Critical Infrastructure Protection:

Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain

GAO-07-1036: Published: Sep 10, 2007. Publicly Released: Oct 17, 2007.

Contact:

David A. Powner
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Control systems--computer-based systems that monitor and control sensitive processes and physical functions--perform vital functions in many of our nation's critical infrastructures, including electric power, oil and gas, water treatment, and chemical production. The disruption of control systems could have a significant impact on public health and safety, which makes securing them a national priority. GAO was asked to (1) determine cyber threats, vulnerabilities, and the potential impact of attacks on critical infrastructure control systems; (2) determine the challenges to securing these systems; (3) identify private sector initiatives to strengthen the cybersecurity of control systems; and (4) assess the adequacy of public sector initiatives to strengthen the cybersecurity of control systems. To address these objectives, we met with federal and private sector officials to identify risks, initiatives, and challenges. We also compared agency plans to best practices for securing critical infrastructures.

Critical infrastructure control systems face increasing risks due to cyber threats, system vulnerabilities, and the serious potential impact of attacks as demonstrated by reported incidents. Threats can be intentional or unintentional, targeted or nontargeted, and can come from a variety of sources. Control systems are more vulnerable to cyber attacks than in the past for several reasons, including their increased connectivity to other systems and the Internet. Further, as demonstrated by past attacks and incidents involving control systems, the impact on a critical infrastructure could be substantial. For example, in 2003, a computer virus was blamed for shutting down train signaling systems throughout the East Coast and in 2006, a foreign hacker was reported to have planted malicious software capable of affecting a water filtering plant's treatment operations.

Critical infrastructure owners face both technical and organizational challenges to securing control systems. Technical challenges--including control systems' limited processing capabilities, real-time operations, and design constraints--hinder an infrastructure owner's ability to implement traditional information technology security processes, such as strong user authentication and patch management. Organizational challenges include difficulty in developing a compelling business case for investing in control systems security and differing priorities of information security personnel and control systems engineers.

Multiple private sector entities such as trade associations and standards setting organizations are working to help secure control systems. Their efforts include developing standards, providing guidance to members, and hosting workshops on control systems security. For example, the electricity industry has recently developed standards for cybersecurity of control systems and a gas trade association is developing guidance for members to use encryption to secure control systems.

Federal agencies also have multiple initiatives under way to help secure critical infrastructure control systems, but more remains to be done to coordinate these efforts and to address specific shortfalls. Over the past few years, federal agencies--including the Department of Homeland Security, the Department of Energy, and the Federal Energy Regulatory Commission (FERC)--have initiated efforts to improve the security of critical infrastructure control systems. However, there is as yet no overall strategy to coordinate the various activities across federal agencies and the private sector. Further, DHS lacks processes needed to address specific weaknesses in sharing information on control system vulnerabilities. Until public and private sector security efforts are coordinated by an overarching strategy and specific information sharing shortfalls are addressed, there is an increased risk that multiple organizations will conduct duplicative work and miss opportunities to fulfill their critical missions.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: To improve federal government efforts to secure control systems governing critical infrastructure, the Secretary of the Department of Homeland Security should develop a strategy to guide efforts for securing control systems, including agencies' responsibilities, as well as overall goals, milestones, and performance measures.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: In response to this recommendation, DHS issued a 2009 Strategy for Securing Control Systems which included agencies' responsibilities and overall goals. In addition, DHS worked with the public and private sectors to establish roadmaps and plans which include milestones and performance measures. As a result of these actions, DHS has improved the federal government's ability to coordinate activities to improve the security of critical infrastructure control systems.

    Recommendation: To improve federal government efforts to secure control systems governing critical infrastructure, the Secretary of the Department of Homeland Security should establish a rapid and secure process for sharing sensitive control system vulnerability information with critical infrastructure control system stakeholders, including vendors, owners, and operators.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: In response to this recommendation, in 2010, DHS established a standardized process to share vulnerability information securely with control system stakeholders. The process includes steps to address the handling of incoming and outgoing communications, and the analysis and reporting of vulnerability information. As a result of establishing this process, federal agencies are equipped to more effectively and securely share vulnerability information with critical infrastructure stakeholders and DHS can more effectively serve as a focal point in the collection and dissemination of sensitive vulnerability information.
