This article can also be found in the Premium Editorial Download "Information Security magazine: Tips from the 2007 Security 7 Awards."
Download it now to read this article plus other related content.
By Michael S. Mimoso
Opportunity knocks; sometimes uncertainty answers. Michael Assante spent the greater part of his early career securing the assets, people and facilities of a major Midwest utility. But all the while, he kept a watchful eye on the disturbing news and trends surrounding critical infrastructure and the SCADA control systems that support it.
"There were marked improvements in frontline IT systems and their protection profiles, but back-end systems were struggling," Assante says. "Systems grew that weren't intended to be connected, but became connected. I started worrying about these systems."
Enter opportunity in the form of an opening with Idaho National Laboratory, a facility in Idaho Falls dedicated to nuclear energy research and focused on partnerships with the U.S. Department of Energy and Homeland Security.
Enter uncertainty in the form of relocation. The prospect of moving to Idaho and working and living near Yellowstone National Park and in the shadow of the Grand Teton mountains was a daunting contrast to the life Assante and his family knew in metropolitan Columbus, Ohio.
"It's quite beautiful here," Assante says. "I was immediately impressed with the lab and the amount of industry experience here, the guidance they provide to industry. I realized they weren't in business just to
| do work for the U.S. government, but to bring value to the end user."
Opportunity won out, and Assante, INL's infrastructure protection strategist, joined the lab two years ago. He was immediately struck by the lack of emphasis put on security by control systems vendors, who countered pleas for improvements with the claim that customers just weren't asking for security. Instead, customers were bearing the expense of tacking it on. "They weren't really resourced or prepared to ask for [security from vendors]," Assante says.
Assante set out to provide control system managers with language to insert into procurement contracts to ensure vendors address security concerns. He sought help from Alan Paller at the SANS Institute and Will Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination, to establish a SCADA Security Summit. The event in March 2006 brought together more than 400 SCADA experts and vendors, and kick-started the SCADA Procurement Project. Recently, version 1.6 of the Cyber Security Procurement Language for Control Systems was posted on the Multi-State ISAC site, msisac.org.
"Vendors were forced to make changes they knew they had to make," Assante says.
Jerry Freese, director of IT security engineering at Assante's former employer, American Electric Power, praises Assante as a man of vision and one who is driven to execute that vision.
"He's a strategic thinker, very focused on the global security threat and astute at distilling that focus into relevant business and critical infrastructure protection planning," Freese says.
SCADA systems were plagued by some common vulnerabilities, regardless of the provider, Assante says. For example, extraneous services were turned on by default, risky configurations needed to be addressed, as did some patch management, authentication, and weak policy management issues. The group edited the procurement language for months, and both sides made necessary compromises.
"It's an incredible resource for asset owners," Assante says, "who can cut-and-paste the language into procurements with vendors to get more secure systems."
Idaho National Lab takes part in several outreach programs with the Departments of Energy and Homeland Security to develop a risk management program for control systems. The lab has brought together ally nations like the U.K. and Australia for information sharing workshops, and has established training environments for critical infrastructure asset owners to demonstrate attacks against these systems, and optimize security technology to combat them.
"We have done a lot of work in vulnerability testing and discovery, looking especially at interdependencies between infrastructures," says Michael Assante. "We're looking at where these crossovers are, the vulnerabilities associated, and what could cause high consequences."
--Michael S. Mimoso
This was first published in October 2007