Framework 1.0 is organized around five core functions, titled Identify, Protect, Detect, Respond and Recover, as a system for protecting critical infrastructure (CI) assets and responding effectively to attacks.
Through spokeswoman Jennifer Huergo, NIST said it could not respond to Ginter's criticism. "We haven't had a chance to digest the blog post, and would need to give it more thought," she said, but added that the Obama administration considers the protection of CI a "high priority," and believes the framework, "will be a useful tool for helping to improve the cybersecurity of critical infrastructure and other industries."
The risk of a catastrophic attack is also a subject of continued debate. Some security experts have said even a major attack would be unlikely to do much more damage than a bad hurricane. Keanini said he thinks an "apocalyptic event" is unlikely. Instead, he foresees, "just a continuous stream of security incidents that keep cybercrime profitable and organizations and individuals getting better at incident response."
But others agree with federal officials, who have warned a number of times in recent years of the risk of a "Cyber Pearl Harbor."
The potential for catastrophic physical damage was demonstrated seven years ago at the Idaho National Laboratory in what was called the Aurora Project, where a cyber attack on a control system destroyed a diesel generator.
James Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies (CSIS), famously told CBS's "60 Minutes" in November 2009, "if you can hack into that control system, you can instruct the machine to tear itself apart. And that's what the Aurora test was." He added that it requires a lead time of three or four months just to order major electrical generators, let alone get them manufactured and installed.
At the time, CNN quoted economist Scott Borg, who produces security data for the federal government, saying that if a third of the country lost power for three months, the economic price tag would be $700 billion, or, "the equivalent of 40 to 50 large hurricanes striking all at once."
Much more recent research is unsettling as well. Some security officials have said it would be difficult to take down a broad section of the power grid, because the diversity of control systems in use would require multiple types of malware. But three researchers from the Network Science Center at West Point published a paper on Jan. 6 arguing that an adversary could target "certain substations and sources of power generation to initiate a cascading failure that maximizes the number of customers without electricity."
Weiss said the risk of such damage is high. He said the claim that there is wide diversity among CI control systems is a myth. Most of them, he said, "are exactly the same. Not just similar — exactly the same."