Executive Order on Cyber Security, Smart but Too Vague

Feb. 14, 2013
President Obama’s executive order aims to facilitate information sharing on cyber security issues for critical infrastructure dependent on industrial control systems. Many believe its vague implications will limit its impact but agree it is a step in the right direction.

The cyber security executive order signed this week by President Barack Obama is a road paved with good intentions, but some fear that its vagueness will limit its impact. However, experts agree that its voluntary nature is the right approach.

The order aims to increase information sharing between government and private entities in regard to the cyber security of critical infrastructure including power plants and financial, transportation and communications systems. It calls for the development of a framework of best practices via the National Institute of Standards and Technology (NIST).

For industrial control systems (ICS), this may be a small step in the right direction, according to Joel Langill of SCADAhacker. However, the order is very broad in its coverage, as it blankets all “systems and assets, whether physical or virtual. Exactly how this would translate into what actually is implemented regarding security controls within ICS is not obvious and therefore will probably not make much impact on owners and operators of critical infrastructure in its initial phase,” Langill says.

Because the order does not appear to address the role of control system vendors or manufacturers, “this could be a significant oversight” representing a hurdle to improving resilience to cyber threats, Langill says.

The executive order does not set forth any minimum standards for how infrastructure should be protected, as any such act would require Congressional approval. The Obama administration made an attempt to pass such legislation last year and failed when Republicans intervened. If the legislation had passed, it would have given the Department of Homeland Security (DoHS) the authority to enforce security standards of equipment running critical infrastructure, The New York Times reports.

Langill adds that DoHS does not possess the knowledge base to provide any value to owners or operators because it tends to focus on matters of national security.

Eric Byres, CTO and co-founder of the Tofino Security division at Belden Inc., says that any attempt by the government to play “traffic cop” would be futile because the laws would be obsolete before they could be implemented. Byres adds that facilitating the sharing of information and increasing access to resources is the best the government can do beyond holding all companies accountable for negligence.

The final draft of the executive orders is anticipated within a year. During the interim, NIST will seek public input from organizations interested in participating in cyber security workshops over the next several months.

All this hard work, however, might not pay off in the long run, according to  Langill, who explains that orders such as these could easily be nullified by the next administration. In spite of that, he says the order could still serve to clarify existing regulations and lead to better ICS security overall.

Read the Full Executive Order.

Sponsored Recommendations

Understanding and Using E-Stops

E-stops, or emergency stop switches, are used to ensure machine as well as personnel safety. They are used to provide a consistent and predictable failsafe response on a wide ...

Demystifying motor disconnect switches: What are they and how are they used?

From conveyor belts to drum mixers, motors are used in virtually every industrial application to drive machinery. Equipment downtime is the main motivation behind monitoring and...

Full Line of DIN Rail Terminal Blocks Video

Altech offers an extensive line of DIN Rail Terminal Blocks including all major Connection Technologies available in the industry to meet requirements for a vast variety of applications...

The Value of Integrating DIN Rail Cylindrical Fuse Holders Into Your Designs

What short circuit currents do I have to consider when purchasing a DIN rail cylindrical fuse holder? That data is available from the manufacturer. For example, Altech cylindrical...