Critical Infrastructure Protection: Multiple Efforts to Secure
Control Systems Are Under Way, but Challenges Remain (17-OCT-07,
GAO-08-119T).
Control systems--computer-based systems that monitor and control
sensitive processes--perform vital functions in many of our
nation's critical infrastructures such as electric power
generation, transmission, and distribution; oil and gas refining;
and water treatment and distribution. The disruption of control
systems could have a significant impact on public health and
safety, which makes securing them a national priority. GAO was
asked to testify on portions of its report on control systems
security being released today. This testimony summarizes the
cyber threats, vulnerabilities, and the potential impact of
attacks on control systems; identifies private sector
initiatives; and assesses the adequacy of public sector
initiatives to strengthen the cyber security of control systems.
To address these objectives, GAO met with federal and private
sector officials to identify risks, initiatives, and challenges.
GAO also compared agency plans to best practices for securing
critical infrastructures.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-08-119T
ACCNO: A77410
TITLE: Critical Infrastructure Protection: Multiple Efforts to
Secure Control Systems Are Under Way, but Challenges Remain
DATE: 10/17/2007
SUBJECT: Command and control systems
Computer systems
Critical infrastructure
Cyber security
Homeland security
Information infrastructure
Information security
Information technology
Private sector
Risk assessment
Risk management
Strategic planning
Security standards
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-08-119T
* [1]Results in Brief
* [2]Background
* [3]Control Systems Are Used in Many Critical Infrastructures
* [4]Control Systems: Types and Components
* [5]The Federal Government Plays a Critical Role in Helping Secu
* [6]Critical Infrastructure Control Systems Face Increasing Risk
* [7]Control Systems Are Vulnerable to Cyber Attacks
* [8]Reported Control Systems Incidents Reveal the Potential for
* [9]The Private Sector Has Multiple Initiatives Under Way to Hel
* [10]Federal Agencies Have Multiple Initiatives to Help Secure Cr
* [11]Implementation of GAO Recommendations Would Help Improve Fed
* [12]GAO's Mission
* [13]Obtaining Copies of GAO Reports and Testimony
* [14]Order by Mail or Phone
* [15]To Report Fraud, Waste, and Abuse in Federal Programs
* [16]Congressional Relations
* [17]Public Affairs
Testimony
Before the Subcommittee on Emerging Threats, Cybersecurity, and Science
and Technology, Committee on Homeland Security, House of Representatives
United States Government Accountability Office
GAO
For Release on Delivery
Expected at 2:00 p.m. EDT
Wednesday, October 17, 2007
CRITICAL INFRASTRUCTURE PROTECTION
Multiple Efforts to Secure Control Systems Are Under Way, but Challenges
Remain
Statement of Gregory C. Wilshusen
Director, Information Security Issues
GAO-08-119T
Mr. Chairman and Members of the Subcommittee:
Thank you for the opportunity to join today's hearing on the cyber threat
to control systems. Control systems perform vital functions in many of our
nation's critical infrastructures, including electric power generation,
transmission, and distribution; oil and gas refining and pipelines; water
treatment and distribution; chemical production and processing; railroads
and mass transit; and manufacturing.
In 2003, the National Strategy to Secure Cyberspace^1 reported that the
disruption of control systems could have significant consequences for
public health and safety and made securing these systems a national
priority. This strategy further states that both the private and public
sectors have a role in securing control systems and directs the Department
of Homeland Security (DHS), in coordination with the Department of Energy
(DOE) and other agencies, to work in partnership with private industry in
increasing awareness of the importance of efforts to secure control
systems, developing standards, and improving policies with respect to
control systems security.
As requested, our testimony summarizes portions of a report being released
today that discusses (1) the cyber threats, vulnerabilities, and the
potential impact of attacks on critical infrastructure control systems;
(2) private sector initiatives to strengthen the cyber security of control
systems; and (3) the adequacy of public sector initiatives to strengthen
the cyber security of control systems.^2 In preparing for this testimony,
we relied on our work supporting the report, which contains a detailed
overview of our scope and methodology. All the work on which this
testimony is based was performed in accordance with generally accepted
government auditing standards.
Results in Brief
Critical infrastructure control systems face increasing risks due to cyber
threats, system vulnerabilities, and the serious potential impact of
attacks as demonstrated by reported incidents. Threats can be intentional
or unintentional, targeted or nontargeted, and can come from a variety of
sources. Control systems are more vulnerable to cyber attacks than they
were in the past for several reasons, including their increased
connectivity to other systems and the Internet. Further, as demonstrated
by past attacks and incidents involving control systems, the impact on a
critical infrastructure could be substantial. For example, in 2006, a
foreign hacker was reported to have planted malicious software^3 capable
of affecting a water filtering plant's water treatment operations; and,
also in 2006, excessive traffic on a nuclear power plant's control system
network--possibly caused by the failure of another control system
device--caused two circulation pumps to fail, forcing the unit to be shut
down manually.
^1The White House, The National Strategy to Secure Cyberspace (Washington,
D.C.: February 2003).
^2GAO, Critical Infrastructure Protection: Multiple Efforts to Secure
Control Systems Are Under Way, but Challenges Remain, [18]GAO-07-1036
(Washington, D.C.: Oct. 17, 2007).
Multiple private sector entities such as trade associations and standards
setting organizations specific to the electric, chemical, oil and gas, and
water sectors are working to help secure control systems. These entities
are developing standards, providing guidance to members, and hosting
workshops on control systems security.
Over the past few years, federal agencies--including DHS, DOE, the
National Institute of Standards and Technology (NIST), and others--have
initiated efforts to improve the security of critical infrastructure
control systems. However, there is as yet no overall strategy to
coordinate the various control systems activities across federal agencies
and the private sector. Further, DHS lacks processes needed to address
specific weaknesses in sharing information on control system
vulnerabilities. Until public and private sector security efforts are
coordinated by an overarching strategy, there is an increased risk that
multiple organizations will conduct duplicative work and miss
opportunities to learn from other organizations' activities. In addition,
until information-sharing weaknesses are addressed, DHS risks not being
able to effectively carry out its responsibility for sharing information
on vulnerabilities with the private and public sectors.
Given the importance of these issues, in our report being released today,
we are making recommendations to the Secretary of the Department of
Homeland Security to (1) develop a strategy for coordinating control
systems security efforts and (2) enhance information sharing with control
systems stakeholders. In its comments on our report, DHS neither agreed
nor disagreed with these recommendations, but stated that it would take
them under advisement. The agency also discussed new initiatives to
develop plans and processes that are consistent with our recommendations.
^3"Malware" (malicious software) is defined as programs that are designed
to carry out annoying or harmful actions. They often masquerade as useful
programs or are embedded into useful programs so that users are induced
into activating them.
Background
Critical infrastructures are physical or virtual systems and assets so
vital to the nation that their incapacitation or destruction would have a
debilitating impact on national and economic security and on public health
and safety. These systems and assets--such as the electric power grid,
chemical plants, and water treatment facilities--are essential to the
operations of the economy and the government. Recent terrorist attacks and
threats have underscored the need to protect our nation's critical
infrastructures. If vulnerabilities in these infrastructures are
exploited, our nation's critical infrastructures could be disrupted or
disabled, possibly causing loss of life, physical damage, and economic
losses.
Although the vast majority of our nation's critical infrastructures are
owned by the private sector, the federal government owns and operates key
facilities that use control systems, including oil, gas, water, energy,
and nuclear facilities.
Control Systems Are Used in Many Critical Infrastructures
Control systems are computer-based systems that are used within many
infrastructures and industries to monitor and control sensitive processes
and physical functions. Typically, control systems collect sensor
measurements and operational data from the field, process and display this
information, and relay control commands to local or remote equipment.
Control systems perform functions that range from simple to complex. They
can be used to simply monitor processes--for example, the environmental
conditions in a small office building--or to manage the complex activities
of a municipal water system or a nuclear power plant.
In the electric power industry, control systems can be used to manage and
control the generation, transmission, and distribution of electric power.
For example, control systems can open and close circuit breakers and set
thresholds for preventive shutdowns. The oil and gas industry uses
integrated control systems to manage refining operations at plant sites,
remotely monitor the pressure and flow of gas pipelines, and control the
flow and pathways of gas transmission. Water utilities can remotely
monitor well levels and control the wells' pumps; monitor flows, tank
levels, or pressure in storage tanks; monitor water quality
characteristics such as pH, turbidity, and chlorine residual; and control
the addition of chemicals to the water.
Installing and maintaining control systems requires a substantial
financial investment. DOE cites research estimating the value of the
control systems used to monitor and control the electric grid and the oil
and natural gas infrastructure at $3 billion to $4 billion.^4 The
thousands of remote field devices represent an additional investment of
$1.5 billion to $2.5 billion. Each year, the energy sector alone spends
over $200 million for control systems, networks, equipment, and related
components and at least that amount in personnel costs.
Control Systems: Types and Components
There are two primary types of control systems: distributed control
systems and supervisory control and data acquisition (SCADA) systems.
Distributed control systems typically are used within a single processing
or generating plant or over a small geographic area, while SCADA systems
typically are used for large, geographically dispersed operations. For
example, a utility company may use a distributed control system to manage
power generation and a SCADA system to manage its distribution.
A SCADA system is generally composed of six components: (1) instruments,
which sense conditions such as pH, temperature, pressure, power level, and
flow rate; (2) operating equipment, which includes pumps, valves,
conveyors, and substation breakers; (3) local processors, which
communicate with the site's instruments and operating equipment, collect
instrument data, and identify alarm conditions; (4) short-range
communication, which carry analog and discrete signals between the local
processors and the instruments and operating equipment; (5) host
computers, where a human operator can supervise the process, receive
alarms, review data, and exercise control; and (6) long-range
communications, which connect local processors and host computers using,
for example, leased phone lines, satellite, and cellular packet data.
^4Newton-Evans Research Company, Inc., World Market Study of SCADA, Energy
Management Systems and Distribution Management Systems in Electrical
Utilities: 2005-2007, (Ellicott City, Maryland: June 2005) as cited in
U.S. Department of Energy, Roadmap to Secure Control Systems in the Energy
Sector (Washington, D.C.: January 2006).
The Federal Government Plays a Critical Role in Helping Secure Critical
Infrastructures and Their Control Systems
Several key federal plans focus on securing critical infrastructure
control systems. The National Strategy to Secure Cyberspace^5 calls for
DHS and DOE to work in partnership with industry to develop best practices
and new technology to increase the security of critical infrastructure
control systems, to determine the most critical control systems-related
sites, and to develop a prioritized plan for short-term cyber security
improvements for those sites. In addition, DHS's National Infrastructure
Protection Plan^6 specifically identifies control systems as part of the
cyber infrastructure, establishes an objective of reducing vulnerabilities
and minimizing the severity of attacks on these systems, and identifies
programs directed at protecting control systems. Further, in May 2007, the
critical infrastructure sectors issued sector-specific plans to supplement
the National Infrastructure Protection Plan. Twelve sectors, including the
chemical, energy, water, information technology, postal, emergency
services, and telecommunications sectors, identified control systems
within their respective sectors. Of these, most identified control systems
as critical to their sector and listed efforts under way to help secure
them.
Critical Infrastructure Control Systems Face Increasing Risks Due to Cyber
Threats, Vulnerabilities, and the Potentially Serious Impact of an Attack
Cyber threats can be intentional and unintentional, targeted or
nontargeted, and can come from a variety of sources. Intentional threats
include both targeted and nontargeted attacks, while unintentional threats
can be caused by software upgrades or maintenance procedures that
inadvertently disrupt systems. A targeted attack is when a group or
individual specifically attacks a critical infrastructure system and a
nontargeted attack occurs when the intended target of the attack is
uncertain, such as when a virus, worm, or malware is released on the
Internet with no specific target.
There is increasing concern among both government officials and industry
experts regarding the potential for a cyber attack on a national critical
infrastructure, including the infrastructure's control systems. The
Federal Bureau of Investigation has identified multiple sources of threats
to our nation's critical infrastructures, including foreign nation states
engaged in information warfare, domestic criminals, hackers, and virus
writers, and disgruntled employees working within an organization.
^5The White House, The National Strategy to Secure Cyberspace.
^6Department of Homeland Security, National Infrastructure Protection Plan
(Washington, D.C.: June 2006).
Control Systems Are Vulnerable to Cyber Attacks
Control systems are vulnerable to flaws or weaknesses in system security
procedures, design, implementation, and internal controls. When these
weaknesses are accidentally triggered or intentionally exploited, they
could result in a security breach. Vulnerabilities could occur in control
systems' policies, platform (including hardware, operating systems, and
control system applications), or networks.
Federal and industry experts believe that critical infrastructure control
systems are more vulnerable today than in the past due to the increased
standardization of technologies, the increased connectivity of control
systems to other computer networks and the Internet, insecure connections,
and the widespread availability of technical information about control
systems. Further, it is not uncommon for control systems to be configured
with remote access through either a dial-up modem or over the Internet to
allow remote maintenance or around-the-clock monitoring. If control
systems are not properly secured, individuals and organizations may
eavesdrop on or interfere with these operations from remote locations.
Reported Control Systems Incidents Reveal the Potential for Substantial Impact
Reported attacks and unintentional incidents involving critical
infrastructure control systems demonstrate that a serious attack could be
devastating. Although there is not a comprehensive source for incident
reporting, the following examples, reported in government and media
sources,^7 demonstrate the potential impact of an attack.
o Bellingham, Washington, gasoline pipeline failure. In June 1999,
237,000 gallons of gasoline leaked from a 16-inch pipeline and
ignited an hour and a half later, causing three deaths, eight
injuries, and extensive property damage. The pipeline failure was
exacerbated by poorly performing control systems that limited the
ability of the pipeline controllers to see and react to the
situation.
o Maroochy Shire sewage spill. In the spring of 2000, a former
employee of an Australian software manufacturing organization
applied for a job with the local government, but was rejected.
Over a 2-month period, this individual reportedly used a radio
transmitter on as many as 46 occasions to remotely break into the
controls of a sewage treatment system. He altered electronic data
for particular sewerage pumping stations and caused malfunctions
in their operations, ultimately releasing about 264,000 gallons of
raw sewage into nearby rivers and parks.
o CSX train signaling system. In August 2003, the Sobig computer
virus shut down train signaling systems throughout the East Coast
of the United States. The virus infected the computer system at
CSX Corporation's Jacksonville, Florida, headquarters, shutting
down signaling, dispatching, and other systems. According to an
Amtrak spokesman, 10 Amtrak trains were affected. Train service
was either shut down or delayed up to 6 hours.
o Los Angeles traffic lights. According to several published
reports, in August 2006, two Los Angeles city employees hacked
into computers controlling the city's traffic lights and disrupted
signal lights at four intersections, causing substantial backups
and delays. The attacks were launched prior to an anticipated
labor protest by the employees.
o Harrisburg, Pennsylvania, water system. In October 2006, a
foreign hacker penetrated security at a water filtering plant. The
intruder planted malicious software that was capable of affecting
the plant's water treatment operations. The infection occurred
through the Internet and did not seem to be a direct attack on the
control system.
o Browns Ferry power plant. In August 2006, two circulation pumps
at Unit 3 of the Browns Ferry, Alabama, nuclear power plant
failed, forcing the unit to be shut down manually. The failure of
the pumps was traced to excessive traffic on the control system
network, possibly caused by the failure of another control system
device.
^7See National Institute of Standards and Technology, Special Publication
800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and
Industrial Control Systems Security: Recommendations of the National
Institute of Standards and Technology, (Gaithersburg, Maryland: September
2006); Los Angeles County District Attorneys Office
(da.co.la.ca.us/mr/010507a.htm), Two City Engineers Charged with Allegedly
Hacking Into City's Traffic Computer (Los Angeles, California: Jan. 5,
2007); and ISA
(www.isa.org/content/contentgroups/news/2006/november29/hackers_hit_pennsylvania_water_system.htm),
Hackers Hit Pennsylvania Water System, (Research Triangle Park, North
Carolina: Nov. 2, 2006).
As control systems become increasingly interconnected with other
networks and the Internet, and as the system capabilities continue
to increase, so do the threats, potential vulnerabilities, types
of attacks, and consequences of compromising these critical
systems.
The Private Sector Has Multiple Initiatives Under Way to Help Secure
Control Systems
Industry-specific organizations in various sectors, including the
electricity, oil and gas, and water sectors, have initiatives
under way to help improve control system security, including
developing standards and publishing guidance. Our report being
released today provides a detailed list of industry initiatives;
several of these initiatives are described below.
o Electricity. In 2007, the North American Electric Reliability
Corporation began implementing cyber security reliability
standards that apply to control systems and the Institute of
Electrical and Electronics Engineers has several standards working
groups addressing issues related to control systems security in
the industry.
o Oil and gas. The American Gas Association supported development
of a report that would recommend how to apply encryption to
protect gas utility control systems; and, over the past three
years, the American Petroleum Institute has published two
standards related to pipeline control systems integrity and
security and the design and implementation of control systems
displays.
o Water. The water sector includes about 150,000 water,
wastewater, and storm water organizations at all levels of
government and has worked with the Environmental Protection Agency
on development of the Water Sector-Specific Plan, which includes
some efforts on control systems security. In addition, the Awwa
Research Foundation is currently working on two research projects
related to the cyber security of water utility SCADA systems.
Federal Agencies Have Multiple Initiatives to Help Secure Critical
Infrastructure Control Systems, but More Remains to Be Done
Over the past few years, federal agencies-- including DHS, DOE,
and others--have initiated efforts to improve the security of
critical infrastructure control systems. For example, DHS is
sponsoring multiple control systems security initiatives,
including the Control System Cyber Security Self Assessment Tool,
an effort to improve control systems' cyber security using
vulnerability evaluation and response tools, and the Process
Control System Forum, to build relationships with control systems'
vendors and infrastructure asset owners. Additionally, DOE
sponsors control systems security efforts within the electric,
oil, and natural gas industries. These efforts include the
National SCADA Test Bed Program, which funds testing, assessments,
and training in control systems security, and the development of a
road map for securing control systems in the energy sector. Our
report being released today provides a more detailed list of
initiatives being led by federal agencies.
DHS, however, has not yet established a strategy to coordinate the
various control systems activities across federal agencies and the
private sector. In 2004, we recommended that DHS develop and
implement a strategy for coordinating control systems security
efforts among government agencies and the private sector.^8 DHS
agreed and issued a strategy that focused primarily on DHS's
initiatives. The strategy does not include ongoing work by DOE,
the Federal Energy Regulatory Commission, NIST, and others.
Further, it does not include the various agencies'
responsibilities, goals, milestones, or performance measures.
Until DHS develops an overarching strategy that delineates various
public and private entities' roles and responsibilities and uses
it to guide and coordinate control systems security activities,
the federal government and private sector risk investing in
duplicative activities and missing opportunities to learn from
other organizations' activities.
Further, DHS is responsible for sharing information with critical
infrastructure owners on control systems vulnerabilities, but
lacks a rapid, efficient process for disseminating sensitive
information to private industry owners and operators of critical
infrastructures. An agency official noted that sharing information
with the private sector can be slowed by staff turnover and
vacancies at DHS, the need to brief agency and executive branch
officials and congressional staff before briefing the private
sector, and difficulties in determining the appropriate
classification level for the information. Until the agency
establishes an approach for rapidly assessing the sensitivity of
vulnerability information and disseminating it--and thereby
demonstrates the value it can provide to critical infrastructure
owners--DHS's ability to effectively serve as a focal point in the
collection and dissemination of sensitive vulnerability
information will continue to be limited. Without a trusted focal
point for sharing sensitive information on vulnerabilities, there
is an increased risk that attacks on control systems could cause a
significant disruption to our nation's critical infrastructures.
^8GAO, Critical Infrastructure Protection: Challenges and Efforts to
Secure Control Systems, [26]GAO-04-354 , (Washington, D.C.: Mar. 15,
2004).
Implementation of GAO Recommendations Would Help Improve Federal
Control Systems Security Efforts
Control systems are an essential component of our nation's
critical infrastructure and their disruption could have a
significant impact on public health and safety. Given the
importance of control systems, in our report being released today,
we are recommending that the Secretary of the Department of
Homeland Security implement the following two actions:^9
o develop a strategy to guide efforts for securing control
systems, including agencies' responsibilities, as well as overall
goals, milestones, and performance measures and
o establish a rapid and secure process for sharing sensitive
control system vulnerability information with critical
infrastructure control system stakeholders, including vendors,
owners, and operators.
In its comments on our report, DHS neither agreed nor disagreed
with these recommendations, but stated that it would take them
under advisement. The agency also discussed new initiatives to
develop plans and processes that are consistent with our
recommendations.
In summary, past incidents involving control systems, system
vulnerabilities, and growing threats from a wide variety of
sources highlight the risks facing control systems. The public and
private sectors have begun numerous activities to improve the
cyber security of control systems. However, the federal government
lacks an overall strategy for coordinating public and private
sector efforts. DHS also lacks an efficient process for sharing
sensitive information on vulnerabilities with private sector
critical infrastructure owners.
Until DHS completes the comprehensive strategy, the public and
private sectors risk undertaking duplicative efforts. Further,
without a streamlined process for advising private sector
infrastructure owners of vulnerabilities, DHS is unable to fulfill
its responsibility as a focal point for disseminating this
information. If key vulnerability information is not in the hands
of those who can mitigate its potentially severe consequences,
there is an increased risk that attacks on control systems could
cause a significant disruption to our nation's critical
infrastructures.
^9 [27]GAO-07-1036 .
Mr. Chairman, this concludes my statement. I would be happy to
answer any questions that you or members of the subcommittee may
have at this time.
If you have any questions on matters discussed in this testimony,
please contact me at (202) 512-6244, or by e-mail at
[19][email protected] . Other key contributors to this testimony
include Scott Borre, Heather A. Collins, Neil J. Doherty, Vijay
D'Souza, Nancy Glover, Sairah Ijaz, Patrick Morton, and Colleen M.
Phillips (Assistant Director).
GAO's Mission
The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in
meeting its constitutional responsibilities and to help improve
the performance and accountability of the federal government for
the American people. GAO examines the use of public funds;
evaluates federal programs and policies; and provides analyses,
recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at
no cost is through GAO's Web site ( [20]www.gao.gov ). Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of
newly posted products every afternoon, go to [21]www.gao.gov and
select "E-mail Updates."
Order by Mail or Phone
The first copy of each printed report is free. Additional copies
are $2 each. A check or money order should be made out to the
Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are
discounted 25 percent. Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM
Washington, DC 20548
To order by Phone: Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: [22]www.gao.gov/fraudnet/fraudnet.htm
E-mail: [23][email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470
Congressional Relations
Gloria Jarmon, Managing Director, [24][email protected] , (202)
512-4400 U.S. Government Accountability Office, 441 G Street NW,
Room 7125 Washington, DC 20548
Public Affairs
Susan Becker, Acting Manager, [25][email protected] , (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548
(310860)
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
To view the full product, including the scope
and methodology, click on [28]GAO-08-119T .
For more information, contact Gregory C. Wilshusen at [email protected]
or at (202) 512-6244.
Highlights of [29]GAO-08-119T , a testimony before the Subcommittee on
Emerging Threats, Cybersecurity, and Science and Technology, Committee on
Homeland Security, House of Representatives
October 17, 2007
CRITICAL INFRASTRUCTURE PROTECTION
Multiple Efforts to Secure Control Systems Are Under Way, but Challenges
Remain
Control systems--computer-based systems that monitor and control sensitive
processes--perform vital functions in many of our nation's critical
infrastructures such as electric power generation, transmission, and
distribution; oil and gas refining; and water treatment and distribution.
The disruption of control systems could have a significant impact on
public health and safety, which makes securing them a national priority.
GAO was asked to testify on portions of its report on control systems
security being released today. This testimony summarizes the cyber
threats, vulnerabilities, and the potential impact of attacks on control
systems; identifies private sector initiatives; and assesses the adequacy
of public sector initiatives to strengthen the cyber security of control
systems. To address these objectives, GAO met with federal and private
sector officials to identify risks, initiatives, and challenges. GAO also
compared agency plans to best practices for securing critical
infrastructures.
[30]What GAO Recommends
In its report, GAO recommends that DHS improve coordination of control
systems activities and information sharing (see table). DHS neither agreed
nor disagreed with these recommendations, but stated that it would take
them under advisement. The agency also discussed new initiatives to
develop plans and processes that are consistent with GAO recommendations.
Critical infrastructure control systems face increasing risks due to cyber
threats, system vulnerabilities, and the serious potential impact of
attacks as demonstrated by reported incidents. Threats can be intentional
or unintentional, targeted or nontargeted, and can come from a variety of
sources. Control systems are more vulnerable to cyber attacks than in the
past for several reasons, including their increased connectivity to other
systems and the Internet. Further, as demonstrated by past attacks and
incidents involving control systems, the impact on a critical
infrastructure could be substantial. For example, in 2006, a foreign
hacker was reported to have planted malicious software capable of
affecting a water filtering plant's water treatment operations. Also in
2006, excessive traffic on a nuclear power plant's control system network
caused two circulation pumps to fail, forcing the unit to be shut down
manually.
Multiple private sector entities such as trade associations and standards
setting organizations are working to help secure control systems. Their
efforts include developing standards and providing guidance to members.
For example, the electricity industry has recently developed standards for
cyber security of control systems and a gas trade association is
developing guidance for members to use encryption to secure control
systems.
Federal agencies also have multiple initiatives under way to help secure
critical infrastructure control systems, but more remains to be done to
coordinate these efforts and to address specific shortfalls. Over the past
few years, federal agencies have initiated efforts to improve the security
of critical infrastructure control systems. However, there is as yet no
overall strategy to coordinate the various activities across federal
agencies and the private sector. Further, the Department of Homeland
Security (DHS) lacks processes needed to address specific weaknesses in
sharing information on control system vulnerabilities. Until public and
private sector security efforts are coordinated by an overarching
strategy, there is an increased risk that multiple organizations will
conduct duplicative work. In addition, until information-sharing
weaknesses are addressed, DHS risks not being able to effectively carry
out its responsibility for sharing information on vulnerabilities with the
private and public sectors.
GAO Recommendations to DHS
o Develop a strategy to guide efforts for securing control
systems, including agencies' responsibilities, as well as overall
goals, milestones, and performance measures.
o Establish a rapid and secure process for sharing sensitive
control system vulnerability information with critical
infrastructure control system stakeholders, including vendors,
owners, and operators.
References
Visible links
18. http://www.gao.gov/cgi-bin/getrpt?GAO-07-1036
19. mailto:[email protected]
20. http://www.gao.gov/
21. http://www.gao.gov/
22. http://www.gao.gov/fraudnet/fraudnet.htm
23. mailto:[email protected]
24. mailto:[email protected]
25. mailto:[email protected]
26. http://www.gao.gov/cgi-bin/getrpt?GAO-04-354
27. http://www.gao.gov/cgi-bin/getrpt?GAO-07-1036
28. http://www.gao.gov/cgi-bin/getrpt?GAO-08-119T
29. http://www.gao.gov/cgi-bin/getrpt?GAO-08-119T
*** End of document. ***