NIST Warns Against Lack of Security in Critical Infrastructure

NIST (National Institute for Standards and Technology) released Special Publication 800-53 version 4 recently, and it covers the shortcomings in privacy and security in the national power grid, water control systems, dams, oil and gas utilities and similar computer-controlled systems. There are no coherent or enforceable standards for Industrial Control Systems (ICS) and Supervisory Control And Data Acquisition (SCADA) systems that are commonplace in the public utility sector, and for that matter, in manufacturing. So there is nothing in place to prevent an electronic “Pearl Harbor” event from occurring.

The current standards, if they can be called standards, are a loosely coordinated collection of Executive Orders, laws, policies, regulations, directives, and guidelines. There is not a single set of rules, and many of the standards are voluntary. In many cases, industry lobbyists work against any improvements in the laws or standards that apply to their member utilities. There is not a single government regulator in charge of critical infrastructure, and in many cases the main regulatory agencies exist at the state level. Inertia keeps any changes to a minimum. If there were a cyber attack against the grid or other systems, it would be too late to do anything about it, and recovery may be extremely difficult or impossible.

There is some hope for effective change in this area, and NIST is bringing the issue up and making some recommendations that hopefully will evolve into a set of security standards for critical infrastructure.  This is a “write your congressman” sort of issue, but there does not appear to be a champion for this cause in the Congress.

Somewhere I heard the proverb “we are always preparing to fight the last war.”  The last war was (and continues to be) an asymmetric war between professional armies, sometimes civilian law enforcement agencies and rebels, guerrilla groups, insurgents, and terrorists.  We are already seeing some peculiar non-traditional styles of combat, most recently in the use of large trucks running down civilian pedestrians.  What happens when these non-traditional and non-professional fighters put down their guns and pick up a keyboard?  Are we ready to wage that battle?  I guess we will see, and probably sooner than later.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
