By Andy Greenberg
Last June, the Department of Homeland Security leaked a video
documenting a disturbing experiment. Using only digital means,
researchers hacked into a power plant's generator and caused it to cough
and shake before shutting down in a cloud of black smoke.
That clip, demonstrating what has since become known as the Aurora
vulnerability, served as a wake-up call for regulators, highlighting the
need to guard against cyber-security threats to critical infrastructure
like power plants and the telecom system. But at a hearing Wednesday,
members of the House Committee on Homeland Security warned that those
regulatory bodies aren't moving fast enough.
"I think we could search far and wide and not find a more disorganized
response to a national security issue of this import," said Rep. James
Langevin (D-R.I.), chairman of the Subcommittee on Emerging Threats,
Cybersecurity and Science and Technology. He pointed a finger at several
groups: the DHS for giving scanty details of its video-taped simulation;
the power industry for working too slowly to mitigate the threat; and
the North American Electric Reliability Corporation, an industry group,
for failing in its role as the self-regulatory body assigned to ensure a
consistent national power supply. "Everything about the way this
vulnerability was handled ... leaves me with little confidence that we're
ready or willing to deal with the cyber security threat," he said.
The House's criticisms focused primarily on the electric utility
industry group, NERC. They argued that the advisories issued by NERC are
ineffective and that it has repeatedly misled the House in its
investigation of the Aurora vulnerability.
Rep. Bill Pascrell (D-N.J.) recalled that in a subcommittee hearing last
October on the Aurora vulnerability, a NERC representative told him that
75% of the nation's power plants had made progress in securing their
systems against cyber threats. But when the subcommittee requested that
survey, Pascrell said, it became clear that NERC had only performed the
research two days after the subcommittee hearing.
"You are not going to sit there and waste my time telling us you're
doing the job you're supposed to do," Pascrell said. "Who do you think
we are, a bunch of jerks?"