GAO Urges Better Strategy For Protecting Control Systems - InformationWeek

The Department of Homeland Security says it has contacted private companies, academia, and other government agencies to address cybersecurity concerns.

Congressional auditors have recommended to Homeland Security Secretary Tom Ridge that the department develop and implement a strategy for coordinating with the private sector and other government agencies to improve security for control systems, such as the IT systems used to secure utility plants.

In a written response to the General Accounting Office report, which was publicly released Tuesday, Homeland Security undersecretary for information analysis and infrastructure protection Frank Libutti concurred, saying the department has initiated contact with private companies, academia, and other government agencies to address the cybersecurity concerns raised by the GAO.

Cyberattacks are on the rise. The GAO report noted that Carnegie Mellon University's CERT/Coordination Center, which counts such attacks, recorded nearly 13,000 security vulnerabilities that resulted from software flaws from 1995 through 2003. The number of computer-security incidents reported to CERT/CC also has risen dramatically--from 9,859 in 1999 to 82,094 in 2002 and to 137,529 in 2003.

And these are only the reported attacks, the GAO notes. As many as 80% of security incidents go unreported--in most cases because there were no indications of penetration or attack, the organization was unable to recognize that its systems had been penetrated, or it was reluctant to make a report, the GAO said, citing CERT officials.

According to the 47-page GAO report, several factors have contributed to the escalation of the risks of cyberattacks against control systems, in addition to general cyberthreats, which have been steadily increasing. These factors include the adoption of standardized technologies with known vulnerabilities and the increased connectivity of control systems to other systems. Control systems can be vulnerable to a variety of attacks, examples of which have already occurred. Successful attacks on control systems could have devastating consequences, such as endangering public health and safety, according to the GAO.

Securing control systems poses significant challenges, including limited specialized security technologies and lack of economic justification. The government, academia, and private industry have initiated efforts to strengthen the cybersecurity of control systems. The President's National Strategy to Secure Cyberspace established a role for the Department of Homeland Security to coordinate with these agencies to improve the cybersecurity of control systems. While some synchronization is occurring, GAO says, the department's coordination of these efforts could accelerate the development and implementation of more-secure systems.

The GAO also cited reports from the National Security Agency that said foreign governments have or are developing computer-attack capabilities--and that potential adversaries are acquiring a body of knowledge about U.S. systems and methods to attack these systems.

A National Infrastructure Protection Center report states that American law-enforcement and intelligence agencies had received indications that al-Qaida members had sought information about control systems from multiple Web sites, specifically on water-supply and wastewater-management practices in the United States and abroad. Since the Sept. 11, 2001, terrorist attacks, warnings of the potential for terrorist cyberattacks against U.S. critical infrastructures have increased. According to a study by a computer security organization, GAO says, during the second half of 2002 the highest rates of global computer attacks were for those aimed at companies that provide critical infrastructures such as power, energy, and financial services. Further, a study that surveyed more than 170 security professionals and other executives concluded that, across industries, respondents believe that a large-scale cyberattack in the United States will be launched against their industry by mid-2006.

"Without effective coordination of these efforts," writes Robert Dacey, the GAO's director of information-security issues, "there's a risk of delaying the development and implementation of more-secure systems to manage our critical infrastructures."
