Utility companies managing the nation’s critical infrastructure should regularly check for security gaps within their delivery systems, according to the White House’s cybersecurity head.
White House Cybersecurity Coordinator Howard Schmidt told attendees of the McAfee public sector conference Wednesday that the energy sector must perform active risk management, continuous monitoring and simulations to determine security status, Nextgov reports.
The White House and the departments of Energy and Homeland Security are set to test this month a voluntary model with power companies that would assess security postures and identify where companies should focus their cybersecurity efforts.
The Office of Management and Budget finalized the information collection procedures for the Electric Sector Cybersecurity Risk Management Maturity assessment model March 30, which could potentially serve as a future template.
McAfee officials said incentives such as tax credits and liability reforms have been a driving force in security compliance for the U.S. energy sector.
Schmidt said Internet-connected sensors for smart meters are becoming a hacker target, as skilled cyber criminals could manipulate the meter to display a smaller volume of consumption than the actual amount.
Hackers could also access industrial control systems to shut down facilities and create massive power interruptions, Schmidt said.
Schmidt highlighted additional security issues, including the difficulty of determining the motives behind cyber attacks.
Espionage issues get jumbled in with criminal activity and it takes a while for his team to “parse these things out,” Schmidt said.
Bring your own device is another area of concern to Schmidt. He said nearly one in 10 Americans has malicious software on their devices, and allowing employees to bring their own devices opens the potential for more malware.
Thomas Gann, McAfee vice president for government relations, said that companies are starting to shift to a whitelisting approach, which authorizes a predetermined selection of downloads.
This method differs from the previous model of blacklisting any program that potentially carries worms or could be dangerous to the network.
Phyllis Schneck, chief technology officer for McAfee global public sector, said the company is adapting whitelisting methods into its products and computer components.