GAO sees threats to industrial systems

Risks to industrial computer-based systems that control vital critical infrastructures, such as electrical grids, oil refining and pipelines, and water treatment and distribution, are increasing and could have devastating consequences, according to a General Accounting Office report released today.

But an official with the Homeland Security Department said the government is assessing vulnerabilities at such critical infrastructures and working toward shoring up those gaps.

In addition to increasing cyber threats, the GAO cited four factors contributing to the problem:

* With the growing adoption of standardized technologies, such as Microsoft Corp.'s Windows and Unix-like operating systems, there is also the risk of exploitation of known vulnerabilities in those technologies.

* Further vulnerabilities are created as such control systems — often referred to as Supervisory Control and Data Acquisition, or SCADA — are connected to other networks and the Internet.

* Insecure connections, such as dial-up modems or wireless, without use of authentication or encryption can jeopardize the data flow.

* Information about such control systems and infrastructures is widely available to the public through industry and government publications, maps and other materials and documents through the Internet.

"Control systems can be vulnerable to a variety of attacks that could have devastating consequences, such as endangering public health and safety, damaging the environment, or causing a loss of production, generation, or distribution of public utilities," said Robert Dacey, GAO's director of information security issues. "Control systems have already been subject to a number of cyberattacks, including documented attacks on a sewage treatment system in Australia in 1999 and, more recently, on a nuclear power plant in Ohio."

Dacey and others testified today before the House Government Reform Committee's Technology, Information Policy, Intergovernmental Relations and the Census Subcommittee.

"It had never occurred to me that the potential threat from a computer somewhere halfway around the world might exceed the harm that could be perpetrated by Mother Nature," said Rep. Adam Putnam (R-Fla.), the subcommittee's chairman. "I have learned that today's SCADA systems have been designed with little or no attention to computer security."

GAO officials recommended better coordination among the public and private sectors, better research and development of new security technologies, development of security standards, implementation of effective security management programs and better information sharing.

James McDonnell, director of DHS' Protective Security Division, which is part of the Information Analysis and Infrastructure Protection Directorate, said his group has identified 1,700 facilities that are targeted for security improvement.

"Of those sites, we have identified roughly 565 with process control systems," he said. "As appropriate, reduction in SCADA vulnerabilities will be undertaken just as reductions in physical vulnerabilities are."

