If you have opinions on how to protect America's critical infrastructure from hackers, the government wants to hear 'em. The 45-day public comment period is about to open for the preliminary guidelines on how to safeguard power plants, mass transportation, and other large utilities from cyberattacks. The guidelines are set to be released in February 2014 by executive order of the president.
Most national security experts would agree that infrastructure is increasingly vulnerable as it becomes more dependent on computer systems and the internet. It's unclear how much the government's guidelines will help, however.
The guidelines are being drafted by an agency within the Commerce Department, not by a national security agency, and they're fairly vague in order to accommodate the different types of utilities. Recommendations include inventorying "physical devices and systems," establishing an information security policy, and managing users with privileged access.
The guidelines are also non-binding, meaning public and private utility owners can choose to simply ignore the advice. Some utility owners may develop security practices that are more effective than the government's recommendations, but some may choose to save time and money by letting security lapse.
Anyone can comment on the guidelines, but the agency overseeing the effort is really looking for industry input. The National Institute of Standards and Technology (NIST) has received extensive feedback from the private sector, which wrangled some major changes to the executive order that provided for the guidelines, and it's soliciting more. "We encourage organizations to begin reviewing and testing the Preliminary Framework to better inform the version we plan to release in February," NIST director Patrick Gallagher said in a press release.