern processing of payment card credentials.
(4) Use existing government cyber-warfare resources to simulate attacks against CNIs and issue confidential reports to the appropriate managers of the organizations concerned. If the organizations fail to remediate their security problems in a timely fashion (that is, within a few months), local country CERT officials will complete the planning element of the task, and a court-imposed mandate will be placed on the organization to deploy the recommendations in the planning document. Further infractions will be treated as contempt of court.
(5) Require CNI-based SCADA system operators to adhere to appropriate integrity verification processes on at least a monthly basis, with continuous compliance as the mainstay of the reporting system. An auditing process similar to the PCI DSS governance rules can also be applied.