Oil and natural gas facilities, power plants and other critical U.S. infrastructure face increasing risks from cyber threats, system vulnerabilities and the potential impact from the attacks, according to a report by the Government Accountability Office (GAO).
The report, which was requested by Congress, reviewed control systems, which are the computer-based systems that monitor and control sensitive processes and physical functions in many of the nation's critical infrastructures, including electric power, oil and gas, water treatment and chemical production (GAO-07-2036). The GAO's "Critical Infrastructure Protection" report found a lot of problems in its review -- and the potential for more.
"Threats can be intentional or unintentional, targeted or nontargeted, and can come from a variety of sources," the GAO noted. "Control systems are more vulnerable to cyber attacks than in the past for several reasons, including their increased connectivity to other systems and the Internet. Further, as demonstrated by past attacks and incidents involving control systems, the impact on a critical infrastructure could be substantial."
Incidents that have affected critical infrastructure over the last 10 years include:
According to the GAO, industry generally has not implemented existing security technologies because of limited computer processing capabilities, the need for real-time operation and the lack of consideration for cybersecurity in the original system's design. And it will take some time before these issues are resolved by federal regulators and the private sector, said the GAO.
Currently, committees within the American Gas Association are working on several things to protect infrastructure, including ways to apply encryption to protect gas utility control systems. And the American Petroleum Institute has published two standards to guide operators in controlling information on pipeline control systems. The North American Electric Reliability Corp. also began implementing cybersecurity reliability standards in June, and utilities have to be fully compliant with the standards by 2010.
Several hurdles remain. Organizational changes -- both private and federal -- hinder some efforts because there is "difficulty in developing a compelling business case for investing in control systems security and differing priorities of information security personnel and control systems engineers," GAO noted. Coordinating federal efforts with those of the private sector also will be a time-consuming process.
"[T]here is as yet no overall strategy to coordinate the various activities across federal agencies and the private sector," said the GAO. "Until public and private sector security efforts are coordinated by an overarching strategy and specific information sharing shortfalls are addressed, there is an increased risk that multiple organizations will conduct duplicative work and miss opportunities to fulfill their critical missions."
To read the report, visit www.gao.gov.
©Copyright 2007 Intelligence Press Inc. All rights reserved. The preceding news report may not be republished or redistributed, in whole or in part, in any form, without prior written consent of Intelligence Press, Inc.