A special commission seeking to advise the incoming presidential administration has concluded that SCADA and other types of industrial control systems should be subject to a regulatory regime that establishes standard certification metrics for processes, systems, and personnel. Additional standards and requirements might include, for example, “requiring senior officials in publicly traded companies to affirm that adequate measures have been taken to secure control systems.”

The report, “Securing Cyberspace for the 44th Presidency,” was authored by the Commission on Cyber-security for the 44th Presidency, itself established in August 2007 by the Center for Strategic and International Studies (CSIS). A bipartisan, nonprofit organization, CSIS includes more than 220 full-time staff and a network of affiliated scholars focused on defense and security. The cyber-security commission co-chairs included two members of the US House of Representatives.

While most of the report appears to focus on arcane coordination issues related to the federal bureaucracy, the basic principles it postulates for addressing what it calls a “major national security problem,” as well as the specific focus it gives to control systems, should be of interest to the petroleum industry. First, efforts have to bridge both the public and private sectors. Second, overreliance on market forces is a mistake, and a regulatory regime must be established, albeit one that is not overly restrictive. Finally, the goal is to build on and streamline efforts already underway within government.

One problem identified by the commission is that efforts to secure cyberspace have to date been too diffuse, spread out across 18 different sectors of the US economy. Instead, efforts should be focused on four critical areas where a major disruption is capable of doing harm to the entire US economy. The four are energy, finance, the converging information technology and communications sectors, and government services.

The commission describes industrial control systems as an “important and atypical area for cyber-space regulation.” Besides supervisory control and data acquisition (SCADA) systems, these industrial control systems include distributed control systems (DCS), programmable logic controllers (PLC), and devices such as remote telemetry units (RTU), smart meters, and intelligent field instruments. One SCADA anomaly, the commission points out, is that these systems are “designed to remain in place for very long periods of time and are often more difficult to upgrade” than other types of IT systems. Yet they are increasingly connected to the Internet. Further, the environment for addressing SCADA security concerns is only in its formative stage, 15 years behind other IT sectors, says the commission.

The commission recommends that, in addition to regulation, the government could, as part of a national economic stimulus package, “fund development programs with industry to create secure control system technology.” While the commission’s recommendations are only that, President-elect Obama has placed cyber-security at the top of a list of priorities for his incoming administration. While the thought of a government industrial policy is anathema to many, addressing the need for cyber-security through legislation may deliver the double benefit of furthering the economic recovery and promoting innovation in the controls industry.