With private sector voices and public officials alike warning of the growing danger of an attack on the nation’s critical infrastructure, the issue of cybersecurity reached new prominence during President Barack Obama’s recent State of the Union speech. In the annual address outlining governmental priorities and progress, the president highlighted the information security threats facing individuals, businesses and government organizations, making particular note of the danger facing large-scale infrastructure systems.
“Our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems,” President Obama said. “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
The SCADA risk
The software security of critical infrastructure has come into prominence in the last year as researchers turned their attention to spotting vulnerabilities in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. These systems run the nation’s power plants, factories, water treatment facilities and more, making them an attractive target for attackers and raising the stakes of any vulnerability. Nonetheless, SCADA security lags far behind that of mainstream consumer and enterprise software.
“ICS security now looks like Internet security in early 2000, and we can compare Stuxnet with CodeRed/Nimda worms,” Sergey Gordeychik, a researcher at Russian security research firm Positive Technologies, told Dark Reading in November. “It’s like a trigger.”
In a report released last fall, Positive Technologies researchers noted that 20 times as many SCADA vulnerabilities had been found since 2010 as in the five years before. Around half of them could, in principle, be exploited remotely, a growing danger as decades-old systems that were never designed for a connected environment are exposed to the internet. As awareness of these issues has grown, voices throughout the industry have called for more security oversight of SCADA systems and other potential national defense risks.
A federal response to cybersecurity
President Obama underscored his commitment to cybersecurity by signing an executive order earlier on the day of his State of the Union speech. While the order does not carry the force of legislation and binds only federal agencies, it directs them to improve the sharing of unclassified cyber threat information with outside stakeholders in the hope of strengthening private sector security.
It also directs the development of a Cybersecurity Framework, a collaborative project between the National Institute of Standards and Technology (NIST) and industry operators to develop voluntary security standards and best practices. The order further calls for a review of existing cybersecurity regulation and advises independent regulatory agencies to apply the Cybersecurity Framework in a manner consistent with their authority. Specific agencies may, for instance, take steps to mandate better software security practices along the lines of the recent mandate in the 2013 National Defense Authorization Act (NDAA) that new military software acquisitions undergo static analysis testing.
While some lawmakers expressed reservations about the regulatory pressure such an order might create, others argued that it did not go far enough and vowed to continue efforts to pass alternative legislation, InformationWeek reported. The administration urged Congress to act on the issue but noted the need for action in the interim.
“The Executive Order ensures that federal agencies and departments take steps to secure our critical infrastructure from cyber attack, as a down-payment on expected further legislative action,” the White House noted on its website.
Whether in the form of voluntary standards or binding regulation, pressure to improve cybersecurity is likely to increase in the coming months and years. Vendors of SCADA systems and other critical infrastructure software can get ahead of it by strengthening their development processes. Using tools such as static source code analysis, vendors can catch whole classes of defects, such as unchecked input lengths and memory errors in network-facing code, before a product ships, reducing the likelihood of exploitable vulnerabilities and strengthening citizen and lawmaker confidence in the security of critical systems.
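To make concrete the kind of defect such tools are meant to catch, here is an added example written for this edit, not code from the article, from Positive Technologies or from any SCADA product: a constructed C frame parser in which the length byte read from the network is used unchecked as the copy size, beside the bounded version that a static analyser would not flag. The frame layout, buffer size, sample frames and function names are assumptions made up for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not from the article): a minimal frame parser of the
 * kind found in network-facing control-system code. Assumed frame layout:
 *   byte 0      function code
 *   byte 1      declared payload length N
 *   bytes 2..   payload (N bytes)
 */
#define PAYLOAD_MAX 16

struct frame {
    uint8_t function;
    uint8_t length;
    uint8_t payload[PAYLOAD_MAX];
};

/* Before: the length byte from the wire is trusted as the memcpy size.
 * A static analyser reports this as a tainted length driving a copy into a
 * fixed buffer: a remote peer sending length > PAYLOAD_MAX overflows
 * f->payload, and a short frame makes memcpy read past the received data.
 * (Shown for comparison; only ever call it with well-formed input.) */
int parse_frame_unchecked(const uint8_t *buf, size_t buflen, struct frame *f)
{
    if (buflen < 2)
        return -1;
    f->function = buf[0];
    f->length = buf[1];
    memcpy(f->payload, buf + 2, f->length); /* bounded by neither PAYLOAD_MAX nor buflen */
    return 0;
}

/* After: the declared length is checked against both the capacity of the
 * destination and the number of bytes actually received before any copy. */
int parse_frame_checked(const uint8_t *buf, size_t buflen, struct frame *f)
{
    if (buflen < 2)
        return -1;
    uint8_t n = buf[1];
    if (n > PAYLOAD_MAX)            /* would overflow f->payload */
        return -2;
    if ((size_t)n + 2 > buflen)     /* would read past the received bytes */
        return -3;
    f->function = buf[0];
    f->length = n;
    memcpy(f->payload, buf + 2, n);
    return 0;
}

/* Constructed sample frames: one well-formed, one whose length byte claims
 * more than the destination can hold, one whose length exceeds what arrived. */
static const uint8_t SAMPLE_GOOD[]      = { 0x03, 0x04, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t SAMPLE_OVERSIZED[] = { 0x03, 0xff, 0x00 };
static const uint8_t SAMPLE_TRUNCATED[] = { 0x03, 0x08, 0x01 };

int main(void)
{
    struct frame f;
    printf("good frame:      %d\n", parse_frame_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &f));
    printf("oversized frame: %d\n", parse_frame_checked(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, &f));
    printf("truncated frame: %d\n", parse_frame_checked(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &f));
    return 0;
}
```

The two checks in the hardened parser correspond to the two things the analyser cannot prove about the unchecked version: that the wire-supplied length fits the destination, and that it does not exceed the bytes actually received. Both are exactly the conditions a remote peer controls on an internet-exposed device.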
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.