SCADA Watch: Official Calls Securing Critical Infrastructure Against Cyber Attack Impractical
Jill R. Aitoro writes on NextGov.com:
Securing the nation's power grid and other computer systems that operate the nation's critical infrastructure against cyberattack is unrealistic, because companies cannot afford to check if suppliers have provided trustworthy products, said an intelligence official from the Energy Department on Thursday.
"If you give me influence or control of your hardware or software supply chain, I control your systems," said Bruce Held, director of intelligence and counterintelligence with Energy. "We're going to have to develop strategies [for managing the supply chain] that are consistent with [the assets] that we're trying to protect."
Systems that pose a national threat if compromised, including military command-and-control systems and networks managing weapons, must be built using equipment from trusted companies. The hardware and software must be checked for security vulnerabilities and possible malicious code that could cause problems, Held said. To vet the products would cost more than what private sector organizations likely can afford, he added.
"Cost considerations are going to make a security strategy impractical" for computer systems that are critically important but owned and operated by the private sector, including those that support the power grid, and the transportation and financial sectors, and other industries that make up the nation's critical infrastructure, Held said.