Securing critical infrastructure in the age of Stuxnet

Full text of Michael Assante's testimony at November Senate hearing [PDF]

TESTIMONY OF MICHAEL J. ASSANTE

PRESIDENT AND CHIEF EXECUTIVE OFFICER

NATIONAL BOARD OF INFORMATION SECURITY EXAMINERS OF THE UNITED STATES INC.

BEFORE THE SENATE COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

U.S. SENATE

Hearing on

SECURING CRITICAL INFRASTRUCTURE IN THE AGE OF STUXNET

November 17, 2010

Good morning, Chairman Lieberman, Senator Collins, and members of the Committee. I am pleased to appear here this morning to testify on securing critical infrastructure in the age of Stuxnet.

My name is Michael Assante and I am the Chief Executive Officer of the National Board of Information Security Examiners ("NBISE"). NBISE is a newly created, not-for-profit certification body composed of dedicated staff and a board of experts in information security practice and policy. NBISE is developing assessments, examinations, and certifications designed to uphold the highest standards of professionalism and practice in essential information security disciplines. I am here in this capacity and as someone who has worked in the field of critical infrastructure protection with a focus on industrial control systems security. I have served in the U.S. Navy, been responsible for both physical and cyber security of one of the largest electric utilities in the United States, and worked on control system security research at the Idaho National Laboratory. I also recently held the position of Chief Security Officer at the North American Electric Reliability Corporation ("NERC"), which serves as the Electric Reliability Organization ("ERO") in the United States and much of Canada.

I am pleased that this hearing has been convened to explore the implications of advanced cyber threats on the security of our nation and its critical infrastructure, as exemplified recently by the Stuxnet worm. The Stuxnet code is a worthy centerpiece for this discussion, but I believe this is neither the first nor the last attempt to compromise and use operational systems to effect physical outcomes. Stuxnet is, at the very least, an important wake-up call for digitally enhanced and reliant countries and, at its worst, a blueprint for future attackers. There are many lessons that we must learn from this particularly sophisticated piece of malicious code. Because it will set the course for cyber strategy and policy, our response to this demonstration of the new cyber reality is critical. Developing and implementing effective indicators, defenses, and countermeasures to cyber threats like Stuxnet demands that we look not just to the security community but also to the system designers, planners, engineers, and operators of our essential technology and physical infrastructures. We must take a prudent and proactive approach that enhances our ability to learn and apply knowledge fast enough to manage the dangerous consequences that come with these types of attacks. We can no longer ignore known system weaknesses and simply accept current system limitations. We must admit that our current security strategies are too disjointed and are often, in unintended ways, working against our efforts to address the highly advanced security challenges facing our cyber-dependent critical infrastructures.

Copyright © 2010 IDG Communications, Inc.