Q. What makes these systems so tough to protect?
Like any computer product, industrial control systems have bugs that programmers can't foresee. Government officials and security researchers say critical systems should never be connected to the Internet — though they frequently are. But having Internet access is convenient and saves money for companies that operate water, power, transit and other systems.
Q. Is cost an issue?
System manufacturers are reluctant to patch older versions of their products, government and private sector researchers said. Utility companies and other operators don't want to shell out money to replace systems that seem to be working fine. Dan Auerbach of the Electronic Frontier Foundation, formerly a security engineer at Google, says the pressure on tech companies to quickly release products sometimes trumps security. "There's an incentive problem," he said.
Q. What's the government doing?
The Department of Energy and the Department of Homeland Security's Computer Emergency Readiness Team, or CERT, work with infrastructure owners, operators and vendors to prevent and respond to cyber threats. Researchers at government-funded labs also assess threats and recommend fixes. But government agencies cannot — and do not attempt to — compel systems vendors to fix bugs.
The only national cybersecurity regulation is a set of eight standards approved by the Federal Energy Regulatory Commission — but these only apply to producers of high-voltage electricity. A Department of Energy audit last year concluded the standards were weak and not well implemented.
Q. So is Congress weighing in?
Cybersecurity has been a much-debated issue. Leading bills, including the Cyber Intelligence Sharing and Protection Act, would enable government and the private sector to share more threat information. But while CISPA and other bills give the Department of Homeland Security and other agencies more power to monitor problems, they all take voluntary approaches.
"Some of my colleagues have said nothing will change until something really bad happens," said Peterson, whose consulting firm exposed vulnerabilities. "I'm hoping that's not true."
Q. What does the Obama administration want?
The White House has called for legislation that encourages private companies to notify government agencies after they've faced cyber intrusions, and recommends private companies secure their own systems against hackers. But the White House stops short of calling for mandatory cybersecurity standards for the private sector.
From ProPublica.org (find the original story here); reprinted with permission.