SCADA security programs short of funds |
 |
By Stephen Barlas, Contributing Writer
05 Apr 2004 | SearchSecurity.com |
|
|
Lack of federal funds has set back the progress of a number of government computer security
programs aimed at improving Supervisory Control and Data Acquisition (SCADA) systems. Witnesses
at congressional hearings last week expressed some impatience with both the utility industry's
refusal to take SCADA technical gaps seriously and the government's inability to get security
solutions out to the private sector more quickly. The hearings were held in the House Government
Reform subcommittee on technology, information policy, intergovernmental relations and the
census.
Robert Dacey, director of information security issues at the U.S. General Accounting Office
(GAO), cited program slowdowns at the Department of Energy's National SCADA Test Bed located at
the Idaho National Engineering and Environmental Laboratory where hardware and software is
supposed to be tested. He also said that the National Institute of Standards and Technology
(NIST) and the National Security Agency (NSA) have had to cut back on their efforts on defining a
common set of information security requirements for control systems, which is being coordinated
through the Process Controls Security Requirements Forum (PCSRF).
Fred Proctor, group leader for the control group at NIST, confirmed that his program's fiscal
2004 budget was set at about $400,000, about 8% less than what he expected to receive. Congress
was very late in approving many agency fiscal 2004 budgets, only doing so at the end of January
2004, and then reducing appropriations because of heightened worries about the federal deficit.
"It is not a catastrophe," said Proctor, alluding to the loss of about $33,000. "But it does
have an impact. We have had to cut back on travel, holding meetings and other things." Proctor's
program is developing "protection profiles" that information security officials can use to help
determine what kind of firewalls, link encryption device and password authentication and other
software they need for their SCADA systems. "The budget cut will delay our publication of the
protection profiles," he added.
The SCADA Test Bed in Idaho only recently got its first funds, about $900,000, which was
significantly less than the $2-$3 million officials there had hoped to receive in fiscal 2002 and
2003, when no money was forthcoming. There are only a couple of computer experts working on
finding the "holes" in a facility donated by Zurich-based ABB Ranger SCADA, a manufacturer
considered one of the Cadillacs of SCADAs.
"We're going to help them patch the holes," explained an official who declined to be
identified. "But we need a lot more people to do it," he said. He has an additional 20 computer
specialists waiting to go to work if and when he gets federal funds.
|
|
|
|
