GAO sees threats to industrial systems

Risks to industrial computer-based systems that control vital critical infrastructures, such as electrical grids, oil refining and pipelines, and water treatment and distribution, are increasing and could have devastating consequences, according to a General Accounting Office report released today.

But an official with the Homeland Security Department said the government is assessing vulnerabilities at such critical infrastructures and working toward shoring up those gaps.

In addition to increasing cyber threats, the GAO cited four factors contributing to the problem:

* With the growing adoption of standardized technologies, such as Microsoft Corp.'s Windows and Unix-like operating systems, there is also the risk of exploitation of known vulnerabilities in those technologies.

* Further vulnerabilities are created as such control systems — often referred to as Supervisory Control and Data Acquisition, or SCADA — are connected to other networks and the Internet.

* Insecure connections, such as dial-up modems or wireless, without use of authentication or encryption can jeopardize the data flow.

* Information about such control systems and infrastructures is widely available to the public through industry and government publications, maps and other materials and documents on the Internet.

"Control systems can be vulnerable to a variety of attacks that could have devastating consequences, such as endangering public health and safety, damaging the environment, or causing a loss of production, generation, or distribution of public utilities," said Robert Dacey, GAO's director of information security issues. "Control systems have already been subject to a number of cyberattacks, including documented attacks on a sewage treatment system in Australia in 1999 and, more recently, on a nuclear power plant in Ohio."

Dacey and others testified today before the House Government Reform Committee's Technology Information Policy, Intergovernmental Relations and the Census Subcommittee.

"It had never occurred to me that the potential threat from a computer somewhere half way around the world might exceed the harm that could be perpetrated by Mother Nature," said Rep. Adam Putnam (R-Fla.), the subcommittee's chairman. "I have learned that today's SCADA systems have been designed with little or no attention to computer security."

GAO officials recommended better coordination among the public and private sectors, better research and development of new security technologies, development of security standards, implementation of effective security management programs and better information sharing.

James McDonnell, director of DHS' Protective Security Division, which is part of the Information Analysis and Infrastructure Protection Directorate, said his group has identified 1,700 facilities that are targeted for security improvement.

"Of those sites, we have identified roughly 565 with process control systems," he said. "As appropriate, reduction in SCADA vulnerabilities will be undertaken just as reductions in physical vulnerabilities are."
