This past Sunday’s edition of This Week With George Stephanopoulos had a 7-minute segment on critical infrastructure cyber security prompted by the BlackEnergy malware. The lead in by ABC’s Pierre Thomas was particularly bad and conflated attacks on company’s that run the critical infrastructure with attacks on the critical infrastructure. They even went back to the 2007 DHS Aurora footage while making it appear as if this is a recent data point.

An important and easy to understand point still seems to escape the mainstream media reporting. Brand new, top of the line ICS, not just ten-year old legacy systems, being deployed in the critical infrastructure are insecure by design. If an attacker gets through the perimeter, he will have complete control of most ICS. My hope is the “less security than your ATM/bank cash card” will eventually catch on.

One very positive aspect of this segment was Richard Clarke’s comments. He was hitting a lot of points I made at by S4x14 ICSage talk, to a much broader audience in very clear language. Some of the gems:

  • “half dozen countries that have already placed logic bombs” and he specifically included the US on this list
  • “you want to have the ability to push a button when the war starts” when talking about pre-staging ICS cyber weapons
  • “tried this with their potential enemies” again indicating this is already happening

Mr. Clarke also commented that most of these ICS cyber weapons will never be used if they are deployed by nations. However, the risk of a less responsible group with less to lose deploying and using these weapons is his concern. While brief, his comments were literally the best I have seen in the popular media in the last decade.

Congressman James Langevin was also on the program, and he echoed a lot of what Richard Clarke said. However when he came to discuss solutions, his big answer was for Congress to pass an information sharing law. If DHS and the US Government can’t say out loud the most basic and important information, that these insecure by design systems in the critical infrastructure need to be upgraded or replaced in the near term (I say 3 years), what practical use is an information sharing law?