Experts call energy infrastructure cybersecurity bill ‘shortsighted’
Some cybersecurity experts are skeptical of new Senate legislation to address concerns that hackers are looking to ramp up attacks against the U.S. energy infrastructure.
Members of the Senate Committee on Energy and Natural Resources introduced the Securing Energy Infrastructure Act in early June — a first-of-its-kind bill to establish a pilot program and private-public working group to explore and better identify cybersecurity vulnerabilities evident in industrial control systems, or ICS, which are used to measure, control or manage some industrial functions.
Though they see the intent of the bill as earnest, some cybersecurity experts told FedScoop they believe it addresses the issue in the wrong way.
“While there is nothing wrong with the legislation from a technical perspective, in my opinion this is a shortsighted bill that misses the bigger picture,” Cris Thomas, a strategist at Tenable Network Security, told FedScoop.
[Read More: Senators look to DHS reorg to guard power grid]
Numerous U.S.-based power plants, electrical substation and other elements of the power grid use ICS to regulate and monitor different mechanisms that are crucial to facilities’ everyday functionality.
If a hacker were to gain control of an ICS — as was the case in the hack of the Ukrainian power grid — they could force components to shut down, explained Lior Frenkel, CEO of ICS cybersecurity firm Waterfall Security Solutions.
Several U.S. entities, such as the National Institute of Standards and Technology, provide detailed guidance to secure industrial control systems. A bill, however, that creates a formal private-public working group is an entirely new venture.
Much criticism of the bill is directed at a research recommendation that suggests replacing some advanced ICS components at energy-providing facilities with “retro,” offline and otherwise human-operated options.
“By mandating analog controls through legislation, you are in a sense already admitting defeat. While information security professionals will routinely say that it is not when, but if, you get compromised, at no time do we advocate that you should return to pencils, paper and calculators because you are afraid of the big bad cyber threat,” Tenable’s Thomas said.
“Instead of advocating for less technology, information security professionals usually advocate for more properly applied technology. Only with additional technological controls are we going to be able to detect, remediate and hopefully prevent electronic intrusions,” he added.
The legislation makes the case that a step backwards in ICS technology capabilities will shrink the number of potential access points for hackers to invade.
“Analog boards, for example, would be harder for attackers to reprogram than the original software,” explained Frenkel. “[But] nobody knows yet if the approach can be made practical, or what kinds of attacks this approach will be able to defeat. So far, the conversion-to-analog technique has been proposed to replace computers at only the very lowest layers of industrial control system architectures — the computers in direct contact with industrial equipment.”
Eli Mahal, a vice president for industrial and critical infrastructure security software maker NextNine, is against the devolution of ICS technology. He believes that resorting to old control systems — at any level — will not result in a better security posture for energy providers.
Mahal described that “the benefits of having an integrated and connected [energy infrastructure] operation are too good to ignore.” Returning to old technology doesn’t make sense because of the lost capabilities, he said.
“Plant owners and operators, today, can measure everything worth measuring in order to make data-driven decisions; to predict operational failures and provide preventive maintenance to improve safety and asset reliability; and to utilize analytics to manage processes more effectively and reduce costs. This all translates to higher levels of safety, improved productivity and better profit margins,” Mahal said.
Doug Wylie, a vice president for ICS security software maker NexDefense, is slightly more optimistic about the bill than his colleagues. Wylie explained that it serves as a good first step to reinforce existing ICS cybersecurity standards.
“Optimistically, the results of the S.3018 Act will be carefully folded into, or even simplify, existing industry regulations that already have momentum and increasing coverage of power producers and distributors of electricity in the U.S.,” he said.
The bill asks for roughly $11.5 million to fund the pilot program’s creation, formation of a working group and a report to inform Congress of its findings, which won’t be publicly disclosed. If the bill is signed into law, it promises to deliver the pilot, to be housed at the National Laboratories, within 60 days.
The secretary of energy would be required to name members to the working group from his own department; the energy industry; the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team; the North American Electric Reliability Corporation; the Nuclear Regulatory Commission; the intelligence community; the Department of Defense; state and regional energy agencies; and the National Laboratories.
A spokesperson for Sen. Angus King, the independent from Maine who authored the bill, told FedScoop the measure’s six co-sponsors have requested and hope the committee will ‘hold a hearing on the bill before the Senate leaves for the August work period.’