In a blog post, Weiss noted that, "there is a reason that ICS-CERT provides advisories on ICS malware to the entire community, not just to a single entity, and that ICS vendors send out advisories to ALL of their customers."
Venafi's Bocek adds that the damage doesn't have to be physical to be devastating. "When the Dutch Certificate Authority, DigiNotar, was breached, the Netherlands government was unable to use electronic communication for days because the trust established by cryptographic keys and digital certificates was broken," he said.
"While this incident was not on an attack on electrical power plant or water supply system, it illustrates how very real an attack on critical infrastructure can be."
One thing is certain. Cyber attacks on CI are increasing. ICS-CERT, a division of the Department of Homeland Security's (DHS) reported last summer that there were a third more cyber incidents (111) reported by the energy sector in the six-month reporting period ending in May than in the previous 12 months (81).
So there is little to no debate over the need to improve security of CI systems. Whether Framework 1.0 will do that will likely be debated through its rollout and beyond. The general view from security experts seems to be that while it has flaws and omissions, it will still be useful.
Most applaud President Obama for focusing attention on protecting CI, but remain dubious that government frameworks will keep up with rapidly evolving threats. There is also some concern that not all operators will sign on, since the frameworks will, at least at the start, be voluntary.
In an interview, Ginter argued that it is not enough for top management to ask, "Are our communications networks secured (one of the NIST requirements)."
"The answer they'll always get is, 'Yes, of course.' But what does that mean?" he said. "Concrete questions might be, 'Can any messages from the Internet reach our safety critical systems either directly or indirectly?' The framework does not give these kinds of tools to executives."
Bocek criticized it for omitting, "the critical element of trust, established by cryptographic keys and digital certificates, which is foundational to all cybersecurity." But, he added, "One thing is certain: critical infrastructure protection will be better off with the framework than without."
Ginter said he thinks the framework should call for Unidirectional Security Gateways (USG), a network appliance that allows data to travel in only one direction, from the side of a network connection that has less need for security, and prevents it from traveling from the side that needs more security.
But he acknowledged that security is an ongoing battle. "My role is to provide my best advice and insights," he said. "Standards always lag the state-of-the-art, and generally lag, to some degree, the state-of-the-practice. This is the nature of the beast."
Sign up for MIS Asia eNewsletters.