[ISN] DHS to State Its Case to Business

InfoSec News isn at c4i.org
Tue Oct 25 02:19:14 EDT 2005


http://www.eweek.com/article2/0,1895,1876550,00.asp

By Caron Carlson 
October 24, 2005 

Improving cyber-security may be in the public interest, but to
persuade the commercial owners of the country's critical
infrastructure to invest in more secure networks, the Department of
Homeland Security next year plans to show them the bottom line.

Echoing what has become a mantra on Capitol Hill, lawmakers chided the
DHS last week for not making greater strides in developing a plan to
protect the cyber-networks that gird the country's transportation,
power, water, telecommunications, oil and gas pipeline, and chemical
processing systems, as well as other critical infrastructure.

Andy Purdy, acting director of the DHS' National Cyber Security
Division, told legislators that next year the department is going to
present the business case for investing in the security of SCADA
(supervisory control and data acquisition) systems.

Because private companies own most critical infrastructure facilities,
DHS will encourage the deployment of security measures by providing a
cost-benefit analysis, Purdy told lawmakers last week at a hearing of
the House Subcommittee on Economic Security, Infrastructure Protection
and Cybersecurity.

The plan has the support of some security experts, who say businesses
are not inclined to invest in security for an abstract threat but will
do so for a specific threat, as demonstrated in the preparations for
Y2K.

"We must help industries develop a business case for their investment
in SCADA security," Samuel Varnado, director of the Information
Operations Center at Sandia National Laboratories, in Albuquerque,
N.M., told the subcommittee. "Although we know that many threats
exist, specific details are elusive."

Resistance to sharing information about vulnerabilities and breaches
has made it difficult to define the current risks to SCADA systems,
Varnado said. To present the business case, officials might have to
take a different approach. Rather than discuss threats, they may need
to discuss the consequences and show what the disruption of network
systems is costing businesses financially.

"This approach would involve identification of specific portions of
information systems affected by specific attacks," Varnado said. "It
would require vulnerability assessments, analyzing the consequences of
disruptions in economic terms, and defining and implementing optimized
protection strategies based on risk assessments."

Over the next three months, the Idaho National Laboratory will work
with the government to implement a cyber-security self-assessment
framework, according to K.P. Ananth, associate laboratory director at
the INL, in Idaho Falls.

The assessment will include a risk reduction tool to help companies
prioritize the vulnerabilities they find. Next year, the lab will
pilot the framework with several key infrastructure sectors, Ananth
said.

Some in the industry say there are better ways the government can
reduce the vulnerabilities confronting SCADA systems. Alan Paller,
director of research at The SANS Institute, in Bethesda, Md., told the
subcommittee that federal agencies should use their buying power to
force SCADA system vendors to build security into their products.

"Procurement leverage is effective because it places the
responsibility for securing systems in the only place that security
tasks can be done cost-effectively: in the hands of the system vendor
that created the systems," Paller said, adding that only vendors know
the technology well enough to ensure it is secure and that they can
provide the security for all users.

"If you try to force every user to secure their systems, every user
would have to study every system they buy and become a security expert
on every system, and then they would do the same job the vendor could
have done one time," Paller said. "Allowing vendors to foist the
security configuration job onto their users is what got us into this
vulnerable status."
