Feds, Industry not in Security Sync

Wednesday, February 16, 2011 @ 03:02 PM gHale

In the fight against cyber hackers, there has to be constant communication between the public and private sectors to ensure top-flight security, and right now that effort is lacking.

The U.S. government is falling short on sharing real-time cyber security intelligence with private industry, an electricity industry executive testified before a House panel.

Industry needs to have access to real-time information on cyber security threats the U.S. government knows about, said Gerry Cauley, chief executive of the North American Electric Reliability Corp. (NERC). NERC is an industry-sponsored organization that develops cyber security and other standards for the electricity industry.

“The electric industry is in the best position to understand the impact that a particular event or incident could have on the [power grid], but they do not have the same access to actionable intelligence and analysis that the government does. This lack of information leads the industry to be, at best, a step behind when it comes to protecting against potential threats and unknown vulnerabilities,” Cauley told the House Armed Services Committee’s subcommittee on emerging threats and capabilities in written testimony.

“Too often, we have heard from government agencies that the threats are real, but are given little or no additional information,” Cauley said. “This leads to frustration among the private sector leaders who are unable to take fact-based responsive measures due to ill-defined and nebulous threat information.”

Cauley said that to achieve the highest standard of security, the private and public sectors must work together to keep the critical infrastructure safe.

“As illustrated by Stuxnet, industrial control system software can be changed and data can be stolen without intrusions even being detected,” Cauley said. “These injection vectors serve as a blueprint for future attackers who wish to access controllers, safety systems, and protection devices to insert malicious code that could result in changes to set points and switches as well as the alteration or suppression of measurements.

“Increasing information sharing and growing trusted relationships between government agencies and the private sector organizations can go a long way in improving the overall security posture of our critical infrastructure,” he said.
