Executive Order on Cyber Security, Smart but Too Vague

Feb. 14, 2013
President Obama’s executive order aims to facilitate information sharing on cyber security issues for critical infrastructure dependent on industrial control systems. Many believe its vague implications will limit its impact but agree it is a step in the right direction.

The cyber security executive order signed this week by President Barack Obama is a road paved with good intentions, but some fear that its vagueness will limit its impact. However, experts agree that its voluntary nature is the right approach.

The order aims to increase information sharing between government and private entities in regard to the cyber security of critical infrastructure including power plants and financial, transportation and communications systems. It calls for the development of a framework of best practices via the National Institute of Standards and Technology (NIST).

For industrial control systems (ICS), this may be a small step in the right direction, according to Joel Langill of SCADAhacker. However, the order is very broad in its coverage, as it blankets all “systems and assets, whether physical or virtual. Exactly how this would translate into what actually is implemented regarding security controls within ICS is not obvious and therefore will probably not make much impact on owners and operators of critical infrastructure in its initial phase,” Langill says.

Because the order does not appear to address the role of control system vendors or manufacturers, “this could be a significant oversight” representing a hurdle to improving resilience to cyber threats, Langill says.

The executive order does not set forth any minimum standards for how infrastructure should be protected, as any such act would require Congressional approval. The Obama administration made an attempt to pass such legislation last year and failed when Republicans intervened. If the legislation had passed, it would have given the Department of Homeland Security (DoHS) the authority to enforce security standards of equipment running critical infrastructure, The New York Times reports.

Langill adds that DoHS does not possess the knowledge base to provide any value to owners or operators because it tends to focus on matters of national security.

Eric Byres, CTO and co-founder of the Tofino Security division at Belden Inc., says that any attempt by the government to play “traffic cop” would be futile because the laws would be obsolete before they could be implemented. Byres adds that facilitating the sharing of information and increasing access to resources is the best the government can do beyond holding all companies accountable for negligence.

The final draft of the executive orders is anticipated within a year. During the interim, NIST will seek public input from organizations interested in participating in cyber security workshops over the next several months.

All this hard work, however, might not pay off in the long run, according to  Langill, who explains that orders such as these could easily be nullified by the next administration. In spite of that, he says the order could still serve to clarify existing regulations and lead to better ICS security overall.

Read the Full Executive Order.

Sponsored Recommendations

Why Go Beyond Traditional HMI/SCADA

Traditional HMI/SCADAs are being reinvented with today's growing dependence on mobile technology. Discover how AVEVA is implementing this software into your everyday devices to...

4 Reasons to move to a subscription model for your HMI/SCADA

Software-as-a-service (SaaS) gives you the technical and financial ability to respond to the changing market and provides efficient control across your entire enterprise—not just...

Is your HMI stuck in the stone age?

What happens when you adopt modern HMI solutions? Learn more about the future of operations control with these six modern HMI must-haves to help you turbocharge operator efficiency...