(2) Impose hefty financial penalties as a stepping stone to the penalties outlined in (1) above.
(3) Issue comprehensive SCADA security guidance (in the form of white papers and best-practice recommendations) and stipulate fines for those that fail to comply. A good model could be the PCI DSS rules that govern the processing of payment card credentials.
(4) Use existing government cyber-warfare resources to simulate attacks against CNIs and issue confidential reports to the appropriate managers of the organizations concerned. If an organization fails to remediate its security problems in a timely fashion (that is, within a few months), local country CERT officials will complete the planning element of the task, and a court-imposed mandate will require the organization to deploy the recommendations in the planning document. Further infractions will be treated as contempt of court.
(5) Require CNI-based SCADA system operators to adhere to appropriate integrity verification processes on at least a monthly basis, with continuous compliance as the mainstay of the reporting system. An auditing process similar to the PCI DSS governance rules can also be applied.