GAO sees threats to industrial systems

Risks to industrial computer-based systems that control vital critical infrastructures, such as electrical grids, oil refining and pipelines, and water treatment and distribution, are increasing and could have devastating consequences, according to a General Accounting Office report released today.

But an official with the Homeland Security Department said the government is assessing vulnerabilities at such critical infrastructures and working toward shoring up those gaps.

In addition to increasing cyber threats, the GAO cited four factors contributing to the problem:

* With the growing adoption of standardized technologies, such as Microsoft Corp.'s Windows and Unix-like operating systems, there is also the risk of exploitation of known vulnerabilities in those technologies.

* Further vulnerabilities are created as such control systems — often referred to as Supervisory Control and Data Acquisition, or SCADA — are connected to other networks and the Internet.

* Insecure connections, such as dial-up modems or wireless, without use of authentication or encryption can jeopardize the data flow.

* Information about such control systems and infrastructures are widely available to the public though industry and government publications, maps and other materials and documents through the Internet.

"Control systems can be vulnerable to a variety of attacks that could have devastating consequences, such as endangering public health and safety, damaging the environment, or causing a loss of production, generation, or distribution of public utilities," said Robert Dacey, GAO's director of information security issues. "Control systems have already been subject to a number of cyberattacks, including documented attacks on a sewage treatment system in Australia in 1999 and, more recently, on a nuclear power plant in Ohio."

Dacey and others testified today before the House Government Reform Committee's Technology Information Policy, Intergovernmental Relations and the Census Subcommittee.

"It had never occurred to me that the potential threat from a computer somewhere half way around the world might exceed the harm that could be perpetrated by Mother Nature," said Rep. Adam Putnam (R-Fla.), the subcommittee's chairman. "I have learned that today's SCADA systems have been designed with little or no attention to computer security."

GAO officials recommended better coordination among the public and private sectors, better research and development of new security technologies, development of security standards, implementation of effective security management programs and better information sharing.

James McDonnell, director of DHS' Protective Security Division, which is part of the Information Analysis and Infrastructure Protection Directorate, said his group has identified 1,700 facilities that are targeted for security improvement.

"Of those sites, we have identified roughly 565 with process control systems," he said. "As appropriate, reduction in SCADA vulnerabilities will be undertaken just as reductions in physical vulnerabilities are."

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.