The Department of Homeland Security (DHS) is ready to roll out an effort to convince about 565 facilities in the U.S. with process control systems to address their computer security gaps.
Leading the campaign will be James McDonnell, director of the Protective Security Division (PSD) within the Information Analysis and Infrastructure Protection (IAIP) Directorate at DHS. "It is incumbent upon IAIP to ensure that those responsible for protecting America are doing something about it," McDonnell said.
Companies have been slow to undertake SCADA security overhauls on their own. Robert Dacey, director of information security issues at the U.S. General Accounting Office, released the GAO's newest report on SCADA vulnerabilities at a March 30 hearing of the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census. The report said, "Until industry users of control systems have a business case to justify why additional security is needed, there may be little market incentive for the private sector to develop and implement more secure control systems."
Aside from the apparent absence of a "business case," Dacey said that the tension between IT security personnel on one hand and control system engineers on the other was also responsible for corporate stasis. That was echoed by Joseph Weiss, an executive consultant with Burlington, Mass.-based KEMA Inc. "There is often animosity between IT and operations," he said. "As a point of illustration of this dichotomy, a two-level security solution that IT often proposes includes the requirement to add an additional password login function. This requirement might prevent a substation or power plant engineer from addressing a real-time outage or incident while attempting to get past a password lockout."
The GAO's Dacey repeated a recommendation from earlier reports: that the federal government provide appropriate incentives. "Without appropriate consideration of public policy tools, such as regulation, grants, and tax incentives, private-sector participation in sector-related CIP [critical infrastructure protection] efforts may not reach full potential," Dacey said.