Before I say anything at all, please eyeball this quote from 60 Minutes by Admiral Mike McConnell, previously chief of national intelligence who oversaw the CIA, DIA, and NSA, regarding cyber terrorism and the US electricity infrastructure:
"If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer, and I probably would sack electric power on the U.S. East Coast, maybe the West Coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker," McConnell explained.
"Do you believe our adversaries have the capability of bringing down a power grid?" Kroft (60 Minutes) asked.
"I do," McConnell replied.
This interview falls on the heels of my blog post of June 9 about NERC CIP security, "Here's a better idea for security of the nation's electric grid" (title courtesy of my Network World publisher).
Asked if the U.S. is prepared for such an attack, McConnell told Kroft, "No. The United States is not prepared for such an attack."
Security of the electrical infrastructure is also mentioned in the most recent Cyberspace Policy Review on the White House web page. Now the House of Representatives has passed a bill aimed at hardening the cyber security policies of the US Government, one that involves the Federal Information Security Management Act (FISMA). In turn, FISMA has an impact on NERC CIP.
Increase the Carrot and the Stick for NERC CIP Compliance
While I read about "strong centralized oversight" and "update our comprehensive policy," I do not read anywhere about enforcement or funding for NERC CIP compliance. We all know there can be huge gaps between policy and implementation, and similarly between oversight and enforcement.
It takes a lot of dollars to convert a demanding security policy into a desired security state. Similarly, it takes consistent enforcement of policy, including penalties for compliance violations, to justify the existence of oversight.
There are lots of comments on my previous blog post about both the pros and cons of my suggestion for a bigger stick for enforcing NERC CIP compliance. In my replies I stuck to my guns.
Last night President Obama made a speech to the nation about the BP oil spill. One of his three central points dealt with preventing a future oil spill disaster. Today the President told BP to allocate billions of dollars to reimburse those who suffered as a result of BP's oil spill.
Perhaps now is the time to take similar action and allocate funds and sticks to prevent an electrical grid cyber disaster.
Have a safe week.
Ron Lepofsky, CISSP, is founder and president of ERE Information Security and Privacy Auditors, an information security audit and compliance company since 2000. Previously Ron was founder and president of data telecommunications company PTI Telecommunications, founded in 1989.
Ron graduated from the University of Toronto with a B.A.Sc. in Mechanical Engineering. After that he spent time as a sales representative for high-tech companies, including stints at Digital Equipment of Canada Ltd., Timeplex Canada Limited and Data General Canada Ltd., until he struck out on his own.
Ron is a frequent contributor of articles published in a wide variety of media outlets relating to information security, privacy, law and electrical utilities. He is also an avid blogger on the topics of security and privacy, both on the ERE site and other security sites. When not writing or auditing/implementing, Ron is a frequent speaker at industry conferences.
And if all that wasn't enough, Ron also makes great dark chocolate-covered strawberries, nuts, dried fruit and cookies.