|
||||||||||||
Led by Subcommittee Vice Chairman Anthony Weiner, the hearing heard from Dan Kaminsky, IOActive's director of penetration testing; Rodney L. Joffe, senior vice president and senior technologist for Neustar; Larry Clinton, president and CEO of the Internet Security Alliance; and Greg Nojeim, senior counsel for the Center for Democracy and Technology.
While the overarching question put to these witnesses was what role they felt the federal government should take in addressing the three branches of the cyber security issue (personal security, critical infrastructure and protecting it, and national security), testimony and discussion ranged from the continued and insidious threat of the Conficker worm to the potential dangers to the expanding smart grid. "Is our energy infrastructure susceptible?" Weiner asked these four non-electrical industry witnesses.
"There's an old joke from the NSA," Kaminsky told Weiner, "that all networks are connected, just not that fast."
"The `90s saw a tremendous increase in the use of personal computing technologies and information technologies to, quite frankly, make work more efficient. And the energy industry has not been immune from that," Kaminsky said. "One of the technologies that we've seen spreading, at least in recent design, has been an ability for the actual power meters to communicate with each other, for them to create a peer-to-peer mesh as one meter speaks to another meter speaks to another meter."
He told the hearing that the current lack of connectivity in the electric industry is "the only thing preventing widespread attack." But, with connectivity growing more and more, Kaminsky added, "that's a temporary solve."
Rodney Joffe expanded upon Kaminsky's comments. "One of the biggest problems we face is that the Internet was never designed to do the things that it's doing today. There are control systems, there are systems that were never designed to be on the open Internet," he said. "But the open Internet -- one of the great values is the fact that it allows you to communicate fairly cheaply and fairly easily with other computing devices."
The power industry, Joffe said, is used to a closed network. "But by its very nature, those home devices, the smart meters, are going to have to rely on an open Internet. If they made use of the technology that the power industry was used to, which is point-to-point secured connections.then perhaps there wouldn't be an issue."
The Internet Security Alliance's Larry Clinton also weighed in with another caution: "We also have to operate these systems better," he said. "The single biggest vulnerability that we have is not technical at all. It is the insider threat. Depending on which study you read, a third to half of the problems we have are people on the inside. These are people with keys to the technology."
"We not only need to have good technology," he continued, "we need to have incentives for people to want to use the technology. Again, this is a system-wide problem. It involves technology, it involves human resources, it involves economy, it involves legal compliance -- a variety of things. It's not going to be fixed when somebody comes up with a new device."
And that is where the energy industry issue was left in this two-hour hearing of presentations and questions and answers. As the debate continues, it will be up to the industry -- to those who design and build the new devices that will create the necessary two-way communication capability of the emerging intelligent utility -- to step up to the plate and defend the security of their technologies, and to present this information to Congress.
It is only then that a rounded, truly informed decision can be made.