GAO Urges Better Strategy For Protecting Control Systems - InformationWeek


The Department of Homeland Security says it has contacted private companies, academia, and other government agencies to address cybersecurity concerns.

Congressional auditors have recommended to Homeland Security Secretary Tom Ridge that the department develop and implement a strategy for coordinating with the private sector and other government agencies to improve security for control systems, such as the IT systems used to secure utility plants.

In a written response to the General Accounting Office report, which was publicly released Tuesday, Homeland Security undersecretary for information analysis and infrastructure protection Frank Libutti concurred, saying the department has initiated contact with private companies, academia, and other government agencies to address the cybersecurity concerns raised by the GAO.

Cyberattacks are on the rise. The GAO report noted that Carnegie Mellon University's CERT/Coordination Center, which counts such attacks, recorded nearly 13,000 security vulnerabilities that resulted from software flaws from 1995 through 2003. The number of computer-security incidents reported to CERT/CC also has risen dramatically--from 9,859 in 1999 to 82,094 in 2002 and to 137,529 in 2003.

And these are only the reported attacks, the GAO notes. As many as 80% of security incidents go unreported--in most cases because there were no indications of penetration or attack, the organization was unable to recognize that its systems had been penetrated, or it was reluctant to make a report, the GAO said, citing CERT officials.

According to the 47-page GAO report, several factors have contributed to the escalation of the risks of cyberattacks against control systems, in addition to general cyberthreats, which have been steadily increasing. These factors include the adoption of standardized technologies with known vulnerabilities and the increased connectivity of control systems to other systems. Control systems can be vulnerable to a variety of attacks, examples of which have already occurred. Successful attacks on control systems could have devastating consequences, such as endangering public health and safety, according to the GAO.

Securing control systems poses significant challenges, including limited specialized security technologies and lack of economic justification. The government, academia, and private industry have initiated efforts to strengthen the cybersecurity of control systems. The President's National Strategy to Secure Cyberspace established a role for the Department of Homeland Security to coordinate with these agencies to improve the cybersecurity of control systems. While some synchronization is occurring, GAO says, the department's coordination of these efforts could accelerate the development and implementation of more-secure systems.

The GAO also cited reports from the National Security Agency that said foreign governments have or are developing computer-attack capabilities--and that potential adversaries are acquiring a body of knowledge about U.S. systems and methods to attack these systems.

A National Infrastructure Protection Center report states that American law-enforcement and intelligence agencies had received indications that al-Qaida members had sought information about control systems from multiple Web sites, specifically on water-supply and wastewater-management practices in the United States and abroad. Since the Sept. 11, 2001, terrorist attacks, warnings of the potential for terrorist cyberattacks against U.S. critical infrastructures have increased. According to a study by a computer security organization, GAO says, during the second half of 2002 the highest rates of global computer attacks were for those aimed at companies that provide critical infrastructures such as power, energy, and financial services. Further, a study that surveyed more than 170 security professionals and other executives concluded that, across industries, respondents believe that a large-scale cyberattack in the United States will be launched against their industry by mid-2006.

"Without effective coordination of these efforts," writes Robert Dacey, the GAO's director of information-security issues, "there's a risk of delaying the development and implementation of more-secure systems to manage our critical infrastructures."
