GAO Urges Better Strategy For Protecting Control Systems - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
News

GAO Urges Better Strategy For Protecting Control Systems

The Department of Homeland Security says it has contacted private companies, academia, and other government agencies to address cybersecurity concerns.

Congressional auditors have recommended to Homeland Security Secretary Tom Ridge that the department develop and implement a strategy for coordinating with the private sector and other government agencies to improve security for control systems, such as the IT systems used to secure utility plants.

In a written response to the General Accounting Office report, which was publicly released Tuesday, Homeland Security undersecretary for information analysis and infrastructure protection Frank Libutti concurred, saying the department has initiated contact with private companies, academia, and other government agencies to address the cybersecurity concerns raised by the GAO.

Cyberattacks are on the rise. The GAO report noted that Carnegie Mellon University's CERT/Coordination Center, which counts such attacks, recorded nearly 13,000 security vulnerabilities that resulted from software flaws from 1995 through 2003. The number of computer-security incidents reported to CERT/CC also has risen dramatically--from 9,859 in 1999 to 82,094 in 2002 and to 137,529 in 2003.

And these are only the reported attacks, the GAO notes. As many as 80% of security incidents go unreported--in most cases because there were no indications of penetration or attack, the organization was unable to recognize that its systems had been penetrated, or it was reluctant to make a report, the GAO said, citing CERT officials.

According to the 47-page GAO report, several factors have contributed to the escalation of the risks of cyberattacks against control systems, in addition to general cyberthreats, which have been steadily increasing. These factors include the adoption of standardized technologies with known vulnerabilities and the increased connectivity of control systems to other systems. Control systems can be vulnerable to a variety of attacks, examples of which have already occurred. Successful attacks on control systems could have devastating consequences, such as endangering public health and safety, according to the GAO.

Securing control systems poses significant challenges, including limited specialized security technologies and lack of economic justification. The government, academia, and private industry have initiated efforts to strengthen the cybersecurity of control systems. The President's National Strategy to Secure Cyberspace established a role for the Department of Homeland Security to coordinate with these agencies to improve the cybersecurity of control systems. While some synchronization is occurring, GAO says, the department's coordination of these efforts could accelerate the development and implementation of more-secure systems.

The GAO also cited reports from the National Security Agency that said foreign governments have or are developing computer-attack capabilities--and that potential adversaries are acquiring a body of knowledge about U.S. systems and methods to attack these systems.

A National Infrastructure Protection Center report states that American law-enforcement and intelligence agencies had received indications that al-Qaida members had sought information about control systems from multiple Web sites, specifically on water-supply and wastewater-management practices in the United States and abroad. Since the Sept. 11, 2001, terrorist attacks, warnings of the potential for terrorist cyberattacks against U.S. critical infrastructures have increased. According to a study by a computer security organization, GAO says, during the second half of 2002 the highest rates of global computer attacks were for those aimed at companies that provide critical infrastructures such as power, energy, and financial services. Further, a study that surveyed more than 170 security professionals and other executives concluded that, across industries, respondents believe that a large-scale cyberattack in the United States will be launched against their industry by mid-2006.

"Without effective coordination of these efforts," writes Robert Dacey, the GAO's director of information-security issues, "there's a risk of delaying the development and implementation of more-secure systems to manage our critical infrastructures."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Commentary
Study Proposes 5 Primary Traits of Innovation Leaders
Joao-Pierre S. Ruth, Senior Writer,  11/8/2019
Slideshows
Top-Paying U.S. Cities for Data Scientists and Data Analysts
Cynthia Harvey, Freelance Journalist, InformationWeek,  11/5/2019
Slideshows
10 Strategic Technology Trends for 2020
Jessica Davis, Senior Editor, Enterprise Apps,  11/1/2019
Register for InformationWeek Newsletters
Video
Current Issue
Getting Started With Emerging Technologies
Looking to help your enterprise IT team ease the stress of putting new/emerging technologies such as AI, machine learning and IoT to work for their organizations? There are a few ways to get off on the right foot. In this report we share some expert advice on how to approach some of these seemingly daunting tech challenges.
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll