Lack of federal funds has set back the progress of a number of government computer security programs aimed at improving Supervisory Control and Data Acquisition (SCADA) systems. Witnesses at congressional hearings last week expressed some impatience with both the utility industry's refusal to take SCADA technical gaps seriously and the government's inability to get security solutions out to the private sector more quickly. The hearings were held in the House Government Reform subcommittee on technology, information policy, intergovernmental relations and the census.
Robert Dacey, director of information security issues at the U.S. General Accounting Office (GAO), cited program slowdowns at the Department of Energy's National SCADA Test Bed located at the Idaho National Engineering and Environmental Laboratory where hardware and software is supposed to be tested. He also said that the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) have had to cut back on their efforts on defining a common set of information security requirements for control systems, which is being coordinated through the Process Controls Security Requirements Forum (PCSRF).
Fred Proctor, group leader for the control group at NIST, confirmed that his program's fiscal 2004 budget was set at about $400,000, about 8% less than what he expected to receive. Congress was very late in approving many agency fiscal 2004 budgets, only doing so at the end of January 2004, and then reducing appropriations because of heightened worries about the federal deficit.
"It is not a catastrophe," said Proctor, alluding to the loss of about $33,000. "But it does have an impact. We have had to cut back on travel, holding meetings and other things." Proctor's program is developing "protection profiles" that information security officials can use to help determine what kind of firewalls, link encryption device and password authentication and other software they need for their SCADA systems. "The budget cut will delay our publication of the protection profiles," he added.
The SCADA Test Bed in Idaho only recently got its first funds, about $900,000, which was significantly less than the $2-$3 million officials there had hoped to receive in fiscal 2002 and 2003, when no money was forthcoming. There are only a couple of computer experts working on finding the "holes" in a facility donated by Zurich-based ABB Ranger SCADA, a manufacturer considered one of the Cadillacs of SCADAs.
"We're going to help them patch the holes," explained an official who declined to be identified. "But we need a lot more people to do it," he said. He has an additional 20 computer specialists waiting to go to work if and when he gets federal funds.