GAO Urges Better Strategy For Protecting Control Systems - InformationWeek


The Department of Homeland Security says it has contacted private companies, academia, and other government agencies to address cybersecurity concerns.

Congressional auditors have recommended to Homeland Security Secretary Tom Ridge that the department develop and implement a strategy for coordinating with the private sector and other government agencies to improve security for control systems, such as the IT systems used to secure utility plants.

In a written response to the General Accounting Office report, which was publicly released Tuesday, Homeland Security undersecretary for information analysis and infrastructure protection Frank Libutti concurred, saying the department has initiated contact with private companies, academia, and other government agencies to address the cybersecurity concerns raised by the GAO.

Cyberattacks are on the rise. The GAO report noted that Carnegie Mellon University's CERT/Coordination Center, which counts such attacks, recorded nearly 13,000 security vulnerabilities that resulted from software flaws from 1995 through 2003. The number of computer-security incidents reported to CERT/CC also has risen dramatically--from 9,859 in 1999 to 82,094 in 2002 and to 137,529 in 2003.

And these are only the reported attacks, the GAO notes. As many as 80% of security incidents go unreported--in most cases because there were no indications of penetration or attack, the organization was unable to recognize that its systems had been penetrated, or it was reluctant to make a report, the GAO said, citing CERT officials.

According to the 47-page GAO report, several factors have contributed to the escalation of the risks of cyberattacks against control systems, in addition to general cyberthreats, which have been steadily increasing. These factors include the adoption of standardized technologies with known vulnerabilities and the increased connectivity of control systems to other systems. Control systems can be vulnerable to a variety of attacks, examples of which have already occurred. Successful attacks on control systems could have devastating consequences, such as endangering public health and safety, according to the GAO.

Securing control systems poses significant challenges, including limited specialized security technologies and lack of economic justification. The government, academia, and private industry have initiated efforts to strengthen the cybersecurity of control systems. The President's National Strategy to Secure Cyberspace established a role for the Department of Homeland Security to coordinate with these agencies to improve the cybersecurity of control systems. While some synchronization is occurring, GAO says, the department's coordination of these efforts could accelerate the development and implementation of more-secure systems.

The GAO also cited reports from the National Security Agency that said foreign governments have or are developing computer-attack capabilities--and that potential adversaries are acquiring a body of knowledge about U.S. systems and methods to attack these systems.

A National Infrastructure Protection Center report states that American law-enforcement and intelligence agencies had received indications that al-Qaida members had sought information about control systems from multiple Web sites, specifically on water-supply and wastewater-management practices in the United States and abroad. Since the Sept. 11, 2001, terrorist attacks, warnings of the potential for terrorist cyberattacks against U.S. critical infrastructures have increased. According to a study by a computer security organization, GAO says, during the second half of 2002 the highest rates of global computer attacks were for those aimed at companies that provide critical infrastructures such as power, energy, and financial services. Further, a study that surveyed more than 170 security professionals and other executives concluded that, across industries, respondents believe that a large-scale cyberattack in the United States will be launched against their industry by mid-2006.

"Without effective coordination of these efforts," writes Robert Dacey, the GAO's director of information-security issues, "there's a risk of delaying the development and implementation of more-secure systems to manage our critical infrastructures."
