The cyber security executive order signed this week by President Barack Obama is a road paved with good intentions, but some fear that its vagueness will limit its impact. However, experts agree that its voluntary nature is the right approach.
The order aims to increase information sharing between government and private entities in regard to the cyber security of critical infrastructure including power plants and financial, transportation and communications systems. It calls for the development of a framework of best practices via the National Institute of Standards and Technology (NIST).
For industrial control systems (ICS), this may be a small step in the right direction, according to Joel Langill of SCADAhacker. However, the order is very broad in its coverage, as it blankets all “systems and assets, whether physical or virtual. Exactly how this would translate into what actually is implemented regarding security controls within ICS is not obvious and therefore will probably not make much impact on owners and operators of critical infrastructure in its initial phase,” Langill says.
Because the order does not appear to address the role of control system vendors or manufacturers, “this could be a significant oversight” representing a hurdle to improving resilience to cyber threats, Langill says.
The executive order does not set forth any minimum standards for how infrastructure should be protected, as any such act would require Congressional approval. The Obama administration made an attempt to pass such legislation last year and failed when Republicans intervened. If the legislation had passed, it would have given the Department of Homeland Security (DoHS) the authority to enforce security standards of equipment running critical infrastructure, The New York Times reports.
Langill adds that DoHS does not possess the knowledge base to provide any value to owners or operators because it tends to focus on matters of national security.
Eric Byres, CTO and co-founder of the Tofino Security division at Belden Inc., says that any attempt by the government to play “traffic cop” would be futile because the laws would be obsolete before they could be implemented. Byres adds that facilitating the sharing of information and increasing access to resources is the best the government can do beyond holding all companies accountable for negligence.
The final draft of the executive orders is anticipated within a year. During the interim, NIST will seek public input from organizations interested in participating in cyber security workshops over the next several months.
All this hard work, however, might not pay off in the long run, according to Langill, who explains that orders such as these could easily be nullified by the next administration. In spite of that, he says the order could still serve to clarify existing regulations and lead to better ICS security overall.
Read the Full Executive Order.
