GAO sees threats to industrial systems

Risks to industrial computer-based systems that control vital critical infrastructures, such as electrical grids, oil refining and pipelines, and water treatment and distribution, are increasing and could have devastating consequences, according to a General Accounting Office report released today.

But an official with the Homeland Security Department said the government is assessing vulnerabilities at such critical infrastructures and working toward shoring up those gaps.

In addition to increasing cyber threats, the GAO cited four factors contributing to the problem:

* With the growing adoption of standardized technologies, such as Microsoft Corp.'s Windows and Unix-like operating systems, there is also the risk of exploitation of known vulnerabilities in those technologies.

* Further vulnerabilities are created as such control systems — often referred to as Supervisory Control and Data Acquisition, or SCADA — are connected to other networks and the Internet.

* Insecure connections, such as dial-up modems or wireless links used without authentication or encryption, can jeopardize the data flow.

* Information about such control systems and infrastructures is widely available to the public through industry and government publications, maps and other materials and documents on the Internet.

"Control systems can be vulnerable to a variety of attacks that could have devastating consequences, such as endangering public health and safety, damaging the environment, or causing a loss of production, generation, or distribution of public utilities," said Robert Dacey, GAO's director of information security issues. "Control systems have already been subject to a number of cyberattacks, including documented attacks on a sewage treatment system in Australia in 1999 and, more recently, on a nuclear power plant in Ohio."

Dacey and others testified today before the House Government Reform Committee's Technology Information Policy, Intergovernmental Relations and the Census Subcommittee.

"It had never occurred to me that the potential threat from a computer somewhere half way around the world might exceed the harm that could be perpetrated by Mother Nature," said Rep. Adam Putnam (R-Fla.), the subcommittee's chairman. "I have learned that today's SCADA systems have been designed with little or no attention to computer security."

GAO officials recommended better coordination among the public and private sectors, better research and development of new security technologies, development of security standards, implementation of effective security management programs and better information sharing.

James McDonnell, director of DHS' Protective Security Division, which is part of the Information Analysis and Infrastructure Protection Directorate, said his group has identified 1,700 facilities that are targeted for security improvement.

"Of those sites, we have identified roughly 565 with process control systems," he said. "As appropriate, reduction in SCADA vulnerabilities will be undertaken just as reductions in physical vulnerabilities are."
