Critical Infrastructure Protection: Challenges in Securing Control Systems

Computerized control systems perform vital functions across many of our nation's critical infrastructures. For example, in natural gas distribution, they can monitor and control the pressure and flow of gas through pipelines; in the electric power industry, they can monitor and control the current and voltage of electricity through relays and circuit breakers; and in water treatment facilities, they can monitor and adjust water levels, pressure, and chemicals used for purification. In October 1997, the President's Commission on Critical Infrastructure Protection emphasized the increasing vulnerability of control systems to cyber attacks. The House Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census asked GAO to testify on potential cyber vulnerabilities. GAO's testimony focused on (1) significant cybersecurity risks associated with control systems; (2) potential and reported cyber attacks against these systems; (3) key challenges to securing control systems; and (4) steps that can be taken to strengthen the security of control systems, including current federal and private-sector initiatives.