US industries: We take cybersecurity seriously

WASHINGTON, D.C. - While lawmakers decried a lack of concern in the U.S. about cybersecurity issues, representatives of the electricity, communications and other so-called critical infrastructure industries on Thursday said they take the potential for cyberattacks seriously.

Executives of companies in the electricity, communications, chemical and oil and gas industries told the U.S. House of Representatives Science Committee they have taken steps to protect against wide-scale cyberattacks, in some cases by setting up alternative networks not directly connected to the public Internet. Thursday's hearing focused on how a wide-scale cyberattack would affect industries critical to the U.S. economy.

Industry assurances that they and other large companies understand cybersecurity threats stood in contrast to concerns raised by committee members. "We still pay inadequate attention to cybersecurity research and operations in both the government and private sector," said Representative Sherwood Boehlert, a New York Republican and committee chairman. "We shouldn't have to wait for the cyber equivalent of Hurricane Katrina to realize that we are inadequately prepared to prevent, detect and respond to cyberattacks."

Industry representatives partially downplayed the potential for a large-scale cyberattack to interrupt critical services such as electricity and telecommunications because of networks that are separate from the public Internet. But as the oil and gas industry moves more of its technology controls to the public Internet, the potential for damage in a wide-scale cyberattack could increase, said John Leggate, chief information officer and group vice president of digital and communications technology at BP PLC, a major oil and gas company based in the U.K.

Currently, a major cyberattack would have a "moderate" effect on the oil and gas industry, because many companies' control systems for functions such as pipelines are run over private networks, Leggate said. But after 2007 or 2008, when many petroleum companies will likely have moved their control systems to the public Internet, a wide-scale cyberattack could be "catastrophic," he added.

Representatives of American Electric Power Company Inc., a provider of electricity to residents in 11 U.S. states, and SBC Communications Inc. also assured the committee that their main networks don't now rely on the public Internet. The electricity industry is also working on sophisticated encryption technologies for use on the public Internet, added Gerald Freese, director of enterprise information security at American Electric Power.

"Cybersecurity is evolving rapidly, and all of us working in the field are tirelessly seeking more effective solutions to protect our assets," Freese added.

The U.S. Department of Homeland Security (DHS) is also working hard to improve cybersecurity, added Donald "Andy" Purdy, acting director of the National Cyber Security Division at DHS. Purdy detailed a number of cybersecurity initiatives happening at DHS, including a national cybersecurity response system and a security threat and vulnerability reduction program.

A national cybersecurity response center, called US-CERT (Computer Emergency Readiness Team), was established in September 2003, Purdy noted, and the agency works with law enforcement and intelligence agencies to evaluate cyberrisks. DHS assisted with a classified report, released in February 2004, that identifies potential organizations capable of cyberattacks, he said.