WASHINGTON, D.C. - While lawmakers decried a lack of concern in the U.S. about cybersecurity issues, representatives of the
electricity, communications and other so-called critical infrastructure industries on Thursday said they take the potential
for cyberattacks seriously.
Executives of companies in the electricity, communications, chemical and oil and gas industries told the U.S. House of Representatives
Science Committee they have taken steps to protect against wide-scale cyberattacks, in some cases by setting up alternative
networks not directly connected to the public Internet. Thursday's hearing focused on how a wide-scale cyberattack would affect
industries critical to the U.S. economy.
Industry assurances that they and other large companies understand cybersecurity threats stood in contrast to concerns raised
by committee members. "We still pay inadequate attention to cybersecurity research and operations in both the government and
private sector," said Representative Sherwood Boehlert, a New York Republican and committee chairman. "We shouldn't have to
wait for the cyber equivalent of Hurricane Katrina to realize that we are inadequately prepared to prevent, detect and respond
to cyberattacks."
Industry representatives partially downplayed the potential for a large-scale cyberattack to interrupt critical services such
as electricity and telecommunications because of networks that are separate from the public Internet. But as the oil and gas
industry moves more of its technology controls to the public Internet, the potential for damage in a wide-scale cyberattack
could increase, said John Leggate, chief information officer and group vice president of digital and communications technology
at BP PLC, a major oil and gas company based in the U.K.
Currently, a major cyberattack would have a "moderate" effect on the oil and gas industry, because many companies' control
systems for functions such as pipelines are run over private networks, Leggate said. But after 2007 or 2008, when many petroleum
companies will likely have moved their control systems to the public Internet, a wide-scale cyberattack could be "catastrophic,"
he added.
Representatives of American Electric Power Company Inc., a provider of electricity to residents in 11 U.S. states, and SBC
Communications Inc. also assured the committee that their main networks don't now rely on the public Internet. The electricity
industry is also working on sophisticated encryption technologies for use on the public Internet, added Gerald Freese, director
of enterprise information security at American Electric Power.
"Cybersecurity is evolving rapidly, and all of us working in the field are tirelessly seeking more effective solutions to
protect our assets," Freese added.
The U.S. Department of Homeland Security (DHS) is also working hard to improve cybersecurity, added Donald "Andy" Purdy, acting
director of the National Cyber Security Division at DHS. Purdy detailed a number of cybersecurity initiatives happening at
DHS, including a national cybersecurity response system and a security threat and vulnerability reduction program.
A national cybersecurity response center, called US-CERT (Computer Emergency Readiness Team), was established in September
2003, Purdy noted, and the agency works with law enforcement and intelligence agencies to evaluate cyberrisks. DHS assisted
with a classified report, released in February 2004, that identifies potential organizations capable of cyberattacks, he said.
But Representative Bart Gordon, a Tennessee Democrat, told Purdy that the DHS efforts were "simply not good enough." Gordon
referred to a U.S. Government Accountability Office report, released in May, saying DHS had not yet developed national cyber
threat assessments or government and industry contingency recovery plans. Purdy promised a recovery plan document soon and
a risk assessment by early next year.
"The disruptions and economic damages that could result from a successful cyberattack to one or more of our critical infrastructures
could be substantial," Gordon said. "And damage to water supply systems or chemical processing plants, for example, could
also create life-threatening consequences."
While many large companies now realize the importance of cybersecurity, implementation is often lacking, panelists said. Many
companies are afraid to share their cybersecurity threat data with DHS for fear of it being released as a public document,
Freese said.
Companies also need to more narrowly focus on the most important risk factors, added David Kepler, vice president of shared
services and chief information officer at The Dow Chemical Co. "You can work on everything, and not be effective at anything,"
he said.
Technology companies also need to work on creating more secure products, with security built-in instead of added on later,
added Andrew Geisse, chief information officer at SBC. He gave cellular telephones and Wi-Fi as examples of technologies where
security was an "afterthought."
As the industry representatives offered advice for better cybersecurity, Boehlert complained that Supreme Court nomination
hearings in the Senate attracted hundreds of journalists, while his hearing room had plenty of seats available. He asked the
industry representatives to enlist their lobbying organizations in educating the rest of Congress about the importance of
cybersecurity.
"We've got to focus on the importance of this subject," he said. 'In most quarters, it's greeted with a muffled yawn. And
yet you know, and you're sharing with us, how important this is, and its potential impact on the entire economy."
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
