Critical Infrastructure Protection
Challenges and Efforts to Secure Control Systems
GAO ID: GAO-04-354, March 15, 2004
Computerized control systems perform vital functions across many of our nation's critical infrastructures. For example, in natural gas distribution, they can monitor and control the pressure and flow of gas through pipelines. In October 1997, the President's Commission on Critical Infrastructure Protection emphasized the increasing vulnerability of control systems to cyber attacks. The House Committee on Government Reform and its Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census asked GAO to report on potential cyber vulnerabilities, focusing on (1) significant cybersecurity risks associated with control systems, (2) potential and reported cyber attacks against these systems, (3) key challenges to securing control systems, and (4) efforts to strengthen the cybersecurity of control systems.
In addition to general cyber threats, which have been steadily increasing, several factors have contributed to the escalation of the risks of cyber attacks against control systems. These include the adoption of standardized technologies with known vulnerabilities and the increased connectivity of control systems to other systems. Control systems can be vulnerable to a variety of attacks, examples of which have already occurred. Successful attacks on control systems could have devastating consequences, such as endangering public health and safety. Securing control systems poses significant challenges, including limited specialized security technologies and lack of economic justification. The government, academia, and private industry have initiated efforts to strengthen the cybersecurity of control systems. The President's National Strategy to Secure Cyberspace establishes a role for DHS to coordinate with these entities to improve the cybersecurity of control systems. While some coordination is occurring, DHS's coordination of these efforts could accelerate the development and implementation of more secure systems. Without effective coordination of these efforts, there is a risk of delaying the development and implementation of more secure systems to manage our critical infrastructures.
GAO-04-354, Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems
This is the accessible text file for GAO report number GAO-04-354
entitled 'Critical Infrastructure Protection: Challenges and Efforts to
Secure Control Systems' which was released on March 30, 2004.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States General Accounting Office:
GAO:
March 2004:
Critical Infrastructure Protection:
Challenges and Efforts to Secure Control Systems:
GAO-04-354:
GAO Highlights:
Highlights of GAO-04-354, a report to congressional requesters
Why GAO Did This Study:
Computerized control systems perform vital functions across many of our
nation's critical infrastructures. For example, in natural gas
distribution, they can monitor and control the pressure and flow of gas
through pipelines. In October 1997, the President's Commission on
Critical Infrastructure Protection emphasized the increasing
vulnerability of control systems to cyber attacks. The House Committee
on Government Reform and its Subcommittee on Technology, Information
Policy, Intergovernmental Relations and the Census asked GAO to report
on potential cyber vulnerabilities, focusing on (1) significant
cybersecurity risks associated with control systems, (2) potential and
reported cyber attacks against these systems, (3) key challenges to
securing control systems, and (4) efforts to strengthen the
cybersecurity of control systems.
What GAO Found:
In addition to general cyber threats, which have been steadily
increasing, several factors have contributed to the escalation of the
risks of cyber attacks against control systems. These include the
adoption of standardized technologies with known vulnerabilities and
the increased connectivity of control systems to other systems. Common
control system components are illustrated in the graphic below. Control
systems can be vulnerable to a variety of attacks, examples of which
have already occurred. Successful attacks on control systems could have
devastating consequences, such as endangering public health and
safety.
Securing control systems poses significant challenges, including
limited specialized security technologies and lack of economic
justification. The government, academia, and private industry have
initiated efforts to strengthen the cybersecurity of control systems.
The President's National Strategy to Secure Cyberspace establishes a
role for DHS to coordinate with these entities to improve the
cybersecurity of control systems. While some coordination is occurring,
DHS's coordination of these efforts could accelerate the development
and implementation of more secure systems. Without effective
coordination of these efforts, there is a risk of delaying the
development and implementation of more secure systems to manage our
critical infrastructures.
What GAO Recommends:
GAO recommends that the Secretary of the Department of Homeland
Security (DHS) develop and implement a strategy for coordinating with
the private sector and other government agencies to improve control
system security, including an approach for coordinating the various
ongoing efforts to secure control systems. DHS concurred with GAO's
recommendation.
www.gao.gov/cgi-bin/getrpt?GAO-04-354.
To view the full product, including the scope and methodology, click
on the link above. For more information, contact Robert F. Dacey at
(202) 512-3317 or daceyr@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
What Are Control Systems?
Control Systems Are at Increasing Risk:
Cyber Threats to Control Systems:
Securing Control Systems Poses Significant Challenges:
Efforts to Strengthen the Cybersecurity of Control Systems Under Way,
but Lack Adequate Coordination:
Conclusions:
Recommendation for Executive Action:
Agency Comments:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Initiatives to Address Cybersecurity Challenges of Control
Systems:
Department of Homeland Security:
Department of Defense:
Department of Energy:
Environmental Protection Agency:
Food and Drug Administration:
National Institute of Standards and Technology and National Security
Agency:
Technical Support Working Group:
National Science Foundation:
National Academies:
Interagency Working Group on Information Technology Research and
Development:
North American Electric Reliability Council:
Electric Power Research Institute:
International Council on Large Electric Systems:
The Oil Pipeline Industry:
Gas Technology Institute and American Gas Association:
Chemical Sector Cybersecurity Program:
Instrumentation Systems and Automation Society:
International Electrotechnical Commission:
Institute of Electrical and Electronics Engineers:
Partnership for Critical Infrastructure Security:
CERT/CC and KEMA Consulting:
Process Control Systems Cyber Security Forum:
Appendix III: Comments from the Department of Homeland Security:
Table:
Table 1: Threats to Critical Infrastructures Observed by the FBI:
Figures:
Figure 1: Security Vulnerabilities, 1995-2003:
Figure 2: Computer Security Incidents, 1995-2003:
Figure 3: Typical Components of a Control System:
Abbreviations:
AGA: American Gas Association:
ANL: Argonne National Laboratory:
CERT/CC: CERT® Coordination Center:
CIDX: Chemical Industry Data Exchange:
CIGRE: International Council on Large Electric Systems:
CIP: Critical Infrastructure Protection:
CIPAG: Critical Infrastructure Protection Advisory Group:
DCS: Distributed Control Systems:
DHS: Department of Homeland Security:
DOD: Department of Defense:
DOE: Department of Energy:
EPA: Environmental Protection Agency:
EPRI: Electric Power Research Institute:
FBI: Federal Bureau of Investigation:
FDA: Food and Drug Administration:
FERC: Federal Energy Regulatory Commission:
IAIP: Information Analysis and Infrastructure Protection:
IEC: International Electrotechnical Commission:
IEEE: Institute of Electrical and Electronics Engineers:
ISA: Instrumentation Systems and Automation Society:
ISAC: Information Sharing and Analysis Center:
IT: Information Technology:
IT R&D: Information Technology Research and Development:
JPO-STC: Joint Program Office for Special Technology Countermeasures:
NCSD: National Cyber Security Division:
NERC: North American Electric Reliability Council:
NIPC: National Infrastructure Protection Center:
NIST: National Institute of Standards and Technology:
NSA: National Security Agency:
NSF: National Science Foundation:
OEA: Office of Energy Assurance:
PCIS: Partnership for Critical Infrastructure Security:
PCSCS: Process Control Systems Cyber Security Forum:
PCSRF: Process Controls Security Requirements Forum:
PLC: Programmable Logic Controller:
PNNL: Pacific Northwest National Laboratory:
RAM-W: Risk Assessment Methodology-Water:
RTU: remote terminal unit:
SCADA: Supervisory Control and Data Acquisition:
S&T: Science and Technology Directorate:
TSWG: Technical Support Working Group:
United States General Accounting Office:
Washington, DC 20548:
March 15, 2004:
The Honorable Tom Davis:
Chairman, Committee on Government Reform:
House of Representatives:
The Honorable Adam Putnam:
Chairman, Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census:
Committee on Government Reform:
House of Representatives:
Control systems--which include supervisory control and data acquisition
(SCADA) systems and distributed control systems[Footnote 1]--perform
vital functions across many of our nation's critical infrastructures,
including electric power generation, transmission, and distribution;
oil and gas refining and pipelines; water treatment and distribution;
chemical production and processing; railroads and mass transit; and
manufacturing. In October 1997, the President's Commission on Critical
Infrastructure Protection highlighted the risk of cyber attacks as a
specific point of vulnerability in our critical infrastructures,
stating that "the widespread and increasing use of SCADA systems for
control of energy systems provides increasing ability to cause serious
damage and disruption by cyber means."
On October 1, 2003, we testified on the cybersecurity of control
systems before the Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census.[Footnote 2] Further, your
committee and subcommittee asked us to identify (1) significant
cybersecurity risks associated with control systems, (2) potential and
reported cyber attacks against these systems, (3) key challenges to
securing control systems, and (4) efforts to strengthen the
cybersecurity of control systems.
To address these objectives, we analyzed research studies and reports,
as well as prior GAO reports and testimonies on critical infrastructure
protection (CIP), information security, and national preparedness,
among others. We analyzed documents from and met with private-sector
and federal officials who had expertise in control systems and their
security. Our work was performed from July to December 2003, in
accordance with generally accepted government auditing standards.
Appendix I contains further details on our objectives, scope, and
methodology.
Results in Brief:
For several years, security risks have been reported in the control
systems on which many of the nation's critical infrastructures rely to
monitor and control sensitive processes and physical functions. In
addition to a steady increase in general cyber threats, several factors
have contributed to the escalation of risks specific to control
systems, including the (1) adoption of standardized technologies with
known vulnerabilities, (2) connectivity of control systems with other
networks, (3) insecure remote connections, and (4) widespread
availability of technical information about control systems.
Control systems can be vulnerable to a variety of types of cyber
attacks that could have devastating consequences--such as endangering
public health and safety; damaging the environment; or causing a loss
of production, generation, or distribution by public utilities. Control
systems have already been subject to a number of cyber attacks,
including attacks on a sewage treatment system in Australia in 2000
and, more recently, on a nuclear power plant in Ohio.
Securing control systems poses significant challenges. These include
the limitations of current security technologies in securing control
systems, the perception that securing control systems may not be
economically justifiable, and conflicting priorities within
organizations regarding the security of control systems.
Government, academia, and private industry have initiated several
efforts that are intended to improve the security of control systems.
These initiatives include efforts to promote the research and
development of new technologies, the development of requirements and
standards, an increased awareness and sharing of information, and the
implementation of effective security management programs. The
President's National Strategy to Secure Cyberspace establishes a role
for the Department of Homeland Security (DHS) to coordinate with the
private sector and other governments to improve the cybersecurity of
control systems. While some coordination is occurring, DHS's
coordination of these efforts could accelerate the development and
implementation of more secure systems. Without adequate coordination of
these efforts, there is a risk of delaying the development and
implementation of more secure systems to manage our critical
infrastructures.
We are recommending that the Secretary of DHS develop and implement a
strategy for coordinating with the private sector and other government
agencies to improve control system security, including developing an
approach for coordinating the various ongoing efforts to secure control
systems. This strategy should also be addressed in the comprehensive
national infrastructure plan that the department is tasked to complete
by December 2004.
In providing written comments on this draft report, DHS's
Undersecretary for the Information Analysis and Infrastructure
Protection Directorate concurred with our recommendation (see app.
III). DHS agreed that improving the security of control systems against
cyberattack is a high priority. We also received technical comments
from DHS that we have incorporated into the report, as appropriate.
Background:
Cyberspace Introduces Risks for Control Systems:
Dramatic increases in computer interconnectivity, especially in the use
of the Internet, continue to revolutionize the way our government, our
nation, and much of the world communicate and conduct business. The
benefits have been enormous. Vast amounts of information are now
literally at our fingertips, facilitating research on virtually every
topic imaginable; financial and other business transactions can be
executed almost instantaneously, often 24 hours a day, and electronic
mail, Internet Web sites, and computer bulletin boards allow us to
communicate quickly and easily with an unlimited number of individuals
and groups.
However, this widespread interconnectivity poses significant risks to
the government's and our nation's computer systems and, more important,
to the critical operations and infrastructures they support. For
example, telecommunications, power distribution systems, water
supplies, public health services, national defense (including the
military's warfighting capability), law enforcement, government
services, and emergency services all depend on the security of their
computer operations. If not properly controlled, the speed and
accessibility that create the enormous benefits of the computer age may
allow individuals and organizations to eavesdrop on or interfere with
these operations from remote locations for mischievous or malicious
purposes, including fraud or sabotage. Table 1 summarizes the key
threats to our nation's infrastructures, as observed by the Federal
Bureau of Investigation (FBI).
Table 1: Threats to Critical Infrastructures Observed by the FBI:
Threat: Criminal groups;
Description: There is an increased use of cyber intrusions by criminal
groups who attack systems for monetary gain.
Threat: Foreign intelligence services;
Description: Foreign intelligence services use cyber tools as part of
their information gathering and espionage activities.
Threat: Hackers;
Description: Hackers sometimes crack into networks for the thrill of
the challenge or for bragging rights in the hacker community. While
remote cracking once required a fair amount of skill or computer
knowledge, hackers can now download attack scripts and protocols from
the Internet and launch them against victim sites. Thus, while attack
tools have become more sophisticated, they have also become easier to
use.
Threat: Hacktivists;
Description: Hacktivism refers to politically motivated attacks on
publicly accessible Web pages or e-mail servers. These groups and
individuals overload e-mail servers and hack into Web sites to send a
political message.
Threat: Information warfare;
Description: Several nations are aggressively working to develop
information warfare doctrine, programs, and capabilities. Such
capabilities enable a single entity to have a significant and serious
impact by disrupting the supply, communications, and economic
infrastructures that support military power--impacts that, according to
the Director of Central Intelligence, can affect the daily lives of
Americans across the country.[A]
Threat: Insider threat;
Description: The disgruntled organization insider is a principal source
of computer crimes. Insiders may not need a great deal of knowledge
about computer intrusions because their knowledge of a victim system
often allows them to gain unrestricted access to cause damage to the
system or to steal system data. The insider threat also includes
outsourcing vendors.
Threat: Virus writers;
Description: Virus writers are posing an increasingly serious threat.
Several destructive computer viruses and "worms" have harmed files and
hard drives, including the Melissa macro virus, the Explore.Zip worm,
the CIH (Chernobyl) virus, Nimda, and Code Red.
Source: Federal Bureau of Investigation, unless otherwise indicated.
[A] Prepared statement of George J. Tenet, Director of Central
Intelligence, before the Senate Select Committee on Intelligence,
February 2, 2000.
[End of table]
Government officials remain concerned about attacks from individuals
and groups with malicious intent, such as crime, terrorism, foreign
intelligence gathering, and acts of war. According to the FBI,
terrorists, transnational criminals, and intelligence services are
quickly becoming aware of and using information exploitation tools such
as computer viruses, Trojan horses, worms, logic bombs, and
eavesdropping sniffers that can destroy, intercept, degrade the
integrity of, or deny access to data.[Footnote 3] In addition, the
disgruntled organization insider is a significant threat, because these
individuals often have knowledge about the organization and its system
that allows them to gain unrestricted access and inflict damage or
steal assets without knowing a great deal about computer intrusions. As
larger amounts of money and more sensitive economic and commercial
information are exchanged electronically, and as the nation's defense
and intelligence communities increasingly rely on standardized
information technology (IT), the likelihood increases that information
attacks will threaten vital national interests.
As the number of individuals with computer skills has increased, more
intrusion or "hacking" tools have become readily available and
relatively easy to use. A hacker can download tools from the Internet
and literally "point and click" to start an attack. Experts agree that
there has been a steady advance in the level of sophistication and
effectiveness of attack technology. Intruders quickly develop attacks
to exploit vulnerabilities that have been discovered in products, use
these attacks to compromise computers, and share them with other
attackers. In addition, they can combine these attacks with other forms
of technology to develop programs that automatically scan networks for
vulnerable systems, attack them, compromise them, and use them to
spread the attack even further.
From 1995 through 2003, the CERT® Coordination Center[Footnote 4]
(CERT/CC) reported 12,946 security vulnerabilities that resulted from
software flaws. Figure 1 illustrates the dramatic growth in security
vulnerabilities over these years. The growing number of known
vulnerabilities increases the potential for attacks by the hacker
community. Attacks can be launched against specific targets or widely
distributed through viruses and worms.
Figure 1: Security Vulnerabilities, 1995-2003:
[See PDF for image]
[End of figure]
Along with these increasing vulnerabilities, the number of computer
security incidents reported to CERT/CC has also risen dramatically--
from 9,859 in 1999 to 82,094 in 2002 and to 137,529 in 2003. And these
are only the reported attacks. The Director of the CERT Centers has
estimated that as much as 80 percent of actual security incidents goes
unreported, in most cases because (1) there were no indications of
penetration or attack, (2) the organization was unable to recognize
that its systems had been penetrated, or (3) the organization was
reluctant to report. Figure 2 shows the number of incidents that were
reported to the CERT/CC from 1995 through 2003.
Figure 2: Computer Security Incidents, 1995-2003:
[See PDF for image]
[End of figure]
According to the National Security Agency (NSA), foreign governments
already have or are developing computer attack capabilities, and
potential adversaries are developing a body of knowledge about U.S.
systems and methods to attack these systems. The National
Infrastructure Protection Center (NIPC) reported in January 2002 that a
computer belonging to an individual who had indirect links to Osama bin
Laden contained computer programs that indicated that the individual
was interested in the structural engineering of dams and other
water-retaining structures. The NIPC report also stated that U.S. law
enforcement and intelligence agencies had received indications that Al
Qaeda members had sought information about control systems from
multiple Web sites, specifically on water supply and wastewater
management practices in the United States and abroad.
Since the terrorist attacks of September 11, 2001, warnings of the
potential for terrorist cyber attacks against our critical
infrastructures have increased. For example, in his February 2002
statement for the Senate Select Committee on Intelligence, the Director
of Central Intelligence discussed the possibility of a cyber warfare
attack by terrorists.[Footnote 5] He stated that the September 11
attacks demonstrated the nation's dependence on critical infrastructure
systems that rely on electronic and computer networks. Further, he
noted that attacks of this nature would become an increasingly viable
option for terrorists as they and other foreign adversaries become more
familiar with these targets and the technologies required to attack
them. James Woolsey, a former Director of Central Intelligence, shares
this concern, and on October 29, 2003, in a speech before several
hundred security experts, he warned that the nation should be prepared
for continued terrorist attacks on our critical infrastructures.
Moreover, a group of concerned scientists warned President Bush in a
letter that "the critical infrastructure of the United States,
including electrical power, finance, telecommunications, health care,
transportation, water, defense and the Internet, is highly vulnerable
to cyber attack. Fast and resolute mitigating action is needed to avoid
national disaster." According to a study by a computer security
organization, during the second half of 2002, the highest rates of
global computer attacks were for those aimed at companies that provide
critical infrastructures such as power, energy, and financial
services.[Footnote 6] Further, a study that surveyed over 170 security
professionals and other executives concluded that, across industries,
respondents believe that a large-scale cyber attack in the United
States will be launched against their industry by mid-2006.
What Are Control Systems?
Control systems are computer-based systems that are used within many
infrastructures and industries to monitor and control sensitive
processes and physical functions. Typically, control systems collect
sensor measurements and operational data from the field, process and
display this information, and relay control commands to local or remote
equipment. In the electric power industry, control systems can manage
and control the generation, transmission, and distribution of electric
power--for example, by opening and closing circuit breakers and setting
thresholds for preventive shutdowns. Employing integrated control
systems, the oil and gas industry can control the refining operations
at a plant site, remotely monitor the pressure and flow of gas
pipelines, and control the flow and pathways of gas transmission. Water
utilities can remotely monitor well levels and control the wells'
pumps; monitor flows, tank levels, or pressure in storage tanks;
monitor water quality characteristics--such as pH, turbidity, and
chlorine residual; and control the addition of chemicals. Control
systems also are used in manufacturing and chemical processing. Control
systems perform functions that vary from simple to complex; they can be
used simply to monitor processes--for example, the environmental
conditions in a small office building--or to manage most activities in
a municipal water system or even a nuclear power plant.
In certain industries, such as chemical and power generation, safety
systems are typically implemented in order to mitigate a potentially
disastrous event if control and other systems should fail. In addition,
to guard against both physical attack and system failure, organizations
may establish backup control centers that include uninterruptible power
supplies and backup generators.
There are two primary types of control systems. Distributed Control
Systems (DCS) typically are used within a single processing or
generating plant or over a small geographic area. Supervisory Control
and Data Acquisition (SCADA) systems typically are used for large,
geographically dispersed distribution operations. For example, a
utility company may use a DCS to generate power and a SCADA system to
distribute it. Figure 3 illustrates the typical components of a control
system.
Figure 3: Typical Components of a Control System:
[See PDF for image]
Note: Remote/local stations can include one or more interfaces to allow
field operators to perform diagnostic and maintenance operations.
Sensors can measure level, pressure, flow, current, voltages, etc.,
depending on the infrastructure. Control equipment can be valves,
pumps, relays, circuit breakers, etc., also depending on the
infrastructure.
[End of figure]
A control system typically is made up of a "master" or central
supervisory control and monitoring station consisting of one or more
human-machine interfaces where an operator can view status information
about the remote/local sites and issue commands directly to the system.
Typically, this station is located at a main site, along with
application servers and an engineering workstation that is used to
configure and troubleshoot the other components of the control system.
The supervisory control and monitoring station typically is connected
to local controller stations through a hard-wired network or to a
remote controller station through a communications network--which could
be the Internet, a public switched telephone network, or a cable or
wireless (e.g., radio, microwave, or Wi-Fi[Footnote 7]) network. Each
controller station has a remote terminal unit (RTU), a programmable
logic controller (PLC), or some other controller that communicates with
the supervisory control and monitoring station.
The control system also includes sensors and control equipment that
connect directly with the working components of the infrastructure--for
example, pipelines, water towers, or power lines. The sensor takes
readings from the infrastructure equipment--such as water or pressure
levels, electrical voltage or current--and sends a message to the
controller. The controller may be programmed to determine a course of
action and send a message to the control equipment instructing it what
to do--for example, to turn off a valve or dispense a chemical. If the
controller is not programmed to determine a course of action, the
controller communicates with the supervisory control and monitoring
station and relays instructions back to the control equipment. The
control system also can be programmed to issue alarms to the operator
when certain conditions are detected. Handheld devices, such as
personal digital assistants, can be used to locally monitor controller
stations. Experts report that technologies in controller stations are
becoming more intelligent and automated and are able to communicate
with the supervisory central monitoring and control station less
frequently, thus requiring less human intervention.
Control Systems Are at Increasing Risk:
Historically, security concerns about control systems were related
primarily to protecting them against physical attack and preventing the
misuse of refining and processing sites or distribution and holding
facilities. However, more recently, there has been a growing
recognition that control systems are now vulnerable to cyber attacks
from numerous sources, including hostile governments, terrorist groups,
disgruntled employees, and other malicious intruders.
In October 1997, the President's Commission on Critical Infrastructure
Protection discussed the potential damaging effects on the electric
power and oil and gas industries of successful attacks on control
systems.[Footnote 8] Moreover, in 2002, the National Research Council
identified "the potential for attack on control systems" as requiring
"urgent attention."[Footnote 9] In the first half of that year,
security experts reported that 70 percent of energy and power companies
experienced at least one severe cyber attack. In February 2003, the
President clearly demonstrated concern about "the threat of organized
cyber attacks capable of causing debilitating disruption to our
Nation's critical infrastructures, economy, or national security,"
noting that "disruption of these systems can have significant
consequences for public health and safety" and emphasizing that the
protection of control systems has become "a national
priority."[Footnote 10]
Several factors have contributed to the escalation of risk to control
systems, including (1) the adoption of standardized technologies with
known vulnerabilities, (2) the connectivity of control systems to other
networks, (3) insecure remote connections, and (4) the widespread
availability of technical information about control systems.
Control Systems Are Adopting Standardized Technologies with Known
Vulnerabilities:
In the past, proprietary hardware, software, and network protocols made
it difficult to understand how control systems operated--and therefore
how to hack into them. Today, however, to reduce costs and improve
performance, organizations have been transitioning from proprietary
systems to less expensive, standardized technologies such as
Microsoft's Windows, Unix-like operating systems, and the common
networking protocols used by the Internet. These widely used,
standardized technologies have commonly known vulnerabilities, and
sophisticated and effective exploitation tools are widely available and
relatively easy to use. As a consequence, both the number of people
with the knowledge to wage attacks and the number of systems subject to
attack have increased. Also, common communication protocols and the
emerging use of extensible markup language (commonly referred to as
XML) can make it easier for a hacker to interpret the content of
communications among the components of a control system.
Control Systems Are Connected to Other Networks:
Enterprises often integrate their control systems with their enterprise
networks. This increased connectivity has significant advantages,
including providing decision makers with access to real-time
information and allowing engineers to monitor and control the process
control system from different points on the enterprise network. In
addition, the enterprise networks are often connected to the networks
of strategic partners and to the Internet. Furthermore, control systems
are increasingly using wide area networks and the Internet to transmit
data to their remote or local stations and individual devices. This
convergence of control networks with public and enterprise networks
potentially creates further security vulnerabilities in control
systems. Unless appropriate security controls are deployed in both the
enterprise network and the control system network, breaches in
enterprise security can affect the operation of control systems.
Insecure Connections Exacerbate Vulnerabilities:
Vulnerabilities in control systems are exacerbated by insecure
connections. Organizations often leave access links--such as dial-up
modems to equipment and control information--open for remote
diagnostics, maintenance, and examination of system status. If such
links are not protected with authentication or encryption, the risk
increases that hackers could use these insecure connections to break
into remotely controlled systems. Also, control systems often use
wireless communications systems, which are especially vulnerable to
attack, or leased lines that pass through commercial telecommunications
facilities. Without encryption to protect data as it flows through
these insecure connections or authentication mechanisms to limit
access, there is little to protect the integrity of the information
being transmitted.
Information about Infrastructures and Control Systems Is Publicly
Available:
Public information about infrastructures and control systems is readily
available to potential hackers and intruders. The availability of this
infrastructure and vulnerability data was demonstrated last year by a
George Mason University graduate student who, in his dissertation,
reportedly mapped every business and industrial sector in the American
economy to the fiber-optic network that connects them, using material
that was available publicly on the Internet--and not classified.
In the electric power industry, open sources of information--such as
product data and educational videotapes from engineering associations--
can be used to understand the basics of the electrical grid. Other
publicly available information--including filings of the Federal Energy
Regulatory Commission (FERC), industry publications, maps, and material
available on the Internet--is sufficient to allow someone to identify
the most heavily loaded transmission lines and the most critical
substations in the power grid. Many of the electric utility officials
who were interviewed for the National Security Telecommunications
Advisory Committee's Information Assurance Task Force's Electric Power
Risk Assessment expressed concern over the amount of information about
their infrastructure that is readily available to the public.
In addition, significant information on control systems is publicly
available--including design and maintenance documents, technical
standards for the interconnection of control systems and RTUs, and
standards for communication among control devices--all of which could
assist hackers in understanding the systems and how to attack them.
Moreover, there are numerous former employees, vendors, support
contractors, and other end users of the same equipment worldwide who
have inside knowledge about the operation of control systems.
Security experts have stated that an individual with very little
knowledge of control systems could gain unauthorized access to a
control system with the use of a port scanning tool and a factory
manual that can be easily found on the Internet and that contains the
system's default password. As noted in the following discussion, many
times these default passwords are never changed.
Cyber Threats to Control Systems:
There is a general consensus--and increasing concern--among government
officials and experts on control systems about potential cyber threats
to the control systems that govern our critical infrastructures. As
components of control systems increasingly make vital decisions that
were once made by humans, the potential effect of a cyber attack
becomes more devastating. Cyber threats could come from numerous
sources ranging from hostile governments and terrorist groups to
disgruntled employees and other malicious intruders. Based on
interviews and discussions with representatives from throughout the
electric power industry, the Information Assurance Task Force of the
National Security Telecommunications Advisory Committee concluded that
an organization with sufficient resources, such as a foreign
intelligence service or a well-supported terrorist group, could conduct
a structured attack on the electric power grid electronically, with a
high degree of anonymity, and without having to set foot in the target
nation.
In July 2002, NIPC reported that the potential for compound cyber and
physical attacks, referred to as "swarming attacks," is an emerging
threat to the critical infrastructure of the United States. As NIPC
reports, the effects of a swarming attack include slowing or
complicating the response to a physical attack. For instance, a cyber
attack that disabled the water supply or the electrical system, in
conjunction with a physical attack, could deny emergency services the
necessary resources to manage the consequences of the physical attack--
such as controlling fires, coordinating response, and generating
light.
According to the National Institute of Standards and Technology (NIST),
cyber attacks on energy production and distribution systems--including
electric, oil, gas, and water treatment, as well as on chemical plants
containing potentially hazardous substances--could endanger public
health and safety, damage the environment, and have serious financial
implications such as loss of production, generation, or distribution by
public utilities; compromise of proprietary information; or liability
issues. When backups for damaged components are not readily available
(e.g., extra-high-voltage transformers for the electric power grid),
such damage could have a long-lasting effect.
Control Systems Can Be Vulnerable to Cyber Attacks:
Entities or individuals with malicious intent might take one or more of
the following actions to successfully attack control systems:
* disrupt the operation of control systems by delaying or blocking the
flow of information through control networks, thereby denying
availability of the networks to control system operators;
* make unauthorized changes to programmed instructions in PLCs, RTUs,
or DCS controllers, change alarm thresholds, or issue unauthorized
commands to control equipment, which could potentially result in damage
to equipment (if tolerances are exceeded), premature shutdown of
processes (such as prematurely shutting down transmission lines), or
even disabling control equipment;
* send false information to control system operators either to disguise
unauthorized changes or to initiate inappropriate actions by system
operators;
* modify the control system software, producing unpredictable results;
and
* interfere with the operation of safety systems.
In addition, in control systems that cover a wide geographic area, the
remote sites often are not staffed and may not be physically monitored.
If such remote systems are physically breached, attackers could
establish a cyber connection to the control network.
Department of Energy (DOE) and industry researchers have speculated on
how the following potential attack scenario could affect control
systems in the electricity sector. Using war dialers[Footnote 11] to
find modems connected to the programmable circuit breakers of the
electric power control system, hackers could crack passwords that
control access to the circuit breakers and could change the control
settings to cause local power outages and even damage equipment. A
hacker could lower settings from, for example, 500 amperes[Footnote 12]
to 200 on some circuit breakers; normal power usage would then
activate, or "trip," the circuit breakers, taking those lines out of
service and diverting power to neighboring lines. If, at the same time,
the hacker raised the settings on these neighboring lines to 900
amperes, circuit breakers would fail to trip at these high settings,
and the diverted power would overload the lines and cause significant
damage to transformers and other critical equipment. The damaged
equipment would require major repairs that could result in lengthy
outages.
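The scenario above depends on two coordinated setting changes: trip settings lowered on some lines and raised on the neighboring lines that absorb the diverted power. The following is an added defensive example, not part of the GAO report: it compares polled breaker trip settings against an approved baseline and flags that combined pattern. The line names, topology, and 10 percent tolerance are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data (assumptions, not from the report): approved trip
# settings in amperes, and which lines pick up load when a given line trips.
BASELINE: Dict[str, int] = {"line_a": 500, "line_b": 500, "line_c": 500}
NEIGHBORS: Dict[str, List[str]] = {
    "line_a": ["line_b"],
    "line_b": ["line_a", "line_c"],
    "line_c": ["line_b"],
}
TOLERANCE = 0.10  # assumed allowed deviation from the approved setting


@dataclass(frozen=True)
class Finding:
    line: str
    kind: str  # "lowered", "raised", or "missing"
    approved: int
    observed: Optional[int]


def audit_settings(observed: Dict[str, int],
                   baseline: Dict[str, int] = BASELINE,
                   tolerance: float = TOLERANCE) -> List[Finding]:
    """Return one finding per breaker whose setting is outside the band."""
    findings: List[Finding] = []
    for line in sorted(baseline):
        approved = baseline[line]
        value = observed.get(line)
        if value is None:
            # A breaker that did not report is itself worth investigating.
            findings.append(Finding(line, "missing", approved, None))
        elif value < approved * (1 - tolerance):
            # Too low: normal load would trip the breaker.
            findings.append(Finding(line, "lowered", approved, value))
        elif value > approved * (1 + tolerance):
            # Too high: the breaker would not trip under overload.
            findings.append(Finding(line, "raised", approved, value))
    return findings


def correlated_pairs(findings: List[Finding],
                     neighbors: Dict[str, List[str]] = NEIGHBORS
                     ) -> List[Tuple[str, str]]:
    """Pair each lowered line with any neighboring line that was raised.

    A pair means a line set to trip early sits next to a line set not to
    trip, which is the combination the scenario describes.
    """
    lowered = {f.line for f in findings if f.kind == "lowered"}
    raised = {f.line for f in findings if f.kind == "raised"}
    return sorted(
        (low, high)
        for low in lowered
        for high in neighbors.get(low, ())
        if high in raised
    )


if __name__ == "__main__":
    # Constructed poll result using the values from the scenario above.
    polled = {"line_a": 200, "line_b": 900, "line_c": 500}
    results = audit_settings(polled)
    for f in results:
        print(f"{f.line}: {f.kind} (approved {f.approved} A, observed {f.observed} A)")
    for low, high in correlated_pairs(results):
        print(f"ALERT: {low} lowered while neighboring {high} raised")
```

A single out-of-band setting may be a maintenance error; the paired finding is the one that warrants immediate escalation.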
Control system researchers at DOE's national laboratories have
developed systems that demonstrate the feasibility of a cyber attack on
a control system at an electric power substation where high-voltage
electricity is transformed for local use. Using tools that are readily
available on the Internet, they are able to modify output data from
field sensors and take control of the PLC directly in order to change
settings and create new output. These techniques could enable a hacker
to cause an outage, thus incapacitating the substation.
Experts in the water industry consider control systems to be among the
primary vulnerabilities of drinking water systems. A technologist from
the water distribution sector has demonstrated how an intruder could
hack into the communications channel between the control center of a
water distribution pump station and its remote units, located at water
storage and pumping facilities, to either block messages or send false
commands to the remote units. Moreover, experts are concerned that
terrorists could, for example, trigger a cyber attack to release
harmful amounts of water treatment chemicals, such as chlorine, into
the public's drinking water.
Cyber Attacks on Control Systems Have Been Reported:
Experts in control systems have verified numerous incidents that have
affected control systems. Reported attacks include the following:
* In 1994, the computer system of the Salt River Project, a major water
and electricity provider in Phoenix, Arizona, was breached.
* In March 1997, a teenager in Worcester, Massachusetts, remotely
disabled part of the public switching network, disrupting telephone
service for 600 residents and the fire department and causing a
malfunction at the local airport.
* In the spring of 2000, a former employee of an Australian company
that develops manufacturing software applied for a job with the local
government, but was rejected. Over a 2-month period, the disgruntled
rejected employee reportedly used a radio transmitter on as many as 46
occasions to remotely hack into the controls of a sewage treatment
system and ultimately release about 264,000 gallons of raw sewage into
nearby rivers and parks.
* In the spring of 2001, hackers mounted an attack on systems that were
part of a development network at the California Independent System
Operator, a facility that is integral to the movement of electricity
throughout the state.
* In August 2003, the Nuclear Regulatory Commission confirmed that in
January 2003, the Microsoft SQL Server worm--otherwise known as
Slammer--infected a private computer network at the Davis-Besse nuclear
power plant in Oak Harbor, Ohio, disabling a safety monitoring system
for nearly 5 hours. In addition, the plant's process computer failed,
and it took about 6 hours for it to become available again. Slammer
reportedly also affected communications on the control networks of at
least five other utilities by propagating so quickly that control
system traffic was blocked.
In addition, in 1997, the Department of Defense (DOD) undertook the
first systematic exercise to determine the nation's and DOD's
vulnerability to cyberwar. During a 2-week military exercise known as
Eligible Receiver, staff from NSA used widely available tools to show
how to penetrate the control systems that are associated with providers
of electric power to DOD installations. Other assessments of control
systems at DOD installations have demonstrated vulnerabilities and
identified risks in the installations' network and operations.
Securing Control Systems Poses Significant Challenges:
The control systems community faces several challenges to securing
control systems against cyber threats. These challenges include (1) the
limitations of current security technologies in securing control
systems, (2) the perception that securing control systems may not be
economically justifiable, and (3) the conflicting priorities within
organizations regarding the security of control systems.
Lack of Specialized Security Technologies for Control Systems:
According to industry experts, existing security technologies, as well
as strong user authentication and patch management practices, are
generally not implemented in control systems because control systems
usually have limited processing capabilities, operate in real time, and
are typically not designed with cybersecurity in mind.
Existing security technologies such as authorization, authentication,
encryption, intrusion detection, and filtering of network traffic and
communications, require more bandwidth, processing power, and memory
than control system components typically have. Controller stations are
generally designed to do specific tasks, and they often use low-cost,
resource-constrained microprocessors. In fact, some control system
devices still use the Intel 8088 processor, which was introduced in
1978. Consequently, it is difficult to install current security
technologies without seriously degrading the performance of the control
system.
For example, complex passwords and other strong password practices are
not always used to prevent unauthorized access to control systems, in
part because this could hinder a rapid response to safety procedures
during an emergency. As a result, according to experts, weak passwords
that are easy to guess, shared, and infrequently changed are reportedly
common in control systems, including the use of default passwords or
even no password at all.
In addition, although modern control systems are based on standard
operating systems, they are typically customized to support control
system applications. Consequently, vendor-provided software patches
may be either incompatible with the customized version of the operating
system or difficult to implement without compromising service by
shutting down "always-on" systems or affecting interdependent
operations. Another constraint on deploying patches is that support
agreements with control system vendors often require the vendor's
approval before the user can install patches. If a patch is installed
in violation of the support agreement, the vendor will not take
responsibility for potential impacts on the operations of the system.
Moreover, because a control system vendor often requires that it be the
sole provider of patches, if the vendor delays in providing patches,
systems remain vulnerable without recourse.
Information security organizations have noted that a gap exists between
currently available security technologies and the need for additional
research and development to secure control systems. Research and
development in a wide range of areas could lead to more effective
technologies. For example, although technologies such as robust
firewalls and strong authentication can be employed to better segment
control systems from external networks, research and development could
help to address the application of security technologies to the control
systems themselves. Other areas that have been noted for possible
research and development include identifying the types of security
technologies needed for different control system applications,
determining acceptable performance trade-offs, and recognizing attack
patterns for use in intrusion detection systems.
Industry experts have identified challenges in migrating system
components to newer technologies while maintaining uninterrupted
operations. Upgrading all the components of a control system can be a
lengthy process, and the enhanced security features of newly installed
technologies--such as their ability to interpret encrypted messages--
may not be able to be fully utilized until all devices in the system
have been replaced and the upgrade is complete.
Securing Control Systems May Not Be Perceived as Economically
Justifiable:
Experts and industry representatives have indicated that organizations
may be reluctant to spend more money to secure control systems.
Hardening the security of control systems would require industries to
expend more resources, including acquiring more personnel, providing
training for personnel, and potentially prematurely replacing current
systems, which typically have a lifespan of about 20 years.
Several vendors suggested that since there have been no reports of
significant disruptions caused by cyber attacks on U.S. control
systems, industry representatives believe the threat of such an attack
is low. While incidents have occurred, to date there is no formalized
process for collecting and analyzing information about control systems
incidents, thus further contributing to the skepticism of control
systems vendors. We have previously recommended that the government
work with the private sector to improve the quality and quantity of
information being shared among industries and government about attacks
on the nation's critical infrastructures.[Footnote 13] As we discuss in
appendix II, establishing such a process is currently under study.
Until industry users of control systems have a business case to justify
why additional security is needed, there may be little market incentive
for the private sector to develop and implement more secure control
systems. We have previously reported that consideration of further
federal government efforts is needed to provide appropriate incentives
for nonfederal entities to enhance their efforts to implement CIP--
including protection of control systems. Without appropriate
consideration of public policy tools, such as regulation, grants, and
tax incentives, private-sector participation in sector-related CIP
efforts may not reach its full potential.[Footnote 14]
Organizational Priorities Conflict:
Finally, several experts and industry representatives indicated that
the responsibility for securing control systems typically includes two
separate groups: (1) IT security personnel and (2) control system
engineers and operators. IT security personnel tend to focus on
securing enterprise systems, while control system engineers and
operators tend to be more concerned with the reliable performance of
their control systems. These experts indicate that, as a result, those
two groups do not always fully understand each other's requirements and
so may not collaborate to implement secure control systems.
These conflicting priorities may perpetuate a lack of awareness of IT
security strategies that could be deployed to mitigate the
vulnerabilities of control systems without affecting their performance.
Although research and development will be necessary to develop
technologies to secure individual control system devices, existing IT
security technologies and approaches could be implemented as part of a
secure enterprise architecture to protect the perimeters of, and access
to, control system networks. Existing IT security technologies include
firewalls, intrusion-detection systems, encryption, authentication,
and authorization. IT security approaches include segmenting control
system networks and testing continuity plans to ensure safe and
continued operation.
To reduce the vulnerabilities of its control system, officials from one
company formed a team composed of IT staff, process control engineers,
and manufacturing employees. This team worked collaboratively to
research vulnerabilities and to test fixes and workarounds.
Efforts to Strengthen the Cybersecurity of Control Systems Under Way,
but Lack Adequate Coordination:
Government, academia, and private industry have independently initiated
multiple efforts and programs focused on some of the key areas that
should be addressed to strengthen the cybersecurity of control systems.
Appendix II describes initiatives to secure control systems in greater
detail. These key areas--and illustrative examples of ongoing efforts
in these areas--include the following:
* Research and development of new security technologies to protect
control systems. Both federal and nonfederal entities have initiated
efforts to develop encryption methods for securing communications on
control system networks and field devices. Moreover, DOE is planning to
establish a National SCADA Test Bed to test control system
vulnerabilities.
* Development of requirements and standards for control system
security. Several entities are working to develop standards that
increase the security of control systems. The Process Controls Security
Requirements Forum (PCSRF), established by NIST and NSA, is working to
define a common set of information security requirements for control
systems. In addition, the North American Electric Reliability Council
(NERC) is preparing to draft a standard that will include security
requirements for control systems.
* Increased awareness of security and sharing of information about the
implementation of more secure architectures and existing security
technologies. To promote awareness of control system vulnerabilities,
DOE has created security programs, trained teams to conduct security
reviews, and developed cybersecurity courses. The Instrumentation
Systems and Automation Society (ISA) has reported on the known state of
the art of cybersecurity technologies as they are applied to the
control systems environment, to clearly define what technologies can
currently be deployed.
* Implementation of effective security management programs, including
policies and guidance that consider control system security. Both
federal and nonfederal entities have developed guidance to mitigate the
security vulnerabilities of control systems. DOE's 21 Steps to Improve
Cyber Security of SCADA Networks provides guidance for improving the
security of control systems and establishing underlying management
processes and policies to help organizations improve the security of
control system networks.
In previous reports, we have recommended the development of a
comprehensive and coordinated national plan to facilitate the federal
government's CIP efforts. This plan should clearly delineate the roles
and responsibilities of federal and nonfederal CIP entities, define
interim objectives and milestones, set time frames for achieving
objectives, and establish performance measures.
The President in his homeland security strategies and Congress in
enacting the Homeland Security Act designated DHS as responsible for
developing a comprehensive national infrastructure plan. The plan is
expected to inform DHS on budgeting and planning for CIP activities and
on how to use policy instruments to coordinate among government and
private entities to raise the security of our national infrastructures
to appropriate levels. According to Homeland Security Presidential
Directive 7 (HSPD 7), issued December 17, 2003, DHS is to develop this
formalized plan by December 2004.
In February 2003, the President's National Strategy to Secure
Cyberspace established a role for DHS to coordinate with other
government agencies and the private sector to improve the cybersecurity
of control systems. DHS's recommended role includes:
* ensuring that there is broad awareness of the vulnerabilities in
control systems and the consequences of exploiting these
vulnerabilities,
* developing best practices and new technologies to strengthen the
security of control systems, and
* identifying the nation's most critical control system sites and
developing a prioritized plan for ensuring cyber security at those
sites.
In addition, the President's strategy recommends that DHS work with the
private sector to promote voluntary standards efforts and the creation
of security policy for control systems.
DHS recently began to focus on the range of activities that are under
way among the numerous entities that are working to address these
areas. In October 2003, DHS's Science and Technology Directorate
initiated a study to determine the current state of security of control
systems. In December 2003, DHS established the Control Systems Section
within the Protective Security Division of its Information Analysis and
Infrastructure Protection (IAIP) Directorate. The objectives of this
section are to identify computer-controlled systems that are vital to
infrastructure functions, evaluate the potential threats to these
systems, and develop strategies that mitigate the consequences of
attacks. In addition, IAIP's National Cyber Security Division (NCSD) is
currently planning to develop a methodology for conducting cyber
assessments across all critical infrastructures, including control
systems. The objectives of this effort include defining specific goals
for the assessments and, based on their results, developing sector-specific
recommendations to mitigate vulnerabilities. They also plan to
examine processes, technology, and available policy, procedures, and
guidance. Because these efforts have only recently been initiated, DHS
has not yet developed a strategy for implementing the functions
mentioned above.
As previously discussed, many government and nongovernment entities are
spearheading various initiatives to address the challenge of
implementing cybersecurity for the vital systems that operate our
nation's critical infrastructures. While some coordination is
occurring, both federal and nonfederal control systems experts have
expressed their concern that these efforts are not being adequately
coordinated among government agencies, the private sector, and
standards-setting bodies. DHS's coordination of these efforts could
accelerate the development and implementation of more secure systems to
manage our critical infrastructures. In contrast, insufficient
coordination could contribute to:
* delays in the general acceptance of security requirements and the
adoption of successful practices for control systems,
* failure to address gaps in the research and development of
technologies to better secure control systems,
* impediments to standards-creating efforts across industries that
could lead to less expensive technological solutions, and
* reduced opportunities for efficiency that could be gained by
leveraging ongoing work.
Conclusions:
The systems that monitor and control the sensitive processes and
physical functions of the nation's critical infrastructures are at
increasing risk from threats of cyber attacks. Securing these systems
poses significant challenges. Numerous federal agencies, critical
infrastructure sectors, and standards-creating bodies are leading
various initiatives to address these challenges. While some
coordination is occurring, the cybersecurity of our critical
infrastructures' control systems could benefit from greater
collaboration among all entities. DHS's implementation of its
responsibilities outlined in the National Strategy to Secure Cyberspace
as well as the coordination of ongoing efforts among the government,
industries, and standards-creating bodies could accelerate progress in
securing these critical systems.
Recommendation for Executive Action:
We recommend that the Secretary of the Department of Homeland Security
develop and implement a strategy for coordinating with the private
sector and other government agencies to improve control system
security, including an approach for coordinating the various ongoing
efforts to secure control systems. This strategy should also be
addressed in the comprehensive national infrastructure plan that the
department is tasked to complete by December 2004.
Agency Comments:
DHS's Under Secretary for IAIP transmitted the department's written
comments on a draft of this report (see app. III). In his written
comments, the Under Secretary concurred with our recommendation and
stated that DHS agrees that improving the security of control systems
against cyberattack is a high priority. He stated that DHS has engaged
with the private sector, academia, and other government entities on
this matter as required by HSPD 7. The Under Secretary further noted
that DHS is utilizing IAIP's Protective Services Division and NCSD
collectively to address both the physical and cyber aspects of control
systems security. We also received technical comments from DHS that we
have incorporated into the report, as appropriate.
As agreed with your staff, unless you publicly announce the contents of
this report earlier, we plan no further distribution of it until 30
days from the date of this report. At that time, we will send copies of
this report to other interested congressional committees and the heads
of the agencies discussed in this report, as well as to the private-sector
participants and other relevant agencies. We will also make
copies available to others upon request. In addition, the report will
be available at no charge on the GAO Web site at http://www.gao.gov.
Should you or your offices have questions on matters discussed in this
report, please contact me at (202) 512-3317 or Elizabeth Johnston,
Assistant Director, at (202) 512-6345. We can also be reached by e-mail
at daceyr@gao.gov or johnstone@gao.gov, respectively. Key contributors
to this report were Shannin Addison, Joanne Fiorino, Alison Jacobs, and
Tracy Pierson.
Signed by:
Robert F. Dacey
Director, Information Security Issues
[End of section]
Appendix I: Objectives, Scope, and Methodology:
Our objectives were to assess (1) the significant cybersecurity risks
associated with control systems, (2) potential and reported cyber
attacks against these systems, (3) key challenges to securing control
systems, and (4) efforts to strengthen the cybersecurity of control
systems.
We analyzed research studies and reports as well as prior GAO reports
and testimonies on critical infrastructure protection (CIP), information
security, and national preparedness, among others, to obtain
information regarding the risks and vulnerabilities of control systems.
We analyzed documents from and met with manufacturers, users, and
federal officials with expertise in control systems and their security
to identify the challenges to securing control systems. Finally, we
analyzed documents from and met with representatives from control
systems manufacturing companies, industry users, and federal officials
from the Departments of Homeland Security, Defense, and Energy, to
identify ongoing initiatives to strengthen the security of control
systems. We also reviewed and analyzed technical reports by standards
groups to assess the status of efforts to develop guidance and
standards for securing control systems.
Our work was conducted from July 2003 to December 2003, in accordance
with generally accepted government auditing standards.
[End of section]
Appendix II: Initiatives to Address Cybersecurity Challenges of
Control Systems:
Following are key initiatives that are aimed at strengthening the
security of control systems. They are led by government, academia, and
private industry:
Department of Homeland Security:
The Department of Homeland Security (DHS) has created a National Cyber
Security Division (NCSD) within its Information Analysis and
Infrastructure Protection (IAIP) Directorate to identify, analyze, and
reduce cyber threats and vulnerabilities; disseminate threat warning
information; coordinate incident response; and provide technical
assistance in continuity of operations and recovery planning. IAIP
coordinates the federal government's initiatives on critical
infrastructure assurance and promotes national outreach and awareness
campaigns about CIP. On the basis of work conducted by the U.S.-Canada
Power Outage Task Force, NCSD is currently in the process of creating a
series of recommended preventive measures to better secure the control
systems that manage North America's electric power grid.
In October 2003, DHS's Science and Technology Directorate (S&T)
initiated a study of the nation's critical infrastructures to determine
which sectors use control systems, what cybersecurity risks they face,
and which industry players are focusing on mitigating these risks. The
study, which focuses on control system security, will reach out to two
or three representatives from each sector in an attempt to determine
what items to include in DHS S&T's research agenda. In addition, S&T
recently issued a solicitation to small businesses seeking research
proposals for projects focusing on securing control systems. The
objectives of this program will be to (1) develop a concept and formal
design to better protect SCADA systems by reducing their
vulnerabilities to cyber and physical attacks across industry sectors,
(2) test the design, and (3) refine the design and perform
qualification tests to validate the design and its performance.
In December 2003, DHS established the Control Systems Section within
the Protective Security Division of its IAIP Directorate. The
objectives of this section are to identify computer-controlled systems
that are vital to critical infrastructure functions, evaluate the
potential threats to these systems, and develop strategies that can
mitigate the consequences of attacks.
IAIP's NCSD is currently planning to develop a methodology for
conducting cyber assessments across all critical infrastructures,
including control systems. The objectives of this effort include
defining specific goals for the assessments and, based on results,
developing sector-specific recommendations to mitigate
vulnerabilities. NCSD also plans to examine processes, technology, and
available policy, procedures, and guidance. NCSD has identified a
number of its additional efforts, including recently hiring personnel
with expertise in control systems.
Department of Defense:
The Department of Defense's (DOD) Joint Program Office for Special
Technology Countermeasures (JPO-STC) has performed vulnerability
assessments on control systems, including the areas of awareness,
integration, physical testing, analytic testing, and analysis. JPO-STC
coordinates its assessments with those performed by the U.S. Army's
First Information Operations Command. The Army's assessments are
conducted as part of installation assessments to (1) analyze potential
risks to the installation network from SCADA infrastructures and (2)
assess the vulnerabilities of SCADA systems that could negatively
affect installation operations.
Department of Energy:
Under the sponsorship of the Department of Energy's (DOE) Office of
Energy Assurance (OEA), the National Laboratories have conducted
studies of the vulnerabilities of the control systems that are used in
the nation's critical infrastructures, and they have developed guidance
to help mitigate some of these vulnerabilities. In September 2002, DOE
and the President's Critical Infrastructure Protection Board released
21 Steps to Improve Cyber Security of SCADA Networks. These steps
provide guidance for improving the security of control systems and
establishing underlying management processes and policies to help
organizations improve the security of their control networks. Moreover,
OEA is creating the DOE Critical Infrastructure Security Standards
Working Group to accelerate the implementation and quality of security
standards for those systems that control the energy infrastructure.
This working group is also charged with the responsibility of
facilitating, coordinating, leveraging, influencing, and leading
industrial and government standards-setting activities. We describe in
the next section the specific activities related to securing control
systems that DOE sponsors at the National Laboratories.
Idaho National Engineering and Environmental Laboratory, Sandia
National Laboratories, and National Energy Technology Laboratory:
Plans are under way to establish the National SCADA Test Bed, which
will be used to facilitate research by testing control system
vulnerabilities and proposed hardware and software security features.
By teaming with industry, the test bed is expected to become a
full-scale infrastructure testing facility for control systems that will
allow for testing and validating industry products including computer
controls, communications, and field systems; developing new tools to
determine the vulnerabilities of control systems; and testing new
standards and protocols. Initially focused on the electricity sector,
the test bed will now also include the oil and natural gas pipelines
sectors. There are plans to include other federal agencies in test bed
activities in the future. Funding constraints have delayed the
implementation of the initial phases of the plans.
Pacific Northwest National Laboratory:
According to DOE, the Pacific Northwest National Laboratory (PNNL) has
been integrally involved since 1994 in DOE activities that are
associated with CIP--including leading an Electric Power Research
Institute research project to characterize the cybersecurity of
electric utility systems; providing technical input to the President's
Commission on Critical Infrastructure Protection in 1996; starting a
multilaboratory vulnerability assessment program in 1997; and
participating on the DOE Critical Infrastructure Protection Task Force
in 1998. These efforts draw from expertise working with the electric
utility industry, which was later embodied in the formation of the
North American Electric Reliability Council (NERC) Critical
Infrastructure Protection Forum in 2000. PNNL supports a variety of
clients that are involved in the security of control systems.
Sandia National Laboratories:
For the last six years, Sandia has been involved in various activities
to address the security of control systems in our critical
infrastructures. Laboratory employees are creating methodologies for
assessing risks and have performed vulnerability assessments of control
systems within the electric power, oil and gas, transportation,
water/wastewater, nuclear power, and manufacturing industries. To promote
awareness of control system vulnerabilities, Sandia's staff has created
security programs, trained teams to conduct security reviews, developed
a threat scenario demonstration system, and developed cybersecurity
courses to train those involved in the operation and protection of
critical infrastructures. Sandia is also working with standards bodies
to include information security in communications protocols.
At Sandia's SCADA Security Development Laboratory, industry can test
and improve the security of its SCADA architectures, systems, and
components. Sandia also has initiatives under way to advance
technologies that strengthen control systems through the use of
intrusion detection, encryption/authentication, secure protocols,
system and component vulnerability analysis, secure architecture design
and analysis, and intelligent self-healing infrastructure technology.
Argonne National Laboratory:
According to DOE, staff at Argonne National Laboratory (ANL) are
conducting vulnerability assessments of control systems in the oil and
gas industry. ANL is also developing a database that includes
information from the vendor and user communities in the various energy
sectors regarding the different control system operating systems, and
it is evaluating these operating systems to determine their
vulnerabilities. The lab is cataloguing various control system failures
and their impacts and evaluating them for correlations in order to
gather requirements that can be turned into solutions.
Los Alamos National Laboratory:
In collaboration with Sandia, Los Alamos has established the National
Infrastructure Simulation and Analysis Center, which provides modeling
and simulation capabilities for the analysis of critical
infrastructures, including the electricity, oil, and gas sectors. Under
the Homeland Security Act, the functions of the center were transferred
to DHS.
Environmental Protection Agency:
Sandia National Laboratories has also collaborated with the
Environmental Protection Agency (EPA) and industry groups to develop a
risk assessment methodology for assessing the vulnerability of water
systems in major U.S. cities.
In June 2000, the American Water Works Association Research Foundation,
in collaboration with Sandia, began a project to develop a
vulnerability assessment methodology for utilities to use to assess the
physical and cyber vulnerabilities of their infrastructures and develop
plans to minimize the risks they identify. The first version of the
Risk Assessment Methodology-Water (RAM-W) was released in November
2001.
In addition, EPA has provided vulnerability assessment training to many
water utilities. In accordance with EPA's water security strategy,
security vulnerability self-assessment guides for systems serving fewer
than 100,000 people have been issued.
All water systems serving more than 3,300 users are required by
law[Footnote 15] to conduct assessments of their water facilities
against the threat of sabotage or other malicious acts. These water
systems are also required to prepare or revise an emergency response
plan incorporating the results of the assessment within 6 months of its
completion. EPA is responsible for ensuring that the water systems have
met these requirements.
Food and Drug Administration:
In August of 1997, part 11 of Title 21 of the Code of Federal
Regulations (21 CFR part 11) became effective. It provides criteria for
the use of electronic records and electronic signatures in complying
with the Food and Drug Administration's (FDA) reporting requirements
for all agencies covered by FDA. In addition, the regulations require
companies to limit system access to authorized individuals, use
authority checks, and enforce appropriate controls over systems
documentation.
The food and pharmaceutical industries use control systems in their
manufacturing processes--for example, to track information about
products, including histories of operator actions, process measurement,
raw materials used, and equipment status, and to generate reports based
on this information. Therefore, to ensure the security of this vital
information, 21 CFR part 11 requires the authentication of electronic
signatures and electronic records in systems used in these industries,
including control systems.
National Institute of Standards and Technology and National Security
Agency:
The National Institute of Standards and Technology (NIST) and the
National Security Agency (NSA) have organized the Process Controls
Security Requirements Forum (PCSRF) to establish security
specifications that can be used in the procurement, development, and
retrofit of industrial control systems. PCSRF's membership includes
representatives from the water, electric, chemical, and petrochemical
industries; U.S. government laboratories and organizations; and vendors
of control systems.
PCSRF's immediate goal is to increase the security of control systems
through the definition and application of a common set of information
security requirements for these systems. This work will be based on
NIST's and NSA's work to develop the Common Criteria standard (ISO
15408) for IT security evaluation. In addition, the forum has created
and is currently using a process control cybersecurity test bed to
validate standards for control system security. The forum also plans to
develop protection profiles from the security requirements that new
industrial control systems and equipment will be built to. PCSRF is
working to collaborate with other existing activities such as the
Instrumentation Systems and Automation Society's efforts to establish
standards and recommended practices for implementing secure control
systems.
Technical Support Working Group:
The multiagency Technical Support Working Group (TSWG) is supporting
several projects that are aimed at enhancing the security of control
systems. One project, the SCADA Security Kit, would develop a self-help
security kit (e.g., checklist and operator guide) and a CD/video
training program. This project has been approved, but it is not yet
funded. In addition, TSWG continues to sponsor the work being conducted
by the gas industry to develop an encryption standard, which we discuss
in more detail later. TSWG is also working with DHS, DOE, and NIST to
further develop aspects of the National Test Bed.
National Science Foundation:
The National Science Foundation (NSF) is studying research and
development areas related to the security of control systems in order
to decide which ones to pursue.
In September 2002, NSF, in collaboration with the White House Office of
Science and Technology Policy, organized a workshop to gather industry
input about long-term research needs for CIP. A particular focus of the
workshop was on securing control systems. Participants from academia,
industry, and government conducted a research needs assessment of
security technologies. The recommendations resulting from this workshop
are expected to lead to a research and development road map for secure
control systems. Examples of topics in this road map are (1)
architectures and systems concepts for authority management and (2)
adaptation of security technologies such as encryption, authentication,
and intrusion detection for real-time control.
In October 2003, NSF sponsored a workshop to explore the information
infrastructure vulnerabilities of control systems. The workshop brought
together a multidisciplinary team of experts on SCADA and IT from
industry, academia, and government to identify both the near-term
technology solutions and the longer-term research needed to secure the
nation's infrastructure. The output of the workshop is a set of four
prioritized, cross-cutting research and development topics:
(1) standards and methodology, (2) modeling and analysis, (3) next
generation platforms, and (4) automated sensing of infrastructure
anomalies. In addition, follow-on activities were recommended to drive
the development of solutions and their transfer to our critical
infrastructures.
Finally, on December 3, 2003, NSF announced a new program that will
fund up to three research center-level collaborations between industry
and academia, as well as individual and team awards to foster ideas and
train people in cybersecurity to protect the nation's critical
infrastructures.
National Academies:
The National Academies established a committee of the nation's top
engineering, medical, scientific, and policy experts to help the
federal government use science and technology strategically to develop
a counterterrorism program plan. Shortly after the September 11
attacks, the committee began identifying current threats to the United
States, researching the most common vulnerabilities to these threats,
and determining strategic opportunities for science and technology to
contribute to combating terrorism in both the short and long terms. The
committee's study evolved into the report Making the Nation Safer: the
Role of Science and Technology in Countering Terrorism, published in
September 2002.
Interagency Working Group on Information Technology Research and
Development:
In November 2002, the Interagency Working Group on Information
Technology Research and Development (IT R&D) of the National Science
and Technology Council, Executive Office of the President, charged the
Networking and IT R&D Grand Challenges Task Force with identifying a
set of science, engineering, and societal challenges that will require
innovations in IT R&D. High Confidence Infrastructure Control Systems
is one of the 16 grand challenges that the task force identified.
North American Electric Reliability Council:
Designated by DOE as the electricity sector's information sharing and
analysis center (ISAC) coordinator for CIP, the North American Electric
Reliability Council (NERC) receives security data from the electricity
sector; analyzes the data with input from DHS, other federal agencies,
and other critical infrastructure sector ISACs; and disseminates threat
indications, analyses, and warnings. NERC has also formed the Critical
Infrastructure Protection Advisory Group (CIPAG), which guides security
activities and conducts security workshops to raise the awareness of
cyber and physical security in the electricity sector. A Process
Control Systems Security Task Force within CIPAG specifically addresses
the security of electricity control systems.
In response to the Federal Energy Regulatory Commission's June 2002
Standard Market Design notice of public rulemaking, which included
cybersecurity standards for the electricity sector, the NERC board of
trustees adopted a 1-year urgent action Cyber Security Standard on
August 13, 2003. The intent of this cybersecurity standard is to
provide a minimal level of assurance that key entities responsible for
the reliability of the bulk electric systems of North America--
specifically, reliability coordinators and control area operators--
identify and protect critical cyber assets that control or could impact
the reliability of their systems. The standard includes such
requirements as policies, controls, physical security, training, and
recovery plans. However, it does not apply to control systems or
electronic relays (i.e., RTUs or PLCs) that are installed in generation
plants, transmission substations, or distribution substations. NERC is
currently preparing a standards authorization request (i.e., a scope
document) that will be used to solicit NERC board approval to begin
drafting of the permanent standard. A number of industry organizations
expect that this will require the compliance of control systems and
electronic relays. Members of the NERC Balloting Body, made up of
representatives of electricity organizations from each of the 10 NERC
regions, will be able to vote on the draft standard, and, if they
approve it, the board of trustees will vote to adopt it. A NERC
representative estimates that the permanent standard would not be
formally adopted until 2005. For compliance purposes, the standard is
not expected to apply to electricity distribution assets or
organizations.
Electric Power Research Institute:
The Electric Power Research Institute (EPRI) has released Scoping Study
on Security Processes and Impacts, a guide to help utilities identify
vulnerabilities in their communications systems and link their
associated risks to appropriate levels of security countermeasures. In
addition, EPRI has launched mock attacks on the control systems of
electric utilities to probe for weaknesses and has subsequently
provided utilities with reports on their own potential vulnerabilities.
EPRI has also provided other members with reports on their potential
vulnerabilities and insights on security best practices. The institute
is also working on a method to protect the SCADA network directly by
identifying anomalous commands that are caused by malicious activities
or human error in time to allow operators to take corrective action.
EPRI next plans to partner with a major computer vendor to develop ways
to secure grid communications, such as by encrypting data at both the
control-system network and field-device levels.
International Council on Large Electric Systems:
The International Council on Large Electric Systems (CIGRE) is a
nonprofit international association based in France. It has established
several study committees to promote and facilitate the international
exchange of knowledge in the electrical industry by identifying best
practices and developing recommendations. Three of its study committees
focus on control systems. The objectives of the Substations Committee
include the adoption of technological advances in equipment and systems
to achieve increased reliability and availability. The System Operation
and Control Committee focuses on the technical capabilities needed for
the secure and economical operation of existing power systems, and it
includes within its scope functionalities to assess security, which
support control centers and operators. The Information Systems and
Telecommunication for Power Systems Committee monitors emerging
technologies in the industry and evaluates their possible impact. In
addition, it focuses on the security requirements of the information
systems and services of control systems. The technical activities of
these committees are carried out by working groups that produce reports
and technical brochures for publication.
The Oil Pipeline Industry:
The oil pipeline industry is currently developing an industry standard
for the protection of control functions and control systems. This
standard will focus on communications including the confidentiality of
protocols, encryption of data, and access controls such as firewall
services and intrusion detection systems. According to a representative
from the oil pipeline industry, the standard will provide guidance on
managing the sharing of SCADA information while maintaining security,
including defining information classification levels and control of
access. It will address how to provide for the interchange of data.
In addition, the industry is working on issues related to standards for
control systems with other organizations, such as the American Gas
Association, the Instrument Society of America, and the Institute of
Electrical and Electronics Engineers.
Gas Technology Institute and American Gas Association:
Sponsored by the federal government's Technical Support Working Group,
the Gas Technology Institute and the American Gas Association (AGA)
have researched a number of potential encryption methods to prevent
hackers from accessing natural gas companies' control systems. This
research has led to the development of a proposed industry standard for
encryption. The proposed standard provides energy utilities with a set
of standards for protocols, equipment, and procedures to protect the
transmission of control systems communications through the data
transfer process. Efforts to develop this standard have been under way
since October 2001. According to the department head of gas supply
operations at AGA, the testing and final release of the proposed
standard is targeted for the second quarter of 2004.
Chemical Sector Cybersecurity Program:
The Chemical Sector Cybersecurity Program is a forum of 13 trade
associations and serves as the ISAC for the chemical sector. Part of
this program, the Chemical Industry Data Exchange (CIDX), has
established the Cyber-Security Practices, Standards and Technology
Initiative to identify immediate opportunities to improve the base
level of cybersecurity within the chemical industry. The objective of
this initiative is to address the practices and standards for both
business systems and manufacturing control systems.
In May of 2003, CIDX completed and issued the first version of its
Guidance for Directing Cybersecurity in the Chemical Sector. In
coordinating with prior work that had been issued by the American
Chemistry Council, this guidance provides information on cybersecurity
applicability, sample strategies, and available resources. Currently,
this document focuses on the security of business systems rather than
control systems; however, in the near future, CIDX plans to incorporate
issues specific to control systems in this document. In addition, CIDX
has plans to start developing prescriptive guidance regarding the risk
level for control systems.
In September of 2003, CIDX issued an additional guidance document,
Cybersecurity Vulnerability Assessment Methodology Guidance. This
document compares several methodologies for assessing cybersecurity
vulnerabilities. The objective was to find one methodology that
performed well in addressing cybersecurity for both business systems
and control systems; however, it was discovered that while a given
methodology may work well for either the business environment or
control systems, it may not work well for both. In addition, CIDX is
working to align the chemical industry's initiatives to enhance the
security of control systems with the ongoing initiatives at the
Instrumentation Systems and Automation Society, NIST, and the American
Chemistry Council.
Instrumentation Systems and Automation Society:
The Instrumentation Systems and Automation Society's (ISA)
Manufacturing and Control Systems Security Standards Committee (also
referred to as the SP99 committee) is composed of representatives from
many industries, including water/wastewater, fossil fuels, nuclear
energy, food and beverages, pharmaceuticals, chemicals,
petrochemicals; U.S. government labs and organizations; and automotive
and educational institutions.
The committee is working to establish standards and recommended
practices, write technical reports, and develop other information that
will define procedures and methodologies for developing, assessing, and
implementing effective security practices for manufacturing and control
systems and for assessing cybersecurity performance. The committee's
guidance is directed toward those responsible for designing,
implementing, or managing control systems, as well as toward users,
system integrators, security practitioners, and control systems
manufacturers and suppliers. Its focus is on improving the
confidentiality, integrity, and availability of control systems and
their components and providing criteria for procuring and implementing
secure control systems.
Two technical reports are expected to be released in March of this
year. The first report, Security Technologies for Manufacturing and
Control Systems (ISA-TR99.00.01), is intended to document the known
state of the art of cybersecurity technologies as they are applied to
the control systems environment, to clearly define what can reasonably
be deployed today, and to define areas where more research is needed.
The purpose of the second report, Integrating Electronic Security into
the Manufacturing and Control Systems Environment (ISA-TR99.00.02), is
to present a consistent approach for developing, implementing, and
operating a program that addresses security for control systems. Plans
have been made to create a joint project team with ISA and the
International Electrotechnical Commission (IEC) to disseminate ISA's
technical reports through the IEC.
Future activities of the committee include updating its technical
reports; continuing to develop a complete standard for manufacturing
and control systems security; developing control systems security
requirements; developing common language and reference models; and
formalizing liaisons and interfaces to government, standards-creating
organizations, technical organizations, and other groups working in the
area of control systems cybersecurity.
International Electrotechnical Commission:
The International Electrotechnical Commission (IEC) is a standards
organization that prepares and publishes international standards for
all electrical, electronic, and related technologies. These standards
serve as a basis for creating national standards and as references for
drafting international tenders and contracts. IEC's members include
manufacturers, providers, distributors, vendors, consumers, users, all
levels of governmental agencies, professional societies, trade
associations, and standards developers from over 60 countries.
IEC's Technical Committee 65 has been chartered to produce standards
for process control. In September 2003, the committee announced its
decision to address the cybersecurity of communications for the
measurement and control of industrial processes. This new work
encompasses technologies such as firewalls, routers, cryptographic
security of communications, and authentication technologies. As
mentioned previously, plans have been made for IEC and ISA to create a
joint project team to advance their efforts to secure control systems.
IEC's Technical Committee 57 is working to develop standards for
control systems and control system components, including communications
and end devices such as RTUs. It is also establishing data and
communication security and communications standards for substations.
Institute of Electrical and Electronics Engineers:
The Institute of Electrical and Electronics Engineers (IEEE) is
developing standards for defining, specifying, and analyzing control
systems in the electric power industry. In addition, IEEE has developed
recommended practices for communication between remote terminal units
and intelligent electronic devices in a substation. IEEE is also
working on a project to develop a standard for substation integrated
protection, control, and data acquisition communications. The project
will define standards for communications requirements and will specify
message delivery time between intelligent electronic devices.
Partnership for Critical Infrastructure Security:
The Partnership for Critical Infrastructure Security (PCIS) is
comprised of government agencies and private-sector associations that
represent each of the critical infrastructure sectors. The partnership
coordinates cross-sector initiatives to support CIP by identifying
legislative issues that affect such initiatives and by raising
awareness of issues in CIP. PCIS has had a control systems working
group whose goal has been to raise awareness of control system security
and to discuss the existing initiatives to improve the security of
control systems.
CERT/CC and KEMA Consulting:
CERT/CC at Carnegie Mellon and KEMA Consulting are leading an
initiative to establish E-CERT, a team to collect and analyze
information about cybersecurity incidents in control systems within the
nation's critical infrastructures, assess their effects, and share the
results with industry. Already initiated, the first step consists of
conducting a scoping study and developing a white paper to determine
how to manage vulnerabilities and incidents. KEMA and CERT/CC plan to
enlist expertise from the control system community and establish an
ongoing rapport with control system vendors. Plans are for DOE, DHS,
and private industry groups to fund the team. While this effort has
thus far focused on the energy sector, the issues are applicable to
other sectors.
Process Control Systems Cyber Security Forum:
The Process Control Systems Cyber Security Forum (PCSCS) is a joint
effort of KEMA Consulting and LogOn Consulting, Inc. Formed in 2003,
PCSCS is an annual program to study the cybersecurity issues
surrounding the effective operation of control systems. It focuses on
issues, challenges, threats, vulnerabilities, best practices, lessons
learned, and solutions. It currently holds workshops and seminars on
control system cybersecurity via the Internet, offers consulting
services, and publishes bulletins and white papers aimed at helping
those in the process control environment to share information and
address the issues they are facing in securing their control systems.
[End of section]
Appendix III: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security
Washington, DC 20528:
February 26, 2004:
MEMORANDUM FOR: ROBERT F. DACEY:
DIRECTOR, INFORMATION SECURITY SERVICES, GENERAL ACCOUNTING OFFICE:
FROM:
Frank Libutti
Under Secretary:
Information Analysis and Infrastructure Protection Directorate:
Department of Homeland Security:
Signed for Frank Libutti:
SUBJECT: Department of Homeland Security Response to Draft GAO Report
(GAO-04-354) Critical Infrastructure Protection Challenges and Efforts
to Secure Control Systems:
The Department of Homeland Security (DHS) concurs with the
recommendation noted in your draft report, and appreciates the
opportunity to comment.
DHS agrees that improving the security of control systems against the
risk of cyber attacks is a high priority. DHS has engaged with the
private sector, academia, and other government entities on this matter,
and will continue to do so as outlined in Homeland Security
Presidential Directive/HSPD-7. Consistent with the National Strategy
for the Physical Protection of Critical Infrastructure and Key Assets
and the National Strategy to Secure Cyberspace, we are addressing
control systems from both a physical and cyber perspective utilizing
the capabilities of our Protective Security Division and National Cyber
Security Division collectively.
We understand that our proposed changes to the text of the report have
been reviewed and incorporated. We look forward to receiving your final
report, and we will review it within the specified timeframe of sixty
days after receipt.
If you or your staff have any questions or need additional information,
please contact me or my Chief of Staff, John P. Chase, at 202-282-8141.
[End of section]
FOOTNOTES
[1] Control systems are computer-based systems that are used by many
infrastructures and industries to monitor and control sensitive
processes and physical functions. Typically, control systems collect
sensor measurements and operational data from the field, process and
display this information, and relay control commands to local or remote
equipment. There are two primary types of control systems. Distributed
Control Systems (DCS) typically are used within a single processing or
generating plant or over a small geographic area. Supervisory Control
and Data Acquisition (SCADA) systems typically are used for large,
geographically dispersed distribution operations.
[2] U.S. General Accounting Office, Critical Infrastructure Protection:
Challenges in Securing Control Systems, GAO-04-140T (Washington, D.C.:
Oct. 1, 2003).
[3] Virus: a program that "infects" computer files, usually executable
programs, by inserting a copy of itself into the file. These copies are
usually executed when the "infected" file is loaded into memory,
allowing the virus to infect other files. Unlike the computer worm, a
virus requires human involvement (usually unwitting) to propagate.
Trojan horse: a computer program that conceals harmful code. A Trojan
horse usually masquerades as a useful program that a user would wish to
execute.
Worm: an independent computer program that reproduces by copying itself
from one system to another across a network. Unlike computer viruses,
worms do not require human involvement to propagate.
Logic bomb: in programming, a form of sabotage in which a programmer
inserts code that causes the program to perform a destructive action
when some triggering event occurs, such as termination of the
programmer's employment.
Sniffer: synonymous with packet sniffer. A program that intercepts
routed data and examines each packet in search of specified
information, such as passwords transmitted in clear text.
[4] The CERT/CC is a center of Internet security expertise at the
Software Engineering Institute, a federally funded research and
development center operated by Carnegie Mellon University.
[5] Testimony of George J. Tenet, Director of Central Intelligence,
before the Senate Select Committee on Intelligence, February 6, 2002.
[6] Symantec, Symantec Internet Security Threat Report: Attack Trends
for Q3 and Q4 2002 (February 2003).
[7] Wi-Fi (short for wireless fidelity) is the popular term for a
high-frequency wireless local area network.
[8] President's Commission on Critical Infrastructure Protection,
Critical Foundations: Protecting America's Infrastructures
(Washington, D.C.: October 1997).
[9] The National Research Council, Making the Nation Safer: the Role of
Science and Technology in Countering Terrorism (Washington, D.C.:
December 2002).
[10] The White House, The National Strategy to Secure Cyberspace
(Washington, D.C.: February 2003).
[11] War dialers are simple personal computer programs that dial
consecutive phone numbers looking for modems.
[12] An ampere is a unit of measurement for electric current.
[13] U.S. General Accounting Office, Critical Infrastructure
Protection: Challenges for Selected Agencies and Industry Sectors,
GAO-03-233 (Washington, D.C.: Feb. 28, 2003).
[14] U.S. General Accounting Office, Homeland Security: Information
Sharing Responsibilities, Challenges, and Key Management Issues,
GAO-03-1165T (Washington, D.C.: Sept. 17, 2003).
[15] The Public Health Security and Bioterrorism Preparedness and
Response Act of 2002 (P.L. 107-188, June 12, 2002) amended the Safe
Drinking Water Act to require each community water system serving more
than 3,300 individuals to conduct an assessment of the system's
vulnerability to terrorist attacks or other deliberate acts to
compromise a safe and dependable drinking water supply. Under the law,
EPA is to develop protocols to protect the assessments from
unauthorized disclosure. The law also establishes deadlines, based on
system size, for these systems to certify to EPA that they have
conducted a vulnerability assessment and to submit to EPA a copy of the
assessment.