The US Senate has passed a law that allows operators of critical infrastructure firms such as power grids to replace digital software systems and automated systems with low-tech manual procedures to prevent cyber adversaries from mounting cyber attacks on such industries.
The idea behind the new legislation is to replace digital and automated systems at power grids to isolate the energy grid from cyber attacks. The aim is to use more analog devices and manual procedures to operate power grids as adversaries will then require physical access to internal systems to cause sabotage.
Power grids to be controlled using manual functions & analog devices
"The Securing Energy Infrastructure Act aims to remove vulnerabilities that could allow hackers to access the energy grid through holes in digital software systems. Specifically, it will examine ways to replace automated systems with low-tech redundancies, like manual procedures controlled by human operators," said the government in a press release.
"This approach seeks to thwart even the most sophisticated cyber-adversaries who, if they are intent on accessing the grid, would have to actually physically touch the equipment, thereby making cyber-attacks much more difficult.
"This legislation was inspired in part by Ukraine’s experience in 2015, when a sophisticated cyber-attack on that country’s power grid led to more than 225,000 people being left in the dark. The attack could have been worse if not for the fact that Ukraine relies on manual technology to operate its grid," it added.
The passing of the Securing Energy Infrastructure Act will pave the way for the establishment of a two-year programme within the National Laboratories to uncover vulnerabilities in existing systems that power grids and to test "retro" technologies such as analog devices that could be used to isolate the most critical systems from cyber attacks.
"This bill takes vital steps to improve our defenses, so the energy grid that powers our lives is not open to devastating attacks launched from across the globe. It’s bipartisan, it’s commonsense, and it’s necessary – I’m glad that the Senate has advanced this important legislation," said Senator Angus King, who introduced the bipartisan bill before the Senate.
Is this a good idea?
Commenting on the passing of the bill, Andrea Carcano, CPO and Co-Founder at Nozomi Networks, said that the government should not seek to decouple operational risk, safety, process excellence and cyber risk as the forces of industrial modernisation cannot be stopped or stalled. Instead, the government should take more steps to prudently enable digital transformation rather than thwart it.
"In the context of critical national infrastructure, the increased operating costs and inefficiencies could be tolerated if it reduces perceived cyber risk, but the approach needs to be carefully balanced. This is not the case within manufacturing and industrial processes where inefficiencies cannot be tolerated as they could result in the reduction of an organisation’s competitive positioning in the marketplace.
"ICS network monitoring solutions can help organisations achieve cyber resilience within a highly automated and intelligent operational environment without compromising efficiency. These solutions enable organisations to move confidently forward in digitisation with the knowledge that they can effectively manage the associated cyber risks," Carcano added.