Congressional Testimony on SCADA Security
The US House Committee on Homeland Security held a hearing on SCADA security on Tuesday. All of the testimony is available; see SCADA and the Terrorist Threat: Protecting the Nation’s Critical Control Systems (hat tip: Mike Torppey).
A few comments on the testimony:
Andy Purdy, Acting Director of NCSD at DHS, gave a good overview of the DHS activities in this area. Priorities are, “to build an effective national cyberspace response system and to implement a cyber risk management program for critical infrastructure protection”. Look out for the National Infrastructure Protection Plan they will be issuing in the next couple of months.
Larry Todd, Dir. of Security, Safety and Law Enforcement in the US Bureau of Reclamation, spoke about SCADA security in the dams, canals and power plants they built. “From the very beginning of Reclamation’s use of SCADA systems, we have maintained a policy of not connecting our SCADA systems to our administrative networks. Today we adhere to that policy in all but the most unusual of situations.” Draw your own conclusions.
Dr. Sam Varnado, Sandia, and Dr. KP Ananth, INL, gave an overview of the programs going on in their respective labs, the National SCADA Testbed, and areas they felt additional work was required.
Dr. William Rush, GTI, presented the case for the AGA-12 standard (read our review of the standard).
Alan Paller, Dir. of Research at SANS, gave an overview of well-known SCADA security events: the Queensland wastewater hack, Davis-Besse worm, … I have a lot of respect for Mr. Paller and SANS, but I disagree with his conclusion that government procurement can have a significant impact on SCADA security. We have heard the mantra over and over that the assets are owned 85%+ by private industry. Now government or industry regulation is another story, but this has its pros and cons.
Author: Dale Peterson
Posted: October 20th, 2005 under AGA 12, SANS, US Government.
Comments: 2
Comments
Comment from Anonymous
Time: October 27, 2005, 8:16 pm
According to SANS Newsbites
(http://www.sans.org/newsletters/newsbites/newsbites.php?vol=7&issue=47&rss=Y#200), a movement is afoot:
There is evidence of movement toward rapid implementation of improved security technology, in the form of the multi-national/multi-sector SCADA Security Summit. That’s where vetting of the most promising technical solutions will be reviewed and drafting of common procurement language will begin. By acting together using common procurement specifications for secure SCADA systems, critical infrastructure asset owners can persuade the vendors to deliver safer systems very quickly. Information about the Summit will be posted on Thursday, October 25. For a heads-up email when it is posted, send your name and employer and email to info@sans.org with the subject SCADA Summit.
Comment from Anonymous
Time: October 28, 2005, 6:18 pm
Apparently, this will be very different from traditional conferences.
http://www.sans.org/scadasummit06/
By the way, I’ve had no luck actually creating an account.