Cyber Security: A "Virtual" Reality
people took off everything they thought of." Obviously, much information remains. Rush points out that he instructed his intern to stop looking for sources of information if it could be found on two or three Web sites. "My guess is that if you took all those things [the intern found] off, he'd just find another set."
Rush also says that there is considerable information in libraries, on paper. Old maps, old magazine issues, and the like all have information that could be used by terrorists.
Scalingi also votes no. "You need to balance security with necessary openness," she argues. Utilities need to trade information with suppliers and customers, she points out. How can that happen if utilities are forbidden to share any information about their systems? And, Scalingi asks, how do you educate the industry on shoring up SCADA systems, if no one can get information about what the weaknesses are?
"You can make it harder and harder," Rush argues, "but one, I doubt you can get it all, and two, there's some reason we want to have that information." For example, he says that topographical maps show where gas pipelines are located. Taking them off those maps would hide them not only from terrorists, but also from those in the industry who might plot a new pipeline over an old one without realizing it.
Scalingi says that the pendulum has swung to keeping everything secret and out of the public domain. "But in doing so, we are really harming ourselves, in terms of understanding what we need to do in a post-9/11 environment."
Or, as Rush puts it, "If we are less willing to communicate, the more closed our society becomes." Taking information away from the public comes with a cost, both he and Scalingi agree.
The Search for Standards
So the threat is real. But does that make an attack likely?
"I don't feel the homework has been done," Scalingi says, speaking of the myriad security measures proposed since 9/11 for the utility industry, including encrypting SCADA systems. She insists that all security proposals must be examined in terms of both economic feasibility and how much security they would buy the industry and individual companies.
"This is a tough issue," Scalingi says. "Everyone says that you need to be more secure, but what does that mean?" Companies need to ascertain their optimal level of risk, and it would be nice to have a benchmark for doing just that. But is there a risk assessment approach that takes into account what utilities need to do to be secure in a post-9/11 environment? "We don't have it," she says.
The International Organization for Standardization has adopted a standard for information management, ISO 17799. The standard is based on a British standard for data security. As Allen Brill, senior managing director of technical services at Kroll Inc., points out, the ISO standard gives a starting point for organizations asking themselves how to measure cyber security: how much is enough? Brill says that before the adoption of ISO 17799, there wasn't a good