Cybersecurity: How US utilities passed up chance to protect their networks
"It was never intended to be a silver bullet," Dr. Rush says. "But it would definitely have provided quite a lot more protection for critical infrastructure like gas pipelines and the power grid than we have right now."
The reality of the cyberthreat was driven home in late March, when DHS issued the first of four confidential "alerts" warning of a cyberattack campaign against US natural gas pipeline companies' computer networks. Some researchers have linked the attack to a 2011 attack for which US officials blame China.
Those recent attacks follow a trend in which corporate and industrial networks belonging to critical infrastructure companies are seen as a growing target. In April, the cybersecurity company McAfee and the Center for Strategic and International Studies (CSIS), a Washington think tank, found that 40 percent of electric utility company officials in 14 countries said their networks were under attack and more vulnerable than ever.
Meanwhile, in an election year, Congress and the Obama administration are wrangling over new cybersecurity standards for critical infrastructure companies – primarily whether they should be based on a voluntary or mandatory approach.
"The issue isn't a lack of standards," says James Lewis, director of the Technology and Public Policy Program at CSIS. "It's the lack of a business case for individual companies to spend for public safety. This [AGA-12 case] just confirms it. They know what to do to make things secure and have chosen not to do it for sound business reasons. A voluntary approach doesn't work."