Congressional auditors have recommended to Homeland Security Secretary Tom Ridge that the department develop and implement a strategy for coordinating with the private sector and other government agencies to improve security for control systems, such as the IT systems used to secure utility plants.
In a written response to the General Accounting Office report, which was publicly released Tuesday, Homeland Security undersecretary for information analysis and infrastructure protection Frank Libutti concurred, saying the department has initiated contact with private companies, academia, and other government agencies to address the cybersecurity concerns raised by the GAO.
Cyberattacks are on the rise. The GAO report noted that Carnegie Mellon University's CERT/Coordination Center, which counts such attacks, recorded nearly 13,000 security vulnerabilities that resulted from software flaws from 1995 through 2003. The number of computer-security incidents reported to CERT/CC also has risen dramatically--from 9,859 in 1999 to 82,094 in 2002 and to 137,529 in 2003.
And these are only the reported attacks, the GAO notes. As many as 80% of security incidents go unreported--in most cases because there were no indications of penetration or attack, the organization was unable to recognize that its systems had been penetrated, or it was reluctant to make a report, the GAO said, citing CERT officials.
According to the 47-page GAO report, several factors have contributed to the escalation of the risks of cyberattacks against control systems, in addition to general cyberthreats, which have been steadily increasing. These factors include the adoption of standardized technologies with known vulnerabilities and the increased connectivity of control systems to other systems. Control systems can be vulnerable to a variety of attacks, examples of which have already occurred. Successful attacks on control systems could have devastating consequences, such as endangering public health and safety, according to the GAO.
Securing control systems poses significant challenges, including limited specialized security technologies and lack of economic justification. The government, academia, and private industry have initiated efforts to strengthen the cybersecurity of control systems. The President's National Strategy to Secure Cyberspace established a role for the Department of Homeland Security to coordinate with these agencies to improve the cybersecurity of control systems. While some synchronization is occurring, GAO says, the department's coordination of these efforts could accelerate the development and implementation of more-secure systems.
The GAO also cited reports from the National Security Agency that said foreign governments have or are developing computer-attack capabilities--and that potential adversaries are acquiring a body of knowledge about U.S. systems and methods to attack these systems.
A National Infrastructure Protection Center report states that American law-enforcement and intelligence agencies had received indications that al-Qaida members had sought information about control systems from multiple Web sites, specifically on water-supply and wastewater-management practices in the United States and abroad. Since the Sept. 11, 2001, terrorist attacks, warnings of the potential for terrorist cyberattacks against U.S. critical infrastructures have increased. According to a study by a computer security organization, GAO says, during the second half of 2002 the highest rates of global computer attacks were those aimed at companies that provide critical infrastructures such as power, energy, and financial services. Further, a study that surveyed more than 170 security professionals and other executives concluded that, across industries, respondents believe that a large-scale cyberattack in the United States will be launched against their industry by mid-2006.
"Without effective coordination of these efforts," writes Robert Dacey, the GAO's director of information-security issues, "there's a risk of delaying the development and implementation of more-secure systems to manage our critical infrastructures."