Critical Infrastructure Protection

Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain

GAO ID: GAO-08-119T, October 17, 2007

Control systems--computer-based systems that monitor and control sensitive processes--perform vital functions in many of our nation's critical infrastructures such as electric power generation, transmission, and distribution; oil and gas refining; and water treatment and distribution. The disruption of control systems could have a significant impact on public health and safety, which makes securing them a national priority. GAO was asked to testify on portions of its report on control systems security being released today. This testimony summarizes the cyber threats, vulnerabilities, and the potential impact of attacks on control systems; identifies private sector initiatives; and assesses the adequacy of public sector initiatives to strengthen the cyber security of control systems. To address these objectives, GAO met with federal and private sector officials to identify risks, initiatives, and challenges. GAO also compared agency plans to best practices for securing critical infrastructures.

Critical infrastructure control systems face increasing risks due to cyber threats, system vulnerabilities, and the serious potential impact of attacks as demonstrated by reported incidents. Threats can be intentional or unintentional, targeted or nontargeted, and can come from a variety of sources. Control systems are more vulnerable to cyber attacks than in the past for several reasons, including their increased connectivity to other systems and the Internet. Further, as demonstrated by past attacks and incidents involving control systems, the impact on a critical infrastructure could be substantial. For example, in 2006, a foreign hacker was reported to have planted malicious software capable of affecting a water filtering plant's water treatment operations. Also in 2006, excessive traffic on a nuclear power plant's control system network caused two circulation pumps to fail, forcing the unit to be shut down manually. Multiple private sector entities such as trade associations and standards setting organizations are working to help secure control systems. Their efforts include developing standards and providing guidance to members. For example, the electricity industry has recently developed standards for cyber security of control systems and a gas trade association is developing guidance for members to use encryption to secure control systems. Federal agencies also have multiple initiatives under way to help secure critical infrastructure control systems, but more remains to be done to coordinate these efforts and to address specific shortfalls. Over the past few years, federal agencies have initiated efforts to improve the security of critical infrastructure control systems. However, there is as yet no overall strategy to coordinate the various activities across federal agencies and the private sector. 
Further, the Department of Homeland Security (DHS) lacks processes needed to address specific weaknesses in sharing information on control system vulnerabilities. Until public and private sector security efforts are coordinated by an overarching strategy, there is an increased risk that multiple organizations will conduct duplicative work. In addition, until information-sharing weaknesses are addressed, DHS risks not being able to effectively carry out its responsibility for sharing information on vulnerabilities with the private and public sectors.



United States Government Accountability Office (GAO)

Testimony before the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Committee on Homeland Security, House of Representatives

For release on delivery, expected at 2:00 p.m. EDT, Wednesday, October 17, 2007

Statement of Gregory C. Wilshusen, Director, Information Security Issues

GAO Recommendations to DHS:

* Develop a strategy to guide efforts for securing control systems, including agencies' responsibilities, as well as overall goals, milestones, and performance measures.
* Establish a rapid and secure process for sharing sensitive control system vulnerability information with critical infrastructure control system stakeholders, including vendors, owners, and operators.

What GAO Recommends:

In its report, GAO recommends that DHS improve coordination of control systems activities and information sharing (see table). DHS neither agreed nor disagreed with these recommendations, but stated that it would take them under advisement. The agency also discussed new initiatives to develop plans and processes that are consistent with GAO recommendations.

To view the full product, including the scope and methodology, click on [hyperlink, http://GAO-08-119T]. For more information, contact Gregory C. Wilshusen at wilshuseng@gao.gov or at (202) 512-6244.

[End of section]

Mr. Chairman and Members of the Subcommittee:

Thank you for the opportunity to join today's hearing on the cyber threat to control systems. Control systems perform vital functions in many of our nation's critical infrastructures, including electric power generation, transmission, and distribution; oil and gas refining and pipelines; water treatment and distribution; chemical production and processing; railroads and mass transit; and manufacturing. In 2003, the National Strategy to Secure Cyberspace[Footnote 1] reported that the disruption of control systems could have significant consequences for public health and safety and made securing these systems a national priority. This strategy further states that both the private and public sectors have a role in securing control systems and directs the Department of Homeland Security (DHS), in coordination with the Department of Energy (DOE) and other agencies, to work in partnership with private industry in increasing awareness of the importance of efforts to secure control systems, developing standards, and improving policies with respect to control systems security.
As requested, our testimony summarizes portions of a report being released today that discusses (1) the cyber threats, vulnerabilities, and the potential impact of attacks on critical infrastructure control systems; (2) private sector initiatives to strengthen the cyber security of control systems; and (3) the adequacy of public sector initiatives to strengthen the cyber security of control systems.[Footnote 2] In preparing for this testimony, we relied on our work supporting the report, which contains a detailed overview of our scope and methodology. All the work on which this testimony is based was performed in accordance with generally accepted government auditing standards.

Results in Brief:

Critical infrastructure control systems face increasing risks due to cyber threats, system vulnerabilities, and the serious potential impact of attacks as demonstrated by reported incidents. Threats can be intentional or unintentional, targeted or nontargeted, and can come from a variety of sources. Control systems are more vulnerable to cyber attacks than they were in the past for several reasons, including their increased connectivity to other systems and the Internet. Further, as demonstrated by past attacks and incidents involving control systems, the impact on a critical infrastructure could be substantial. For example, in 2006, a foreign hacker was reported to have planted malicious software[Footnote 3] capable of affecting a water filtering plant's water treatment operations; and, also in 2006, excessive traffic on a nuclear power plant's control system network--possibly caused by the failure of another control system device--caused two circulation pumps to fail, forcing the unit to be shut down manually.

Multiple private sector entities such as trade associations and standards setting organizations specific to the electric, chemical, oil and gas, and water sectors are working to help secure control systems.
These entities are developing standards, providing guidance to members, and hosting workshops on control systems security.

Over the past few years, federal agencies--including DHS, DOE, the National Institute of Standards and Technology (NIST), and others--have initiated efforts to improve the security of critical infrastructure control systems. However, there is as yet no overall strategy to coordinate the various control systems activities across federal agencies and the private sector. Further, DHS lacks processes needed to address specific weaknesses in sharing information on control system vulnerabilities. Until public and private sector security efforts are coordinated by an overarching strategy, there is an increased risk that multiple organizations will conduct duplicative work and miss opportunities to learn from other organizations' activities. In addition, until information-sharing weaknesses are addressed, DHS risks not being able to effectively carry out its responsibility for sharing information on vulnerabilities with the private and public sectors.

Given the importance of these issues, in our report being released today, we are making recommendations to the Secretary of the Department of Homeland Security to (1) develop a strategy for coordinating control systems security efforts and (2) enhance information sharing with control systems stakeholders. In its comments on our report, DHS neither agreed nor disagreed with these recommendations, but stated that it would take them under advisement. The agency also discussed new initiatives to develop plans and processes that are consistent with our recommendations.

Background:

Critical infrastructures are physical or virtual systems and assets so vital to the nation that their incapacitation or destruction would have a debilitating impact on national and economic security and on public health and safety.
These systems and assets--such as the electric power grid, chemical plants, and water treatment facilities--are essential to the operations of the economy and the government. Recent terrorist attacks and threats have underscored the need to protect our nation's critical infrastructures. If vulnerabilities in these infrastructures are exploited, our nation's critical infrastructures could be disrupted or disabled, possibly causing loss of life, physical damage, and economic losses. Although the vast majority of our nation's critical infrastructures are owned by the private sector, the federal government owns and operates key facilities that use control systems, including oil, gas, water, energy, and nuclear facilities.

Control Systems Are Used in Many Critical Infrastructures:

Control systems are computer-based systems that are used within many infrastructures and industries to monitor and control sensitive processes and physical functions. Typically, control systems collect sensor measurements and operational data from the field, process and display this information, and relay control commands to local or remote equipment. Control systems perform functions that range from simple to complex. They can be used to simply monitor processes--for example, the environmental conditions in a small office building--or to manage the complex activities of a municipal water system or a nuclear power plant.

In the electric power industry, control systems can be used to manage and control the generation, transmission, and distribution of electric power. For example, control systems can open and close circuit breakers and set thresholds for preventive shutdowns. The oil and gas industry uses integrated control systems to manage refining operations at plant sites, remotely monitor the pressure and flow of gas pipelines, and control the flow and pathways of gas transmission.
Water utilities can remotely monitor well levels and control the wells' pumps; monitor flows, tank levels, or pressure in storage tanks; monitor water quality characteristics such as pH, turbidity, and chlorine residual; and control the addition of chemicals to the water.

Installing and maintaining control systems requires a substantial financial investment. DOE cites research estimating the value of the control systems used to monitor and control the electric grid and the oil and natural gas infrastructure at $3 billion to $4 billion.[Footnote 4] The thousands of remote field devices represent an additional investment of $1.5 billion to $2.5 billion. Each year, the energy sector alone spends over $200 million for control systems, networks, equipment, and related components and at least that amount in personnel costs.

Control Systems: Types and Components:

There are two primary types of control systems: distributed control systems and supervisory control and data acquisition (SCADA) systems. Distributed control systems typically are used within a single processing or generating plant or over a small geographic area, while SCADA systems typically are used for large, geographically dispersed operations. For example, a utility company may use a distributed control system to manage power generation and a SCADA system to manage its distribution.
A SCADA system is generally composed of six components: (1) instruments, which sense conditions such as pH, temperature, pressure, power level, and flow rate; (2) operating equipment, which includes pumps, valves, conveyors, and substation breakers; (3) local processors, which communicate with the site's instruments and operating equipment, collect instrument data, and identify alarm conditions; (4) short-range communications, which carry analog and discrete signals between the local processors and the instruments and operating equipment; (5) host computers, where a human operator can supervise the process, receive alarms, review data, and exercise control; and (6) long-range communications, which connect local processors and host computers using, for example, leased phone lines, satellite, and cellular packet data.

The Federal Government Plays a Critical Role in Helping Secure Critical Infrastructures and Their Control Systems:

Several key federal plans focus on securing critical infrastructure control systems. The National Strategy to Secure Cyberspace[Footnote 5] calls for DHS and DOE to work in partnership with industry to develop best practices and new technology to increase the security of critical infrastructure control systems, to determine the most critical control systems-related sites, and to develop a prioritized plan for short-term cyber security improvements for those sites. In addition, DHS's National Infrastructure Protection Plan[Footnote 6] specifically identifies control systems as part of the cyber infrastructure, establishes an objective of reducing vulnerabilities and minimizing the severity of attacks on these systems, and identifies programs directed at protecting control systems. Further, in May 2007, the critical infrastructure sectors issued sector-specific plans to supplement the National Infrastructure Protection Plan.
Twelve sectors, including the chemical, energy, water, information technology, postal, emergency services, and telecommunications sectors, identified control systems within their respective sectors. Of these, most identified control systems as critical to their sector and listed efforts under way to help secure them.

Critical Infrastructure Control Systems Face Increasing Risks Due to Cyber Threats, Vulnerabilities, and the Potentially Serious Impact of an Attack:

Cyber threats can be intentional and unintentional, targeted or nontargeted, and can come from a variety of sources. Intentional threats include both targeted and nontargeted attacks, while unintentional threats can be caused by software upgrades or maintenance procedures that inadvertently disrupt systems. A targeted attack is when a group or individual specifically attacks a critical infrastructure system and a nontargeted attack occurs when the intended target of the attack is uncertain, such as when a virus, worm, or malware is released on the Internet with no specific target.

There is increasing concern among both government officials and industry experts regarding the potential for a cyber attack on a national critical infrastructure, including the infrastructure's control systems. The Federal Bureau of Investigation has identified multiple sources of threats to our nation's critical infrastructures, including foreign nation states engaged in information warfare, domestic criminals, hackers, and virus writers, and disgruntled employees working within an organization.

Control Systems Are Vulnerable to Cyber Attacks:

Control systems are vulnerable to flaws or weaknesses in system security procedures, design, implementation, and internal controls. When these weaknesses are accidentally triggered or intentionally exploited, they could result in a security breach.
Vulnerabilities could occur in control systems' policies, platform (including hardware, operating systems, and control system applications), or networks.

Federal and industry experts believe that critical infrastructure control systems are more vulnerable today than in the past due to the increased standardization of technologies, the increased connectivity of control systems to other computer networks and the Internet, insecure connections, and the widespread availability of technical information about control systems. Further, it is not uncommon for control systems to be configured with remote access through either a dial-up modem or over the Internet to allow remote maintenance or around-the-clock monitoring. If control systems are not properly secured, individuals and organizations may eavesdrop on or interfere with these operations from remote locations.

Reported Control Systems Incidents Reveal the Potential for Substantial Impact:

Reported attacks and unintentional incidents involving critical infrastructure control systems demonstrate that a serious attack could be devastating. Although there is not a comprehensive source for incident reporting, the following examples, reported in government and media sources,[Footnote 7] demonstrate the potential impact of an attack.

* Bellingham, Washington, gasoline pipeline failure. In June 1999, 237,000 gallons of gasoline leaked from a 16-inch pipeline and ignited an hour and a half later, causing three deaths, eight injuries, and extensive property damage. The pipeline failure was exacerbated by poorly performing control systems that limited the ability of the pipeline controllers to see and react to the situation.
* Maroochy Shire sewage spill. In the spring of 2000, a former employee of an Australian software manufacturing organization applied for a job with the local government, but was rejected.
Over a 2-month period, this individual reportedly used a radio transmitter on as many as 46 occasions to remotely break into the controls of a sewage treatment system. He altered electronic data for particular sewerage pumping stations and caused malfunctions in their operations, ultimately releasing about 264,000 gallons of raw sewage into nearby rivers and parks.
* CSX train signaling system. In August 2003, the Sobig computer virus shut down train signaling systems throughout the East Coast of the United States. The virus infected the computer system at CSX Corporation's Jacksonville, Florida, headquarters, shutting down signaling, dispatching, and other systems. According to an Amtrak spokesman, 10 Amtrak trains were affected. Train service was either shut down or delayed up to 6 hours.
* Los Angeles traffic lights. According to several published reports, in August 2006, two Los Angeles city employees hacked into computers controlling the city's traffic lights and disrupted signal lights at four intersections, causing substantial backups and delays. The attacks were launched prior to an anticipated labor protest by the employees.
* Harrisburg, Pennsylvania, water system. In October 2006, a foreign hacker penetrated security at a water filtering plant. The intruder planted malicious software that was capable of affecting the plant's water treatment operations. The infection occurred through the Internet and did not seem to be a direct attack on the control system.
* Browns Ferry power plant. In August 2006, two circulation pumps at Unit 3 of the Browns Ferry, Alabama, nuclear power plant failed, forcing the unit to be shut down manually. The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device.
As control systems become increasingly interconnected with other networks and the Internet, and as the system capabilities continue to increase, so do the threats, potential vulnerabilities, types of attacks, and consequences of compromising these critical systems.

The Private Sector Has Multiple Initiatives Under Way to Help Secure Control Systems:

Industry-specific organizations in various sectors, including the electricity, oil and gas, and water sectors, have initiatives under way to help improve control system security, including developing standards and publishing guidance. Our report being released today provides a detailed list of industry initiatives; several of these initiatives are described below.

* Electricity. In 2007, the North American Electric Reliability Corporation began implementing cyber security reliability standards that apply to control systems and the Institute of Electrical and Electronics Engineers has several standards working groups addressing issues related to control systems security in the industry.
* Oil and gas. The American Gas Association supported development of a report that would recommend how to apply encryption to protect gas utility control systems; and, over the past three years, the American Petroleum Institute has published two standards related to pipeline control systems integrity and security and the design and implementation of control systems displays.
* Water. The water sector includes about 150,000 water, wastewater, and storm water organizations at all levels of government and has worked with the Environmental Protection Agency on development of the Water Sector-Specific Plan, which includes some efforts on control systems security. In addition, the Awwa Research Foundation is currently working on two research projects related to the cyber security of water utility SCADA systems.
Federal Agencies Have Multiple Initiatives to Help Secure Critical Infrastructure Control Systems, but More Remains to Be Done:

Over the past few years, federal agencies--including DHS, DOE, and others--have initiated efforts to improve the security of critical infrastructure control systems. For example, DHS is sponsoring multiple control systems security initiatives, including the Control System Cyber Security Self Assessment Tool, an effort to improve control systems' cyber security using vulnerability evaluation and response tools, and the Process Control System Forum, to build relationships with control systems' vendors and infrastructure asset owners. Additionally, DOE sponsors control systems security efforts within the electric, oil, and natural gas industries. These efforts include the National SCADA Test Bed Program, which funds testing, assessments, and training in control systems security, and the development of a road map for securing control systems in the energy sector. Our report being released today provides a more detailed list of initiatives being led by federal agencies.

DHS, however, has not yet established a strategy to coordinate the various control systems activities across federal agencies and the private sector. In 2004, we recommended that DHS develop and implement a strategy for coordinating control systems security efforts among government agencies and the private sector.[Footnote 8] DHS agreed and issued a strategy that focused primarily on DHS's initiatives. The strategy does not include ongoing work by DOE, the Federal Energy Regulatory Commission, NIST, and others. Further, it does not include the various agencies' responsibilities, goals, milestones, or performance measures.
Until DHS develops an overarching strategy that delineates various public and private entities' roles and responsibilities and uses it to guide and coordinate control systems security activities, the federal government and private sector risk investing in duplicative activities and missing opportunities to learn from other organizations' activities.

Further, DHS is responsible for sharing information with critical infrastructure owners on control systems vulnerabilities, but lacks a rapid, efficient process for disseminating sensitive information to private industry owners and operators of critical infrastructures. An agency official noted that sharing information with the private sector can be slowed by staff turnover and vacancies at DHS, the need to brief agency and executive branch officials and congressional staff before briefing the private sector, and difficulties in determining the appropriate classification level for the information. Until the agency establishes an approach for rapidly assessing the sensitivity of vulnerability information and disseminating it--and thereby demonstrates the value it can provide to critical infrastructure owners--DHS's ability to effectively serve as a focal point in the collection and dissemination of sensitive vulnerability information will continue to be limited. Without a trusted focal point for sharing sensitive information on vulnerabilities, there is an increased risk that attacks on control systems could cause a significant disruption to our nation's critical infrastructures.

Implementation of GAO Recommendations Would Help Improve Federal Control Systems Security Efforts:

Control systems are an essential component of our nation's critical infrastructure and their disruption could have a significant impact on public health and safety.
Given the importance of control systems, in our report being released today, we are recommending that the Secretary of the Department of Homeland Security implement the following two actions:[Footnote 9]

* develop a strategy to guide efforts for securing control systems, including agencies' responsibilities, as well as overall goals, milestones, and performance measures and
* establish a rapid and secure process for sharing sensitive control system vulnerability information with critical infrastructure control system stakeholders, including vendors, owners, and operators.

In its comments on our report, DHS neither agreed nor disagreed with these recommendations, but stated that it would take them under advisement. The agency also discussed new initiatives to develop plans and processes that are consistent with our recommendations.

In summary, past incidents involving control systems, system vulnerabilities, and growing threats from a wide variety of sources highlight the risks facing control systems. The public and private sectors have begun numerous activities to improve the cyber security of control systems. However, the federal government lacks an overall strategy for coordinating public and private sector efforts. DHS also lacks an efficient process for sharing sensitive information on vulnerabilities with private sector critical infrastructure owners. Until DHS completes the comprehensive strategy, the public and private sectors risk undertaking duplicative efforts. Further, without a streamlined process for advising private sector infrastructure owners of vulnerabilities, DHS is unable to fulfill its responsibility as a focal point for disseminating this information. If key vulnerability information is not in the hands of those who can mitigate its potentially severe consequences, there is an increased risk that attacks on control systems could cause a significant disruption to our nation's critical infrastructures.

Mr. Chairman, this concludes my statement.
I would be happy to answer any questions that you or members of the subcommittee may have at this time.

If you have any questions on matters discussed in this testimony, please contact me at (202) 512-6244, or by e-mail at wilshuseng@gao.gov. Other key contributors to this testimony include Scott Borre, Heather A. Collins, Neil J. Doherty, Vijay D'Souza, Nancy Glover, Sairah Ijaz, Patrick Morton, and Colleen M. Phillips (Assistant Director).

[End of section]

Footnotes:

[1] The White House, The National Strategy to Secure Cyberspace (Washington, D.C.: February 2003).

[2] GAO, Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain, GAO-07-1036 (Washington, D.C.: Oct. 17, 2007).

[3] "Malware" (malicious software) is defined as programs that are designed to carry out annoying or harmful actions. They often masquerade as useful programs or are embedded into useful programs so that users are induced into activating them.

[4] Newton-Evans Research Company, Inc., World Market Study of SCADA, Energy Management Systems and Distribution Management Systems in Electrical Utilities: 2005-2007 (Ellicott City, Maryland: June 2005), as cited in U.S. Department of Energy, Roadmap to Secure Control Systems in the Energy Sector (Washington, D.C.: January 2006).

[5] The White House, The National Strategy to Secure Cyberspace.

[6] Department of Homeland Security, National Infrastructure Protection Plan (Washington, D.C.: June 2006).

[7] See National Institute of Standards and Technology, Special Publication 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security: Recommendations of the National Institute of Standards and Technology (Gaithersburg, Maryland: September 2006); Los Angeles County District Attorneys Office (da.co.la.ca.us/mr/010507a.htm), Two City Engineers Charged with Allegedly Hacking Into City's Traffic Computer (Los Angeles, California: Jan. 5, 2007); and ISA [hyperlink, http://www.isa.org/content/contentgroups/news/2006/november29/hackers_hit_pennsylvania_water_system.htm], Hackers Hit Pennsylvania Water System (Research Triangle Park, North Carolina: Nov. 2, 2006).

[8] GAO, Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems, GAO-04-354 (Washington, D.C.: Mar. 15, 2004).

[9] GAO-07-1036.

[End of section]
