b'<html>\n<title>SCADA SYSTEMS AND THE TERRORIST THREAT: PROTECTING THE NATION\'S CRITICAL CONTROL SYSTEMS</title>\n<body><pre>[House Hearing, 109 Congress]\n[From the U.S. Government Printing Office]\n\n\n \n                    SCADA SYSTEMS AND THE TERRORIST\n                    THREAT: PROTECTING THE NATION\'S\n                        CRITICAL CONTROL SYSTEMS\n\n=======================================================================\n\n                             JOINT HEARING\n\n                               before the\n\n                        SUBCOMMITTEE ON ECONOMIC\n                        SECURITY, INFRASTRUCTURE\n                      PROTECTION, AND CYBERSECURITY\n\n                                with the\n\n                       SUBCOMMITTEE ON EMERGENCY\n                 PREPAREDNESS, SCIENCE, AND TECHNOLOGY\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED NINTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            OCTOBER 18, 2005\n\n                               __________\n\n                           Serial No. 109-45\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n\n  Available via the World Wide Web: http://www.gpoaccess.gov/congress/\n                               index.html\n\n\n                               __________\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n31-506                      WASHINGTON : 2007\n_____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. 
Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  \nFax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Peter T. King, New York, Chairman\n\nDon Young, Alaska                    Bennie G. Thompson, Mississippi\nLamar S. Smith, Texas                Loretta Sanchez, California\nCurt Weldon, Pennsylvania            Edward J. Markey, Massachusetts\nChristopher Shays, Connecticut       Norman D. Dicks, Washington\nJohn Linder, Georgia                 Jane Harman, California\nMark E. Souder, Indiana              Peter A. DeFazio, Oregon\nTom Davis, Virginia                  Nita M. Lowey, New York\nDaniel E. Lungren, California        Eleanor Holmes Norton, District of \nJim Gibbons, Nevada                  Columbia\nRob Simmons, Connecticut             Zoe Lofgren, California\nMike Rogers, Alabama                 Sheila Jackson-Lee, Texas\nStevan Pearce, New Mexico            Bill Pascrell, Jr., New Jersey\nKatherine Harris, Florida            Donna M. Christensen, U.S. Virgin \nBobby Jindal, Louisiana              Islands\nDave G. Reichert, Washington         Bob Etheridge, North Carolina\nMichael McCaul, Texas                James R. Langevin, Rhode Island\nCharlie Dent, Pennsylvania           Kendrick B. Meek, Florida\nGinny Brown-Waite, Florida\n\n                                 ______\n\n   Subcommittee on Economic Security, Infrastructure Protection, and \n                             Cybersecurity\n\n                Daniel E. Lungren, California, Chairman\n\nDon Young, Alaska                    Loretta Sanchez, California\nLamar S. Smith, Texas                Edward J. Markey, Massachusetts\nJohn Linder, Georgia                 Norman D. Dicks, Washington\nMark E. Souder, Indiana              Peter A. 
DeFazio, Oregon\nMike Rogers, Alabama                 Zoe Lofgren, California\nStevan Pearce, New Mexico            Sheila Jackson-Lee, Texas\nKatherine Harris, Florida            Bill Pascrell, Jr., New Jersey\nBobby Jindal, Louisiana              James R. Langevin, Rhode Island\nPeter T. King, New York (Ex          Bennie G. Thompson, Mississippi \nOfficio)                             (Ex Officio)\n\n                                 ______\n\n     SUBCOMMITTEE ON EMERGENCY PREPAREDNESS, SCIENCE, AND TECHNOLOGY\n\n                 Dave G. Reichert, Washington, Chairman\n\nLamar S. Smith, Texas                Bill Pascrell, Jr., New Jersey\nCurt Weldon, Pennsylvania            Loretta Sanchez, California\nRob Simmons, Connecticut             Norman D. Dicks, Washington\nMike Rogers, Alabama                 Jane Harman, California\nStevan Pearce, New Mexico            Nita M. Lowey, New York\nKatherine Harris, Florida            Eleanor Holmes Norton, District of \nMichael McCaul, Texas                Columbia\nCharlie Dent, Pennsylvania           Donna M. Christensen, U.S. Virgin \nGinny Brown-Waite, Florida           Islands\nPeter T. King, New York (Ex          Bob Etheridge, North Carolina\nOfficio)                             Bennie G. Thompson, Mississippi \n                                     (Ex Officio)\n\n                                  (II)\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               STATEMENTS\n\nThe Honorable Daniel E. Lungren, a Representative in Congress \n  From the State of California, and Chairman, Subcommittee on \n  Economic Security, Infrastructure Protection, and \n  Cybersecurity:\n  Oral Statement.................................................     1\n  Prepared Statement.............................................     
1\nThe Honorable Loretta Sanchez, a Representative in Congress From \n  the State of California, and Ranking Member, Subcommittee on \n  Economic Security, Infrastructure Protection, and Cybersecurity     2\nThe Honorable Dave G. Reichert, a Representative in Congress From \n  the State of Washington, and Chairman, Subcommittee on \n  Emergency Preparedness, Science, and Technology:\n  Oral Statement.................................................     2\n  Prepared Statement.............................................     3\nThe Honorable Bill Pascrell, Jr., a Representative in Congress \n  From the State of New Jersey, and Ranking Member, Subcommittee \n  on Emergency Preparedness, Science and Technology:\n  Prepared Statement.............................................     3\nThe Honorable Peter T. King, a Representative in Congress From \n  the State of New York, and Chairman, Committee on Homeland \n  Security:\n  Prepared Statement.............................................     4\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Ranking Member, Committee on \n  Homeland Security:\n  Oral Statement.................................................     5\n  Prepared Statement.............................................    58\nThe Honorable Donna M. Christensen, a Delegate in Congress From \n  the U.S. Virgin Islands........................................    67\nThe Honorable Norman D. Dicks, a Representative in Congress From \n  the State of Washington........................................    68\nThe Honorable Bob Etheridge, a Representative in Congress From \n  the State of North Carolina....................................    65\nThe Honorable Sheila Jackson-Lee, a Representative in Congress \n  From the State of Texas........................................    64\nThe Honorable Eleanor Holmes Norton, a Delegate in Congress From \n  the District of Columbia.......................................    
62\nThe Honorable Stevan Pearce, a Representative in Congress From \n  the State of New Mexico........................................    56\nThe Honorable Ginny Brown-Waite, a Representative in Congress \n  From the State of Florida......................................    60\n\n                               Witnesses\n\nDr. K.P. Ananth, Associate Laboratory Director--National and \n  Homeland Security, Idaho National Laboratory:\n  Oral Statement.................................................    24\n  Prepared Statement.............................................    25\nMr. Alan Paller, Director of Research, The SANS Institute:\n  Oral Statement.................................................    40\n  Prepared Statement.............................................    42\nMr. Donald ``Andy\'\' Purdy, Acting Director, National Cyber \n  Security Division, U.S. Department of Homeland Security:\n  Oral Statement.................................................     6\n  Prepared Statement.............................................     7\nDr. William Rush, Institute Physicist, Gas Technology Institute:\n  Oral Statement.................................................    31\n  Prepared Statement.............................................    33\nMr. Larry Todd, Director, Security, Safety and Law Enforcement \n  Bureau of Reclamation, U.S. Department of the Interior:\n  Oral Statement.................................................    14\n  Prepared Statement.............................................    15\nDr. Sam Varnado, Director of Information Operations Center, \n  Sandia National Laboratory:\n  Oral Statement.................................................    16\n  Prepared Statement.............................................    18\n\n                                APPENDIX\n\nDr. K.P. Ananth Responses to the Honorable Daniel E. Lungren \n  Questions......................................................    71\nMr. 
Donald ``Andy\'\' Purdy Responses to the Honorable Bennie G. \n  Thompson Questions.............................................    81\nMr. Larry Todd Responses to the Honorable Bennie G. Thompson \n  Questions......................................................    86\nDr. Sam Varnado Responses to the Honorable Bennie G. Thompson \n  Questions......................................................    89\n\n\n                    SCADA SYSTEMS AND THE TERRORIST\n                    THREAT: PROTECTING THE NATION\'S\n                        CRITICAL CONTROL SYSTEMS\n\n                              ----------                              \n\n\n                       Tuesday, October 18, 2005\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n                         Subcommittee on Economic Security,\n              Infrastructure Protection, and Cybersecurity,\n                                                   with the\n                                  Subcommittee on Emergency\n                     Preparedness, Science, and Technology,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 4 p.m., in Room \n311, Cannon House Office Building, Hon. Dan Lungren [chairman \nof the Subcommittee on Economic Security, Infrastructure \nProtection, and Cybersecurity] presiding.\n    Present: Representatives Lungren, Reichert, Pearce, Brown-\nWaite, Pascrell, Thompson, Dicks, Norton, Jackson-Lee, \nChristensen, Etheridge and Sanchez.\n    Mr. Lungren. The joint hearing of the Committee on Homeland \nSecurity Subcommittee on Economic Security, Infrastructure \nProtection and Cybersecurity and the Subcommittee on Emergency \nPreparedness, Science and Technology will come to order. 
The \nsubcommittees are meeting today in joint session to hear \ntestimony on supervisory control and data acquisition systems, \nbetter known as SCADA systems, in the effort to protect these \ncritical control systems from terrorist attack.\n    We have been informed that we will have votes starting at \napproximately 4:30, and as a result, we are going to have a \nmajor interruption. We have six major witnesses here on a very \nimportant matter, so I am going to not give my opening \nstatement. It will be included as a part of the record. And \nthen we will proceed.\n\n       Prepared Opening Statement of the Honorable Daniel Lungren\n\n    Good morning and I would like to welcome everyone to this joint \nhearing of the Committee on Homeland Security\'s Subcommittee on \nEconomic Security, Infrastructure Protection, and Cybersecurity and the \nSubcommittee on Emergency Preparedness, Science & Technology. I thank \nChairman Reichert and Ranking Member Pascrell for agreeing to hold this \njointly, as this critical issue has far reaching impacts.\n    We convene today to focus on the protection of control systems at \nour Nation\'s critical infrastructure. Control systems are utilized in a \nwide variety of industries--such as electrical generation and \ndistribution, oil and gas systems, traffic signals and other \ntransportation supervision, water management (including dams), and \nmanufacturing industries. These control systems are commonly referred \nto as SCADA systems.\n    These computer terminals have the ability to give supervisory \ncontrol to a central user over separate and often disparate functions \nor processes. Further, SCADA systems collect information from remote \nlocations and coalesce it into one location.\n    Now what does this actually mean? Simply put, a manufacturing \nfacility or any of the aforementioned facilities incorporate many \ndifferent processes and functions. 
To safely, securely, and efficiently \nrun the facility, companies must be able to monitor and adjust these \nprocesses simultaneously. Before SCADA systems, workers would be placed \nthroughout a facility and manually monitor and adjust the various \nsystems. SCADA systems bring monitoring and control of these functions \ninto one centralized location, making it easier and more efficient to \nrun these processes.\n    At the same time, these systems present serious security \nchallenges. Because these terminals control crucial systems within our \ncritical infrastructure and are often connected to networks and can be \nremotely accessed, they present an attractive means for those wishing \nto cause harm and confusion.\n    Securing SCADA systems is similar to securing all of our cyber \ninfrastructure; however, the consequences are potentially very \ndifferent. Minimally, adversaries could target SCADA systems through \ncyber networks, utilizing common cyber attack methods to render the \nSCADA systems unusable. This could slow down, stop, or endanger the \nfunctions of the facility. This would result in not only serious \nproblems at that facility but potential cascading effects on other \nfacilities or processes that are dependent on the attacked facility. \nEven worse, terrorists could utilize SCADA systems for their own \nsinister motives--causing a pipeline to burst, opening flood gates on \ndams, or shutting down our electric supply, all without ever gaining \naccess to the facility.\n    Part of this hearing will be to understand the function of these \nsystems within the greater picture of our critical infrastructure and \nto understand the general vulnerabilities, consequences, and \ninterdependencies of these systems. 
Although there are literally \nthousands of SCADA systems across the U.S., not all of these control \nsystems involve industries or facilities that would be considered high \nrisk.\n    The threat to these systems has long been recognized and the \nFederal government, the private sector, and this country\'s best minds \nhave been working for years to address it. The second part of this \nhearing then, is to understand what progress has been made--at all \nlevels--to address these vulnerabilities.\n    We have a diverse panel of experts today, representing the Federal \ngovernment, the National Labs, the dam industry, the gas industry, and \nthe cyber industry. I look forward to hearing from all of you about \nyour ongoing efforts, and your views on what we need to do to further \nassist you in addressing SCADA security.\n    I am especially interested in hearing about the status of securing \nour dams. We have seen recently in New Orleans what can happen when \nnature overwhelms us, even with days of advance notice. The potential \nconsequences of an unanticipated attack could be far worse.\n    Again, I thank all of our witnesses for being here. I now recognize \nthe Ranking Member of the Subcommittee, the Gentle Lady from California \nMs. Sanchez, for any opening statement she\'d like to make.\n\n    Mr. Lungren. The Chair would recognize the Ranking Minority \nMember of the Subcommittee on Economic Security, Infrastructure \nProtection and Cybersecurity, the gentlelady from California \nMs. Sanchez, for any statement she may make.\n    Ms. Sanchez. Thank you, Mr. Chairman. And considering I am \nunder the weather today and we are pushed against votes, I, \ntoo, will hold my opening statement and submit it for the \nrecord so that we can hear from the witnesses today. Thank you.\n    Mr. Lungren. 
I thank the gentlelady, and her prepared \nstatement will be made a part of the record.\n    The Chair would now recognize the Chairman of the \nSubcommittee on Emergency Preparedness, Science and Technology, \nthe gentleman from Washington Mr. Reichert, for any statement \nhe may make.\n    Mr. Reichert. Thank you, Mr. Chairman. I, too, will \nwithhold boring you to death with my opening statement, and we \nwill ask that it be placed in the record. Thank you, and welcome to the \nwitnesses today.\n    [The information follows:]\n\n       Prepared Opening Statement of the Honorable David Reichert\n\n    Thank you, Chairman Lungren. I would also like to welcome everyone, \nespecially our witnesses, to this joint hearing.\n    We are here today to discuss a topic that affects our everyday \nlives, although many of us are never aware of it. Process and control \nsystems and the operations that they manage are critical to our Nation. \nThey enable us to have everything from clean drinking water and fuel \nfor our cars to electricity in our homes.\n    As a former law enforcement officer, I know firsthand that \nprevention is the best way to save lives and protect property. So, I am \nparticularly interested in our Nation\'s efforts to secure these \nsystems.\n    But, I also recognize that we can not expect to prevent every \nattack, especially in an environment as open and free-flowing as \ncyberspace. 
And, as we have seen in the aftermath of Hurricane Katrina, \nour ability to recover from an incident--whether natural or manmade--\ncan be just as important as our ability to detect and prevent it from \nhappening in the first place.\n    Part of the mission of the Department of Homeland Security\'s \nNational Cyber Security Division is to ``establish a National \nCyberspace Response System.\'\' Ideally, such a system will rapidly \nidentify and respond to cyber incidents and help mitigate against any \ndamage caused by malicious cyberspace activities.\n    So far, we have fortunately not yet experienced a serious cyber \nattack directed at the control systems that manage our Nation\'s \nelectrical grid, dams, and other critical plants. Undoubtedly, at some \npoint, our luck will run out. That is precisely why we must continue to \nemphasize prevention and response and develop more robust SCADA \nsoftware technology.\n    I am, therefore, keenly interested in learning more about the \nvulnerabilities of our SCADA systems, what the NCSD--in partnership \nwith the National labs and the private sector--has done to address such \nvulnerabilities, and the additional steps that need to be taken to \nestablish and implement a cyber response system.\n    Again, I want to thank all our witnesses for being with us today. I \nlook forward to your testimony on this important issue.\n    Thank you, Mr. Chairman, and I yield back the balance of my time.\n\n    Mr. Lungren. All members of the committee--the Chairman \nwould recognize the Ranking Minority Member of the Subcommittee \non Emergency Preparedness, Science and Technology, the \ngentleman from New Jersey Mr. Pascrell, for any statement he \nmight make. I would just inform the gentleman that we have all \nwaived our statements, but the gentleman may proceed as he \nwishes.\n    Mr. Pascrell. I will waive it.\n    Mr. Lungren. 
Your statement will be made--a prepared \nstatement will be made a part of the record.\n    [The information follows:]\n\n         Prepared Statement of the Honorable Bill Pascrell, Jr.\n\n    I want to thank Chairman Lungren and Chairman Reichert for holding \na hearing on an issue of vital importance to our national security.\n    Indeed, protecting America\'s critical control systems is a topic \nthat, I believe, has not received the attention it deserves. We know \nthat vulnerabilities within these systems are abundant, and we know \nthat the threat of a terrorist attack against these systems is real.\n    Congress needs to engage in robust analysis and oversight in this \nrealm; we need to help ensure the security of the various control \nsystems that are used in critical infrastructure--and I am heartened \nthat today two Homeland Security subcommittees are leading the charge.\n    Obviously this is something that affects all of us. But as a \nresident of New Jersey, I must say that this issue particularly \nresonates with me.\n    There are a number of areas in my state, for example, that contain \nkey assets on which the region\'s economy and community functioning \ndepend--including critical utilities that provide gas, electric power, \nwater and telecommunications services.\n    A cyber attack on one of New Jersey\'s four nuclear power plants, or \n100 chemical sites, for example, has the potential to be absolutely \ndevastating. Not only in terms of lives lost, but also in the regional \nand national economic destruction it could bring forth. 
This is \nserious, serious business.\n    Back in 2002, the National Infrastructure Protection Center \nreported that a computer belonging to an individual who had links to \nOsama bin Laden contained programs that clearly showed the individual\'s \ninterest in the structural engineering of various critical \ninfrastructures.\n    It also indicated that al-Qa\'ida members had sought information \nabout control systems from multiple websites.\n    With this knowledge, one would assume that Washington would take \nevery appropriate step, take every possible measure, and institute \nevery conceivable action to ensure that critical infrastructure would \nbe greater protected.\n    Inexplicably, this doesn\'t seem to be the case.\n    In fact, DHS as a whole has been slow in completing its critical \ninfrastructure protection policies.\n    In December 2003, President Bush issued Presidential Directive 7, \nestablishing a national policy for federal departments and agencies to \nprioritize critical infrastructure. DHS was charged with developing the \nNational Infrastructure Protection Plan (N.I.P.P.) to serve as the \nguide for protecting infrastructure.\n    The N.I.P.P. was due in December 2004. In February 2005, an \n``Interim plan\'\' was issued, setting a deadline of November 2005 for \nthe final plan. According to the GAO, the interim plan was incomplete: \nit lacked both national-level milestones and sector-specific security \nplans.\n    The plan remains incomplete to this day. We can\'t even get \nproposals ready in a timely manner. This is unconscionable.\n    I\'m also seriously concerned that the Department is not devoting \nenough manpower to this threat. According to an August 12th response by \nDHS to a request made by committee staff, there was only one full time \nemployee staffed exclusively to control system projects at the National \nCyber Security Division in the department.\n    One person. 
Surely it takes more than a single, lonely individual \nto effectively coordinate the public and private efforts in the control \nsystems field?\n    The fact is this: the threats and dangers to control systems are \nincreasing.\n    Standardized technologies currently being used have commonly known \nvulnerabilities allowing for easy exploitation. The connectivity of \ncontrol systems to other networks offers additional breaches in \nsecurity. Widespread public availability of technical information about \ncontrol systems continues to present a serious risk.\n    And the federal government isn\'t ready.\n    I look forward to the testimony from our witnesses today, and I \nhope that this hearing is the first in a series of actions our \ncommittee takes to ensure that control systems are as safe as they \npossibly can be.\n\n    Mr. Lungren. All Members are reminded that opening \nstatements may be submitted for the record.\n    [The information follows:]\n\n         Prepared Opening Statement of the Honorable Peter King\n\n    Thank you. And thanks to our witnesses for appearing before these \nSubcommittees today.\n    As Chairman Lungren pointed out--SCADA systems are an integral part \nof our critical infrastructure. These real time control systems operate \nour major industries that we rely on everyday, including our gas, \nwater, electric and oil facilities. They are integral parts of our \nefficient operation of these industries--and our National economy. \nSCADA systems control integral and vital processes of our \ninfrastructure with potential significant physical and public health \nramifications if they are shut down or misused. SCADA systems are \npart of the larger issue of cybersecurity and a vital component of \ncritical infrastructure protection.\n    Because these systems are connected to the internet or our \ntelephone network--these systems can be remotely accessed, and they are \neasily penetrated. 
These systems were created decades ago and were \ndesigned before security was as great a concern as it is now. Many \nsystems are not protected by basic security features, such as passwords \nor firewalls.\n    The good news is that there have been no reported terrorist cyber-\nattacks on domestic critical infrastructure control systems that have \nresulted in significant damage. This does not indicate that it is not \npossible or that terrorists are not interested in these \nvulnerabilities. There are reports that al-Qa\'ida computers found in \nAfghanistan contained information on structural analysis programs for \ndams and that these computers were used to search for information on \nSCADA systems specifically.\n    There have been cases of non-terrorist individuals breaking into \ncontrol systems and in some cases causing damage including an instance \nin Australia, in 2000 where a malicious former employee remotely \naccessed the control system of a sewage plant and discharged almost \n265,000 gallons of sewage into the local environment.\n    There are two things that we need to see happen. We need to be \nworking with industry and the National Labs to develop new secure \nsystems that can be put in as replacements or for new industries. But \nwe can not expect all of the owners and operators of SCADA systems to \nincur the expensive cost of replacing existing control systems. Rather, \nthe second thing we need to see--is procedures and protocols developed \nand distributed that can improve the security of these critical \nsystems. 
Utilizing encryption, installing security software on outdated \nsystems, training and educating employees on basic security procedures, \nthese things can be done to reduce the vulnerabilities without entirely \nreplacing the systems themselves.\n    I look forward to hearing from this panel on their thoughts on \nthese issues and what they have done specifically to improve the \nsecurity of the existing SCADA systems and the new SCADA systems being \nproduced. I know that DHS has worked with the National Labs and the \nDept. of Energy to develop programs to test existing systems, to model \ninterdependencies and vulnerabilities--but it is also evident that the \nprivate sector has not waited for the Federal government to provide \nguidance. I look forward to hearing from our private sector witnesses \nas well, as to their efforts to secure this vital component of our \nNational infrastructure.\n    Thank you again, and I look forward to your testimony and the \nopportunity to ask you questions.\n\n     Prepared Opening Statement of the Honorable Bennie G. Thompson\n\n    Thank you Mr. Chairman, Ranking Member Sanchez. I am glad we are \nhere today to consider this important issue.\n    SCADA systems perform vital functions in running much of our \nindustrial and critical infrastructure processes.\n    As technology continues to develop, this country will become more \nreliant on computerized control systems to perform these vital \nmonitoring functions.\n    It is imperative that the Congress and this Administration act \nquickly to solve the serious security problems that plague SCADA and \ncontrol systems.\n    The possibilities of a terrorist breaching a SCADA system are \nincredibly frightening.\n    Nuclear power plants--like the one located in Port Gibson, \nMississippi, in my District--can potentially be at risk.\n    Electric grids, water management systems, and oil and gas control \nsystems are also all at risk. 
Attacks can result in unquantifiable \nlosses of infrastructure, money, and lives.\n    The risks to control systems posed by a natural disaster, like \nHurricane Katrina, must also be considered.\n    The hurricane shut down the electrical grid along the Gulf Coast, \nthereby forcing two critical pipelines to shut down.\n    We\'re all still paying at the gas pump partially because of that \nfailure.\n    We spent the time, money, and energy building our critical \ninfrastructure systems; we must now spend the time, money, and energy \nto protect them.\n    As you all know, protecting SCADA and control systems requires a \ncommitment from two entities.\n    The private sector must continue to identify current security \nrisks, modify and adopt new encryption standards, and create new \ntechnologies to secure future systems.\n    It\'s also important for us here in Congress to determine what role \nthe federal government should play.\n    Should we provide incentives for SCADA systems to comply with best \npractices? Should we establish new guidelines for existing SCADA \nsystems?\n    Should we use the leverage the federal government has when buying \nSCADA systems for itself in order to create changes across the market, \nas Mr. Paller will testify about today?\n    In terms of current federal efforts, I am particularly concerned \nabout what the National Cyber Security Division at DHS is doing right \nnow.\n    I am glad that the director of the NCSD is here today to answer \nsome of those questions. Mr. Purdy, for example, I also want to hear \nmore about what the NCSD is doing to help DHS complete the cyber \nsecurity portions of the National Infrastructure Protection Plan. A \nfinal version of the NIPP was due last December. We are still waiting \nfor it.\n    I look forward to hearing from the members of this panel on all of \nthese issues.\n    Thank you Mr. Chairman.\n\n    Mr. Lungren. 
We are pleased to have a distinguished panel \nof witnesses before us today on this important topic. The Chair \nwould recognize Mr. Donald ``Andy\'\' Purdy, the Acting Director \nof the National Cyber Security Division of the U.S. Department \nof Homeland Security, to testify.\n    I would just mention to all of you we are under the gun, I \nam sorry about that, because of votes that we are going to \nhave. I would ask you to please restrict your oral statements \nto 5 minutes, and your prepared statements will be made a part \nof the record.\n\n STATEMENT OF DONALD ``ANDY\'\' PURDY, ACTING DIRECTOR, NATIONAL \n CYBER SECURITY DIVISION, U.S. DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. Purdy. Good afternoon, Chairman Lungren and \ndistinguished members of the committee. My name is Andy Purdy. \nI am the Acting Director of the Department of Homeland \nSecurity\'s National Cyber Security Division. I am pleased to \nappear before you today to share with you the work of NCSD to \naddress one of the significant threats to our cyberspace and \ncritical infrastructure, industrial control systems. In my \ntestimony today I will focus on our Control Systems Security \nProgram.\n    To carry out our mission and related responsibilities under \nthe National Infrastructure Protection Plan, we have identified \ntwo overarching priorities: to build an effective national \ncyberspace response system and implement a cyber risk \nmanagement program for critical infrastructure protection of \nwhich our control systems effort is an important risk \nmitigation effort.\n    The interdependency between physical and cyber \ninfrastructures is particularly acute in the use of control \nsystems as integral operating components by many of our \ncritical infrastructures. 
To assure immediate attention is \ndirected to protect these systems, we have established a \nControl Systems Security Program to coordinate efforts among \nFederal, State and local governments, as well as control \nsystems owners, operators and vendors, to improve control \nsystem security within and across all critical infrastructure \nsectors. As a key component of the program, in August, 2004, we \nestablished a U.S. Computer Emergency Readiness Team Control \nSystems Security Center in partnership with Idaho and Sandia \nNational Laboratories and other Department of Energy national \nlaboratories. The center\'s mission is to reduce the risk of \ncyberattacks on control systems, and it partners with control \nsystems industry associations, universities, vendors and \nindustry experts.\n    Our program encompasses five goals. First we seek to \nenhance the US-CERT capabilities for control systems security \nto coordinate incident management, provide timely situational \nawareness information, assess vulnerabilities, encourage \nvoluntary reporting and manage vulnerability and threat \nreduction activities.\n    Our second goal is to reduce control system cyber \nvulnerabilities in critical infrastructure. We have developed \nthe draft protection framework for identifying protection \nmeasures and comparing them against existing security \nstandards. In addition, the framework includes a self-\nassessment tool developed to allow owners and operators to \nperform on-site assessments against the database of categorized \nsecurity requirements. We will soon pilot the tool with \nmultiple infrastructure sectors and will assist selected \ncontrol systems owners and operators in using the tool at their \nsites.\n    Our third goal is to bridge industry and governmental \nefforts through participation in working groups, standards \ndevelopment bodies and user conferences. 
In partnership with \nthe Department of Homeland Security Science and Technology \nDirectorate, we chair the Process Control System Forum, which \nincludes industry, academia and government representatives. It \nis designed to accelerate the development of technology that \nwill enhance the security, safety and reliability of control \nsystems, including legacy installations.\n    Our fourth goal is to develop control systems security \nawareness and create a self-sustaining security culture within \nthe control systems community. A key element is our awareness \nworkshop program, which we began in May of this year and will \nhave completed approximately eight workshops by the end of this \nyear.\n    Our final goal is to make strategic recommendations for \nimprovements to future generation secure control systems and \nsecurity products. We have responsibility for developing \nrequirements for cybersecurity R&D projects to inform our \nScience and Technology Directorate\'s research priorities, and \nwe coordinate with S&T in the development of new technologies \nfor securing control systems and networks.\n    We have a robust effort underway with our partners to \naddress the security of control systems through our Control \nSystem Security Program. The efforts of our center toward \nrealizing the program goals has moved the ball forward in this \narena by increasing the control systems communities\' awareness \nof the need for cybersecurity and helping to provide them the \ntools and resources to secure their control systems. We \ncontinue to further these strategic goals through advancement \nof our key initiatives.\n    We are committed to achieving success in meeting our goals \nand objectives, but we recognize we cannot do it alone. 
We will \ncontinue to meet and work with industry representatives, our \ngovernment counterparts, academia and State and local \ngovernment to formulate and enhance partnerships needed for \nproductive collaboration, and leverage the efforts of all so we \nas a Nation are more secure in cyberspace and in our critical \ninfrastructure.\n    Again, thank you for the opportunity to testify to you \ntoday, and I look forward to answering your questions.\n    Mr. Lungren. Thank you very much, Mr. Purdy.\n    [The statement of Mr. Purdy follows:]\n\n             Prepared Statement of Donald (Andy) Purdy, Jr.\n\n    Good morning Chairman King and distinguished members of the \nCommittee. My name is Andy Purdy, and I am the Acting Director of the \nDepartment of Homeland Security\'s National Cyber Security Division \n(NCSD). I am delighted to appear before you today to share with you the \nwork of the NCSD to address one of the significant threats to our \ncyberspace and critical infrastructure--industrial control systems.\n    In my testimony today, I will provide an overview of NCSD\'s mission \nand goals, priorities, and partnerships, with a particular focus on our \nControl Systems Security Program. The Control Systems Security Program \naddresses the cyber security of industrial control systems that run the \noperational processes within the nation\'s critical infrastructure.\n\nDHS and Critical Infrastructure Protection\n    Over the course of the past several months Secretary Chertoff \nconducted a systematic evaluation of the Department\'s operations. On \nJuly 13th, Secretary Chertoff announced the results of that evaluation \nand outlined his six point agenda for the path ahead for the \nDepartment. As part of this agenda, the Secretary announced several \nDepartmental organizational changes. 
Among these was the creation of a \nnew Preparedness Directorate which would house a newly created office \nof the Assistant Secretary for Cyber Security and Telecommunications. \nAccording to Secretary Chertoff, ``Securing our cyber systems is \ncritical not only to ensure a way of life to which we\'ve grown \naccustomed, but more importantly to protect the vast infrastructure \nthese systems support and operate.\'\'\n    Currently, the Office of Infrastructure Protection (IP), located \nwithin the Information Analysis and Infrastructure Protection (IAIP) \nDirectorate, is responsible for all critical infrastructure and key \nresource protection. The Office of Infrastructure Protection has four \ncomponent divisions: (1) the Infrastructure Coordination Division \n(ICD), (2) the Protective Security Division (PSD), (3) the National \nCommunications System (NCS), and (4) the National Cyber Security \nDivision (NCSD).\n    In December 2003, President Bush issued Homeland Security \nPresidential Directive 7: Critical Infrastructure Identification, \nPrioritization, and Protection (HSPD-7), which established a national \npolicy for federal departments and agencies to identify and prioritize \nUnited States critical infrastructure and key resources and to protect \nthem from terrorist attacks. 
Among other things, HSPD-7 identified \nseventeen (17) \\1\\ critical infrastructure and key resource sectors and \nassigned responsibility for each to a Sector Specific Agency (SSA), \nwith DHS serving as the overall program coordinator.\n---------------------------------------------------------------------------\n    \\1\\ The NIPP identifies the following Critical Infrastructure \nSectors and Key Resources: Food and Agriculture; Public Health and \nHealthcare; Drinking Water and Wastewater; Energy; Banking and Finance; \nNational Monuments and Icons; Defense Industrial Base; Information \nTechnology; Telecommunications; Chemical; Transportation Systems; \nEmergency Services; Postal and Shipping; Dams; Government Facilities; \nCommercial Facilities; Nuclear Reactors, Materials, and Waste.\n---------------------------------------------------------------------------\n    Additionally, HSPD-7 set forth how DHS should address critical \ninfrastructure protection, including development of a ``summary of \nactivities to be undertaken in order to: define and prioritize, reduce \nthe vulnerability of, and coordinate the protection of critical \ninfrastructure and key resources.\'\'\\2\\ To meet this mandate, IP \ndeveloped the interim National Infrastructure Protection Plan (NIPP), a \nplan that is to serve as the guide for addressing critical \ninfrastructure and key resource protection. It sets forth a risk \nmanagement framework for public and private sector stakeholders to work \ntogether to identify, prioritize, and conduct vulnerability assessments \nof critical assets and key resources in each sector. It also includes \nthe identification of interdependencies of critical assets and key \nresources both within and across the sectors as well as providing \npriority protective measures that owners and operators of such assets \nshould undertake to secure them. 
Recognizing that more that 85 percent \nof the critical infrastructure is owned and operated by the private \nsector and that the development of public-private partnership is \nparamount to securing our nation\'s assets, private sector-led Sector \nCoordinating Councils (SCCs) are being established to work with their \nappropriate SSA via Government Coordinating Councils (GCC), which \nrepresent the government agencies that have a role in protecting the \nrespective sectors.\n---------------------------------------------------------------------------\n    \\2\\ Homeland Security Presidential Directive 7, December 17, 2003; \nhttp://www.whitehouse.gov/news/releases/2003/12/20031217-5.html.\n---------------------------------------------------------------------------\n    Currently, the Office of Infrastructure Protection is finalizing \nthe NIPP and it is expected to be released later this year. This \nfinalized document will refine the public-private partnership model and \na process for protecting our critical infrastructures from physical or \ncyber attack or natural disasters.\n\nDHS and Cyber Security\n    In June 2003, in response to the President\'s National Strategy to \nSecure Cyberspace, the Department of Homeland Security created the NCSD \nas a national focal point for cyber security. 
The national strategy \nestablished the following five national priorities for securing \ncyberspace:\nPriority I:A National Cyberspace Security Response System\nPriority II: A National Cyberspace Security Threat and Vulnerability \nReduction Program\nPriority III: A National Cyberspace Security Awareness and Training \nProgram\nPriority IV: Securing Government\'S Cyberspace\nPriority V: National Security and International Cyberspace Security \nCooperation\n    Given today\'s interconnected environment and DHS\'s integrated risk-\nbased approach to critical infrastructure protection, NCSD\'s mission is \nto work collaboratively with public, private, and international \nentities to secure cyberspace and America\'s cyber assets. To meet that \nmission, NCSD developed a Strategic Plan that establishes a set of \ngoals with specific objectives for each goal, and milestones associated \nwith each objective. The Strategic Plan goals, which are closely \naligned with the Strategy, HSPD-7, the NIPP, and the Cyber Annex to the \nrecently announced National Response Plan, are as follows:\n        1. Establish a National Cyberspace Response System to prevent, \n        detect, respond to, and reconstitute rapidly after cyber \n        incidents;\n        2. Work with public and private sector representatives to \n        reduce vulnerabilities and minimize severity of cyber attacks;\n        3. Promote a comprehensive awareness plan to empower all \n        Americans to secure their own parts of cyberspace;\n        4. Foster adequate training and education programs to support \n        the Nation\'s cyber security needs;\n        5. Coordinate with the intelligence and law enforcement \n        communities to identify and reduce threats to cyberspace; and\n        6. 
Build a world class organization that aggressively advances \n        its cyber security mission and goals in partnership with its \n        public and private stakeholders.\n    To meet these goals, NCSD is organized into four operating branches \nto address the various aspects of the risk management structure: (1) \nU.S. Computer Emergency Readiness Team (US-CERT) Operations to manage \nthe 24x7 threat watch, warning, and response capability that can \nidentify emerging threats and vulnerabilities and coordinate responses \nto major cyber incidents; (2) Strategic Initiatives to manage \nactivities to advance cyber security in critical infrastructure \nprotection, control systems security, software development, training \nand education, exercises, and standards and best practices; (3) \nOutreach and Awareness to manage outreach, cyber security awareness, \nand partnership efforts to disseminate information to key \nconstituencies and build collaborative actions with key stakeholders; \nand (4) Law Enforcement and Intelligence to coordinate with and share \ninformation between these communities and NCSD\'s other constituents in \nthe private sector, public sector, academia, and others, and also to \ncoordinate DHS efforts within interagency response and mitigation of \ncyber security incidents. Together, these branches make up NCSD\'s \nframework to address the cyber security challenges across our key \nstakeholder groups and build communications, collaboration, and \nawareness to further our collective capabilities to detect, recognize, \nattribute, respond to, mitigate, and reconstitute after cyber attacks.\n    The Strategy, HSPD-7, and the interim NIPP provide NCSD with a \nclear operating mission and national coordination responsibility. 
To \ncarry out this mission and its related responsibilities, NCSD has \nidentified two overarching priorities: to build an effective national \ncyberspace response system and to implement a cyber risk management \nprogram for critical infrastructure protection. Our focus on these two \npriorities and related programs addresses the overarching NIPP Risk \nManagement methodology and establishes the framework for securing \ncyberspace today and a foundation for addressing cyber security for the \nfuture.\n    Within the second priority, in addition to fulfilling our NIPP role \nas the Sector Specific Agency for the Information Technology (IT) \nSector and providing cross-sector cyber security guidance to all \nsectors, NCSD undertakes a cyber risk mitigation approach focused on \nthree key areas. These include the Internet Disruption Working Group, \nthe Software Assurance Program, and the Control Systems Security \nProgram.\n\nNCSD and Control Systems Cyber Security\n    The interdependency between physical and cyber infrastructures is \nhardly more acute than in the use of control systems as integral \noperating components by many of our critical infrastructures. ``Control \nSystems\'\' is a generic term applied to hardware, firmware, \ncommunications, and software used to perform vital monitoring and \ncontrolling functions of sensitive processes and enable automation of \nphysical systems. Specific types of control systems include Supervisory \nControl and Data Acquisition (SCADA) systems, Process Control Systems \n(PCS), and Distributed Control Systems (DCS).\n    Examples of the critical infrastructure processes and functions \nthat control systems monitor and control include energy transmission \nand distribution, pipelines, water and pumping stations, \ntelecommunications, chemical processing, pharmaceutical production, \nrail and light rail, manufacturing, and food production. 
Increasingly, \nthese control systems are implemented with remote access and \nconnections to open networks such as corporate intranets and the \nInternet. Older control systems that operated with manual components, \nvacuum actuators, and proprietary software are rapidly being upgraded \nwith modern computer systems. These sophisticated IT tools are making \nour critical infrastructure assets more automated, more productive, \nmore efficient, and more innovative, but they also may expose many of \nthose physical assets to physical consequences from new, cyber-related \nthreats and vulnerabilities.\n    Control systems represent an attractive target for malicious actors \nfor several reasons. First, they provide a possible avenue for \ninflicting physical, environmental, or economic harm to the nation from \na distance. Second, relatively mature attacking tools have been \ndeveloped and are available on the Internet. Finally, these tools can \nbe used with little technical expertise to attack control systems that \nare accessible from the Internet.\n    To assure immediate attention is directed to protect these systems, \nNCSD established the Control Systems Security Program to coordinate \nefforts among federal, state, and local governments, as well as control \nsystem owners, operators, and vendors to improve control system \nsecurity within and across all critical infrastructure sectors.\n    The Program incorporates five highly integrated goals to address \nthe issues and challenges associated with control systems security.\n        1. Coordinate control system incident management, provide \n        timely situational awareness information for control systems, \n        assess control system vulnerabilities, encourage voluntary \n        reporting, and manage control system vulnerability and threat \n        reduction activities by enhancing the US-CERT\'s capabilities \n        for control systems security;\n        2. 
Reduce control system cyber vulnerabilities in Critical \n        Infrastructure by establishing a proactive environment for risk \n        reduction and security assessments, to evaluate systems, and to \n        work with control systems owner/operators and vendors to \n        resolve vulnerabilities;\n        3. Bridge industry and governmental efforts through \n        participation in working groups, standards development bodies, \n        and user conferences to build cooperative and trusted \n        relationships and enhance control systems security efforts;\n        4. Develop control systems security awareness and create a \n        self-sustaining security culture within the control systems \n        community; and\n        5. Make strategic recommendations as to the funding, \n        development, and testing of next-generation secure control \n        systems and security products.\n\nGoal 1--Enhance US-CERT capabilities for control systems cyber security\n    Our control systems activities support NCSD\'s overall efforts to \naddress cyber security across critical infrastructure sectors over the \nlong term, as well as the US-CERT\'s capability in the management, \nresponse, and handling of incidents and vulnerabilities, and mitigation \nof threat actions specific to critical control systems functions. NCSD \nestablished the US-CERT Control Systems Security Center (CSSC) in \npartnership with Idaho National Laboratory (INL) and other Department \nof Energy (DOE) National Laboratories \\3\\ in August, 2004. Through the \nuse of Cooperative Research and Development Agreements (CRADA\'s) and \nother mutually benefiting agreements, the CSSC also incorporates \npartners from control systems industry associations, universities, \nvendors, and industry experts. 
The CSSC mission is to reduce the risk \nof cyber attacks on control systems, and as such, it provides \nfacilities and expertise to support the reduction of risk in critical \ninfrastructure through site and system assessments, demonstrations for \neducation and awareness, risk assessment and risk analysis, adversarial \nawareness, and coordination among the national laboratories.\n---------------------------------------------------------------------------\n    \\1\\ Pacific Northwest, Los Alamos, Argonne, Sandia, Lawrence \nLivermore and Savannah River\n---------------------------------------------------------------------------\n    Through its partnerships and technological improvement efforts for \nsystems and facilities, the CSSC has been maturing response \ncapabilities to support US-CERT with control system expertise. The CSSC \ncontinues to work with the US-CERT in enhancing their ability to \nprovide initial control system guidance and expertise, and a CSSC \nlimited access secure portal (https://us-cert.esportals.net/) has been \nestablished for information coordination and dissemination of cyber \nthreat and vulnerability alerts. A web site is under development to \nshare control systems security information with our cyber security \npartners and the control systems community. The web site, which will be \navailable in FY06, will also provide information, resources, and links \nfor owners and operators to effectively defend their control systems. 
A \n``Tier II\'\' support function will further support US-CERT by leveraging \nCSSC partners in incident response and vulnerability handling, and \nperforming in-depth evaluation of specific attacks or exploits and \ndetermining the impact on various operating systems, components, and \nvendor systems.\n    In FY06, CSSC will explore the need for establishing a trusted \nthird-party within academia to serve as a voluntary reporting center to \nencourage open communication among the private sector regarding \nemerging control system threats and exploits. As such, the CSSC is \ndeveloping a control systems incident management support tool to \nenhance US-CERT cyber threat notification efforts. It is designed for \nuse when a new vulnerability is detected and will enable the \nidentification of critical infrastructure at greatest risk to an \nidentified threat, thereby enabling the CSSC to rapidly notify the \nfacilities at the greatest risk. Owners and operators can then \nimplement protective measures as appropriate to reduce that risk and \nmitigate damage to their systems. It is important to note that the \neffectiveness of the tool is dependent on the acquisition of current \nowner/operator system data. NCSD continues to work with Sector Specific \nAgencies to obtain data from the various sectors necessary to utilize \nthe tool and maximize its benefits.\n\n    Goal 2--Reduce control system vulnerabilities in critical \ninfrastructure\n    To reduce control system vulnerabilities in our critical \ninfrastructure, CSSC developed a draft cyber security protection \nframework for identifying control systems security protection measures \nand comparing them against existing security standards. 
The cyber \nsecurity protection framework, which is based on the Common Criteria \nand an Industrial Control System Security Protection Profile developed \nby the National Institute of Standards and Technology, supports NCSD\'s \nmission to reduce cyber security risk within control systems. The \nframework provides a systematic methodology for assessing the cyber \nsecurity posture of control systems. It is designed to reduce the \nburden on owners and operators by providing them with a means to select \nprotective measures that apply to their specific architecture and \noperating environment and reduce their respective risk.\n    Application of the framework methodology results in a risk-based \nset of security measures. Risk is defined by DHS as Risk = Threat x \nVulnerability x Consequence. To calculate quantitative values for risk, \none must define the system of interest, establish attack-defense-\nfailure scenarios, and consider the consequences of a successful \nattack. Then, protection measures are identified to reduce risk. The \noverall goal is to provide a quantitative, traceable, and supportable \nvalue of risk.\n    As part of this framework, the CSSC also has capabilities at INL to \nperform vulnerability assessments of control systems. For example, the \nCSSC leverages the National SCADA Test Bed funded by DOE and operated \nin partnership with Sandia National Laboratories. Linkages with these \ntest beds and assessment facilities provides the CSSC with incoming and \noutgoing data traffic and communication channels necessary for the \nreplication of control systems (e.g., PCS, SCADA) and components. 
These \ntesting capabilities also support quick mock-ups of control systems \nand/or components to evaluate existing threats, vulnerabilities, and \nincidents as they are reported to the US-CERT.\n    The CSSC utilizes a unique ``plug and play\'\' patching system that \nallows engineers to assess systems or components in an environment \nsimulating the conditions found in industry to include multiple \ncommunication pathways and live incoming and outgoing control systems \nspecific data traffic. This allows for in-depth assessments of control \nsystems in a near true-to-life environment. The CSSC is working with \ncommercial vendors and DOE to complete assessments of three different \ncontrol systems to identify cyber vulnerabilities, reverse engineer \nexploits, and provide solutions to secure vendor systems. A code-based \nanalysis has also been conducted in cooperation with a vendor/\nmanufacturer to identify possible vulnerabilities and recommendations \nto secure the system.\n    Our adversaries are developing tools to hack into and take over \ncontrol systems, and we need greater collective awareness of those \ncapabilities to understand specific threats to and vulnerabilities of \nour control systems. As such, CSSC tracks information on current \ncontrol systems security trends and threats, review and assesses new \nvulnerabilities and exploits as they are discovered or reported, and \nconducts analysis to better understand adversarial tools and \ncapabilities. The CSSC considers specific exploit assessment scenarios \non control systems and ``reverse engineers\'\' exploits to provide \nsolutions to industry before an exploit is made public.\n    The cyber security protection framework also leverages best \npractices from industry for securing control systems against cyber \nattacks and organizes them so the control systems community can \nidentify specific solutions to their security vulnerabilities. 
As part \nof the framework, implementation tools, such as a ``self-assessment \ntool,\'\' have also been developed to allow owners and operators of \nindustrial control systems to perform on-site self-assessments against \na database of categorized security requirements. Each security \nrequirement is supported by recommendations for meeting the requirement \nand mitigating vulnerabilities within the architecture of that \nparticular control system. As new vulnerabilities emerge and associated \nsolutions are developed, the framework of security requirements will \nexpand and new protection solutions will be made available to the \ncontrol system community. The protection framework provides categorized \nand graded guidance, component by component, for improving cyber \nsecurity of control systems.\n    The draft security protection framework and its associated \nimplementation tools are ready for validation. NCSD will soon pilot the \nself-assessment tool with multiple infrastructure sectors and will \nassist selected control system owners and operators in using the tool \nat their sites. This effort will help owners and operators identify \nsecurity vulnerabilities within their systems, recommend solutions for \nreducing the risk of successful cyber attacks, and prioritize risk \nreduction efforts. The pilot effort will also allow NCSD to validate \nand enhance the self-assessment tool for future, widespread roll-out \nacross the control system community. NCSD is also working with PSD and \nother Sector Specific Agencies to ensure that concepts from the cyber \nsecurity protection framework are integrated into risk and \nvulnerability assessments across the sectors. 
For example, NCSD is \nworking closely with the American Society of Mechanical Engineers and \nPSD to incorporate cyber into the Risk Analysis and Management for \nCritical Asset Protection (RAMCAP) framework.\n\n    Goal 3--Bridge industry and governmental efforts through \nparticipation in working groups, standards development bodies, and user \nconferences\n    A primary objective of NCSD\'s Control Systems Security Program is \nto coordinate efforts among Federal, State, and local governments, as \nwell as control system owners, operators, and vendors to improve \ncontrol systems security within and across all critical infrastructure \nsectors.\n    In partnership with DHS\' Science and Technology (S&T) Directorate, \nNCSD chairs the Process Control System Forum (PCSF). The PCSF includes \nindustry, academia, and government representatives and is designed to \naccelerate the development of technology that will enhance the \nsecurity, safety, and reliability of control systems, including legacy \ninstallations.\n    In addition to the PCSF, the CSSC works to enhance private sector \nawareness through participation in industry association meetings, user \ngroups, and standards coordination work groups. For example, most \nrecently, representatives from CSSC participated in a Railroad \nAssociation meeting in Annapolis, Maryland, the Pacific Northwest \nEconomic Region 15th Summit, and the Interagency Forum for \nInfrastructure Protection in Portland, Washington. 
At all of these \ngatherings, attendees were provided with an overview of the CSSC \nprogram, capabilities, and with information on how they can participate \nand take advantage of what the CSSC program has to offer, including \nalert and informational bulletins, self-assessment and risk reduction \ncalculation tools.\n    CSSC has also established relationships with a number of industry \npartners, including partnerships designed to facilitate initial \nassessments and develop risk reduction plans in various industry \nsectors. Our private industry partners provide experience in \nunderstanding vulnerabilities and operational perspectives, and bring \nestablished contacts within the control systems community. \nSpecifically, they provide CSSC with control system expertise from \nvarious critical infrastructure sector perspectives; expertise and \nfeedback on assessment tools; subject matter expertise regarding \ndevelopment of security requirements and best practices; assessment, \nresearch, and risk assessment capabilities; and contacts and \nopportunities to interface with sectors.\n    CSSC is also working with control system vendors to provide \nequipment for assessments to be conducted at CSSC facilities. They \nassist in identifying vulnerabilities based on their experience and \nwork to resolve vulnerabilities in next generation and legacy systems \nas a result of assessments performed against their systems. A number of \nindustries (e.g., oil and gas, chemical, petro-chemical, electrical, \npower generation plant automation [coal, hydro, and gas fired plants], \nand transportation) are contributing to these CSSC efforts to reduce \ncyber vulnerabilities in control systems. 
Partnerships with members of \nthe control system community are designed to help NCSD better assist \nowners and operators secure their systems.\n\n    Goal 4--Enhance control systems security awareness\n    The NCSD is engaged in several activities designed to increases \nawareness and provide the tools and products necessary to enable the \ncritical infrastructures and key resources to secure their control \nsystems against cyber threats. A key element is CSSC\'s awareness \nworkshop program.\n    Our ``threat-brief, demonstration, and mitigations\'\' workshop has \nbeen well received by the control systems community. The first workshop \nwas held in May, 2005 at a PCSF meeting in Dallas, Texas. Since then \nadditional workshops have been held in Bellevue, Washington and Idaho \nFalls, Idaho. We anticipate that by late 2005, approximately eight \nworkshops will have been conducted. The workshops include a brief \noverview of the threat picture, a cyber vulnerability demonstration, \nand a discussion of mitigation steps. NCSD has found that cyber \nvulnerability demonstrations are an effective method to show the impact \nthat cyber attacks can have on their control systems and operations and \nthat cyber security is essential to protect them.\n\n    Goal 5--Make strategic recommendations for improvements to future \ngeneration secure control systems and security products\n    Cyber-related research and development (R&D) is vital to improving \nthe resiliency of the Nation\'s critical infrastructures. This difficult \nstrategic challenge requires a coordinated and focused effort from \nacross the Federal Government, State and local governments, the private \nsector, and academia to advance the security of critical cyber systems.\n    Two components within DHS share responsibility for cyber R&D. The \nScience & Technology (S&T) Directorate serves as the primary agent \nresponsible for executing cyber security R&D programs. 
NCSD has \nresponsibility for developing requirements for cyber security R&D \nprojects. NCSD supports the overall DHS R&D mission by identifying \nareas for cyber innovation and coordinating with S&T. NCSD collects, \ndevelops, and submits cyber security R&D requirements to provide input \nto the federal cyber security R&D community and specifically to inform \nthe DHS S&T Directorate\'s cyber security research priorities. NCSD \ncoordinates with S&T on the development of new technologies for \nsecuring SCADA systems and networks.\n    NCSD\'s Control Systems Security Program identifies R&D cyber \nsecurity requirements for legacy and next generation control systems \nand security products through US-CERT CSSC operational activities such \nas incident management, site and system assessments, and analyses. As \ndifficult problems which would benefit from advanced technological \nsolutions are discovered, requirements are identified and forwarded to \ncontrol systems vendors and DHS S&T for new R&D projects. Best \npractices, common vulnerabilities, and requirements for security \nstandards are also shared with the control systems community to promote \nenhanced security for legacy and new control systems.\n    DHS S&T manages the Congressionally directed funding for the \nInstitute for Information Infrastructure Protection (I3P). The I3P is a \nnational research consortium composed of more than two dozen research \nentities, including academic institutions, non-profits, federally \nfunded labs, and FFRDCs. In early 2005, the I3P launched a major \ninitiative focused on addressing the vulnerabilities of SCADA systems \nin the oil and gas industry.\n\nMoving Forward\n    NCSD has a robust effort underway to address the security of \ncontrol systems through our Control Systems Security Program. 
The \nefforts of the CSSC toward realizing the five goals the Program sets \nforth, including the enhancement of capabilities, initiatives to reduce \nvulnerabilities, and establishment of partnerships, have moved the ball \nforward in this arena by increasing the control system communities\' \nawareness of the need for control systems cyber security and providing \nthem the tools and resources to secure their control systems.\n    Many activities are planned for the near future, including:\n        <bullet> Developing and finalizing the CSSC portal and web site \n        to enhance capabilities and encourage greater information \n        exchange with the control system community.\n        <bullet> Supporting vulnerability assessments to determine the \n        cyber security posture of legacy and next generation control \n        systems at critical sites. Assessments will identify critical \n        components, threat vectors, and misconfigurations in hardware, \n        applications, and network topologies within our current \n        infrastructure and recommend protective measures. This \n        information will aid in determining the level of compliance \n        with current best practices and control system protection \n        framework requirements.\n        <bullet> Continuing to integrate CSSC activities, skills, and \n        capabilities to identify particular high risk cyber \n        vulnerabilities. Specifically, for FY06 high-risk system \n        vulnerabilities will be identified in at least two critical \n        infrastructure sectors and then security enhancements to \n        mitigate those vulnerabilities will be identified. Other site \n        assessments will be supported as appropriate to identify cyber \n        risks to control systems.\n        <bullet> Encouraging the voluntary implementation of security \n        measures. The CSSC will accomplish this through development of \n        a ``Business Case,\'\' beginning in FY06. 
Development of a \n        business case will demonstrate cost-benefit where the cost will \n        be represented as the cost of implementing countermeasures and \n        benefit will be the reduction of risk. Risk analysis is the \n        basis for the business case.\n        <bullet> Continuing to work with PSD and other Sector Specific \n        Agencies to integrate cyber security and control systems \n        security efforts into risk and vulnerability assessment efforts \n        such as Comprehensive Reviews, the Vulnerability Identification \n        Self Assessment Tool, and the Risk Analysis and Management for \n        Critical Asset Protection.\n        <bullet> Continuing to participate in forums and meetings to \n        raise awareness while conducting targeted outreach activities \n        in sectors and with senior executives to not only pilot and \n        validate our control systems protection framework and tools but \n        also to create an understanding among control system owners and \n        operators of the need for and importance of security.\n    We are committed to achieving success in meeting our goals and \nobjectives, but we cannot do it alone. We will continue to meet with \nindustry representatives, our government counterparts, academia, and \nstate and local representatives to formulate the partnerships needed \nfor productive collaboration and leverage the efforts of all, so we, as \na nation, are more secure in cyberspace and in our critical \ninfrastructures.\n    Again, thank you for the opportunity to testify before you today. I \nwould be happy to answer any questions you have.\n\n    Mr. Lungren. The Chair would now recognize Mr. Larry Todd, \nthe Director of Security, Safety and Law Enforcement for the \nBureau of Reclamation, U.S. Department of Interior, to testify.\n\n STATEMENT OF LARRY TODD, DIRECTOR OF SECURITY, SAFETY AND LAW \n  ENFORCEMENT, BUREAU OF RECLAMATION, U.S. 
DEPARTMENT OF THE \n                            INTERIOR\n\n    Mr. Todd. Thank you, Mr. Chairman and distinguished members \nof the subcommittee. I am pleased to appear before you today to \ntell you about the security of the control systems used by the \nBureau of Reclamation.\n    Reclamation uses SCADA systems as tools to enable us to \nmeet our mission of water delivery, power generation, flow \nmonitoring and water regulation. SCADA is used to control \noutlet works, valves at dams, to control hydroelectric \ngenerators and associated circuit breaker switches and \ntransformers, and to control pumps and gates on water delivery \nsystems and canals. However, we do not use SCADA controls to \noperate the spillway gates, nor for flood control operations.\n    Reclamation has a number of security features built into \nthe SCADA operation. For instance, no SCADA system is attached \nto the Internet, and therefore, the systems cannot be accessed \nby the Internet. There are software controls within SCADA \nsystems to protect against unauthorized operation, and on some \nfacilities we have mechanical controls that prevent operation \nbeyond set parameters. In addition, Reclamation regularly tests \nto ensure the connectivity does not exist.\n    To help identify physical and cyber vulnerabilities, \nReclamation uses independent organizations to evaluate our \nsecurity posture. We have had numerous investigations by the \nInspector General\'s Office, and they report that the SCADA \nsystems are operating in relative safety from potential \ncatastrophic cybersecurity threats.\n    In summary, Reclamation recognizes that SCADA plays a key \nrole in protecting critical infrastructure components. Where we \nemploy SCADA systems, we believe we have taken responsible \nsteps to ensure their security and safe operation. 
We also will \nemploy better assessment and protection tools as they become \navailable.\n    Thank you for this opportunity to describe Reclamation\'s \nuse of SCADA. I would be pleased to answer any questions the \ncommittee may have.\n    Mr. Lungren. Thank you very much, Mr. Todd.\n    [The statement of Mr. Todd follows:]\n\n                    Prepared Statement of Larry Todd\n\n    Mr. Chairman, my name is Larry Todd, and until recently I served as \nthe Director of Security, Safety, and Law Enforcement for the U.S. \nBureau of Reclamation. Established in 1902, Reclamation is known \nprimarily for the dams, power plants, and canals we have built and \noperate in seventeen western States. Reclamation is our Nation\'s \nlargest wholesaler of water, and its second largest producer of \nhydroelectric power. I am pleased to appear before you today to tell \nyou about the security of the control systems used by the Bureau of \nReclamation.\n\nReclamation\'s Supervisory Control and Data Acquisition (SCADA) Systems\n    Reclamation employs SCADA systems as tools to enable us to meet our \nmission obligations of providing essential services and commodities. \nThese obligations include electric power generation, flood monitoring, \nwater regulation, and water delivery. To accomplish these goals, \nReclamation controls water release gates and valves at dams; \nhydroelectric generators, circuit breakers, switches and transformers \nat power plants; and pumps and gates on waterways and canals.\n    Reclamation\'s SCADA systems collect information about our \nfacilities through transducers, converting information such as gate \nposition, reservoir level, hydroelectric generator output, and water \nflow to electrical signals for processing in the SCADA system\'s \ncomputers. Once in the computers, the information is examined for any \nunusual characteristics, such as whether it exceeds an expected value. 
\nWhen information does not meet expectations, alarms may be triggered to \ninform operations staff of the situation, enabling them to take \ncorrective actions. Reclamation\'s major SCADA control centers are \nmanned at all times, enabling operations staff to react to both normal \noperations and emergency situations 24 hours a day and 365 days a year.\n    Along with collecting information, Reclamation\'s SCADA systems also \nfacilitate our operations staff\'s reaction to normal and abnormal \noperational needs. They do this by supporting the supervised remote \ncontrol of our facilities. By providing the operations staff with \ninformation about the facility, informed decisions can be made quickly \nand the appropriate actions taken. The SCADA systems computers help to \nsupervise these decisions by ensuring that they meet safe operational \ncriteria.\n\nProtecting Reclamation\'s SCADA Systems\n    The focus of security efforts has changed since SCADA systems were \nfirst employed by Reclamation. In those early years SCADA design \nfocused almost entirely on the operational integrity of the SCADA \nsystems. In all cases where SCADA systems were permitted to control \nequipment, the safety and reliability of the control was examined and \nappropriate improvement measures were engineered and incorporated. This \nsupported safer equipment operation and permitted the disabling of \nSCADA control if necessary. This was done to protect the equipment and \nto ensure the safety of the public and Reclamation personnel in the \nevent of a SCADA malfunction. These safety measures acted independently \nfrom the SCADA system to ensure that the failure of the SCADA system \ndid not adversely affect the safety measures. If the safety of SCADA \ncontrol actions could not be ensured, additional steps were taken to \nlimit the degree of SCADA control or the control was not enabled. 
\nReclamation still follows these practices in implementing its SCADA \nsystems, providing a significant measure of operation security for its \nSCADA controlled facilities.\n    From the very beginning of Reclamation\'s use of SCADA systems, we \nhave maintained a policy of not connecting our SCADA systems to our \nadministrative networks. Today we adhere to that policy in all but the \nmost unusual of situations. All connections to SCADA systems are \nminimized. Reclamation does not connect its SCADA systems to the \nInternet and routinely tests to ensure that such connectivity does not \nexist. Wherever practical, connections to our SCADA systems do not use \nInternet-like protocols, instead employing simple, limited capability, \nserial protocols. Those connections that must be present and that use \nInternet-like protocols are protected by firewalls and intrusion \ndetection systems. Reclamation has adopted ``best practices\'\' and \nfollows the cyber security guidance outlined by the National Institute \nof Standards and Technology (NIST) in their Special Publications.\n    In addition, Reclamation has evaluated and improved both personnel \nand physical security at our SCADA facilities. We perform background \nchecks on key personnel and have ``hardened\'\' our facilities and \ncontrol rooms through the addition of various access controls. This \nincludes the access to our SCADA system control consoles.\n    To help identify physical and cyber vulnerabilities within the \norganization, Reclamation has invited independent organizations, \nincluding some represented by other panel members, to evaluate our \nsecurity posture. We have also supported numerous investigations by our \nInspector General\'s Office, some of which included limited penetration \ntesting of our SCADA systems. 
The Inspector General\'s FY05 management \nreport concluded that ``the SCADA systems are operating in relative \nsafety from potentially catastrophic cyber-security threats.\'\' To \nmaintain these results, we are continuously evaluating and implementing \nprudent and practical security improvements.\n\nActions to Improve SCADA Security\n    Despite our security successes so far, Reclamation believes we can \nstill take additional steps to improve the security of our SCADA \nsystems. These steps, specifically identified and addressed in internal \ndocuments, will create more rigorous testing processes, improve and \nincrease the frequency of security assurance reviews, and establish \nmore comprehensive security planning targets. We also favor additional \nsteps to improve the coordination of SCADA security efforts at both the \nFederal and private sector levels. Close coordination will assure \nconsistency of Federal and private sector standards and security \nguidance, and could also help ensure that an appropriately rigorous \nsecurity baseline is established for SCADA systems employed in \ndifferent industry segments, depending on the significance of the \ninfrastructure monitored or controlled.\n\nIn Summary\n    Reclamation recognizes that it plays a key role in protecting \ncritical infrastructure components, including dams, waterways, water \nresources, and electrical generation capability. Where we employ SCADA \nsystems to facilitate the control of these components, we believe we \nhave taken responsible steps to ensure their security and safe \noperation. We recognize that cyber security, as it applies to both \nadministrative and SCADA systems, requires continuous monitoring and \ndiligence. We believe our security program meets the challenges of \nthese requirements, but look forward to contributing to and employing \nbetter development, assessment, and protection tools and techniques as \nthey become available.\n\n    Mr. Lungren. 
The Chair would now recognize Mr. Sam Varnado, \nthe Director of Information Operations Center at the Sandia \nNational Laboratory, to testify.\n\n  STATEMENT OF SAM VARNADO, DIRECTOR, INFORMATION OPERATIONS \n               CENTER, SANDIA NATIONAL LABORATORY\n\n    Mr. Varnado. Thank you, Mr. Chairman and distinguished \nmembers of this committee. I am Sam Varnado from Sandia \nNational Laboratories, with laboratories in both California and \nNew Mexico.\n    First let me applaud the work the committee is doing. It is \nvery important to the well-being of our citizens and to the \nnational security. I am pleased to be part of it.\n    Today we are going to discuss SCADA systems. We are \nconcerned about these systems. We are very worried about them \nbecause successful cyberattacks on these systems could lead to \nserious consequences, which include loss of life, destruction \nof equipment that is hard to replace, environmental insult and \neconomic loss.\n    Let me give you one example. Mr. Chairman, in June of 1982, \na huge explosion occurred in the Siberian wilderness in the \nformer Soviet Union. The yield was estimated at 3 kilotons in \nthat explosion. In his book At the Abyss: An Insider\'s History \nof the Cold War, Thomas Reed attributes the monumental \nexplosion and resulting fire to a cyberattack on the SCADA \nsystem that controlled the Trans-Siberian pipeline. According \nto Mr. Reed, the pipeline software that ran the pumps, turbines \nand valve settings was programmed to produce pressures far \nbeyond those acceptable to the pipeline joints and wells. He \nfurther states that the malevolent software in this case was \nwhat we call today a Trojan. It had been implanted in the host \nsoftware by a foreign intelligence service. This episode \nillustrates the physical damage that can be created by \nattacking a cybersystem.\n    SCADA systems are the soft underbelly of our infrastructure \nprotection strategy in this country. 
The older stand-alone \nlegacy SCADA systems are highly vulnerable. Some of these \nvulnerabilities are listed in my written statement. But today \nthe trend is to replace those older systems with control \nsystems that use the Internet as the backbone. From a security \nstandpoint, this will make matters worse for the following \nreasons: First, U.S. computer networks are under daily attack, \nand adversaries are becoming more sophisticated. We are seeing \nstructured, well-resourced attacks that are designed to steal \ninformation or disrupt and/or deny processes. For example, the \nrecent Super Slammer, which was a fast worm, infected 60 \npercent of DOD\'s NIPRNet computers in 8 minutes.\n    Improvements in attack methods, particularly by \nsophisticated threats such as terrorist and nation states, are \noutpacing our activities in defensive countermeasures. The \ncontest between the attackers and the defenders is a dreadful \nmismatch with the advantage strongly in the attacker\'s corner.\n    Second, information technology vendors release on average \nfour new vulnerabilities each day at the same time new attack \nmethods are proliferating.\n    Third, we have no alternative to the use of commercial off-\nthe-shelf, or COTS, products in our information systems because \nof cost issues; therefore, most of the hardware and software we \nuse is manufactured in countries whose interests do not always \nalign with those of the United States. We are buying and \nembedding these products in very complex systems that we expect \nto be secure. We are essentially trying to build trusted \nsystems from untrusted components, and many of us wonder if it \ncan be done at all.\n    Fourth, most of the current emphasis in cybersecurity is on \nresponding to hacker attacks that exploit the inherent \nvulnerabilities that are present in all networked computer \nsystems. This effort is necessary and useful and should be \nincreased, but a longer-term view is needed. 
We need to put \nmore emphasis on addressing enterprisewide solutions and \nthreats from the more sophisticated adversaries.\n    My suggestions for addressing these problems are as \nfollows: First, reaffirm the concept of public/private \npartnerships, and encourage stronger collaboration among \ngovernment, industry, universities and national labs. We need \nto put more effort into sharing information on threats, \nvulnerabilities, consequences of outages, training and \ntechnology.\n    Second, extend these partnerships to include helping the \ninfrastructure owners make the business case for their \ninvestments in security upgrades.\n    Third, increase funding for cybersecurity technology to \naddress the new threat and vulnerability environment and to \nkeep the defensive efforts on par with the attack development \nactivities being conducted by our adversaries.\n    Fourth, establish and fully fund a concentrated effort to \nprovide defense against the sophisticated threat.\n    Finally, support the initiatives, directives and plans \ndescribed in several reports that DHS and the administration \nhave produced over the last few years.\n    Thank you, Mr. Chairman and members of the committee, for \nthe opportunity to address you today. I would be happy to \nanswer questions at the appropriate time.\n    Mr. Lungren. Thank you, Doctor.\n    [The statement of Mr. Varnado follows:]\n\n              Prepared Statement of Dr. Samuel G. Varnado\n\nIntroduction\n    Mr. Chairman and distinguished members of the committee, thank you \nfor the opportunity to testify on the vulnerabilities of, and threats \nto, Supervisory Control and Data Acquisition (SCADA) systems. I am Dr. \nSam Varnado, Director of Sandia National Laboratories\' Information \nOperations Center. I have more than thirty years of experience in \nenergy, information, and infrastructure systems development. 
I \ncurrently coordinate Sandia\'s activities in cyber security technology \ndevelopment, with special emphasis on critical infrastructure \nprotection applications.\n    Sandia National Laboratories is managed and operated for the \nNational Nuclear Security Administration (NNSA) of the U.S. Department \nof Energy (DOE) by Sandia Corporation, a subsidiary of the Lockheed \nMartin Corporation. Sandia\'s unique role in the nation\'s nuclear \nweapons program is the design, development, qualification, and \ncertification of nearly all the nonnuclear subsystems of nuclear \nwarheads. We perform substantial work in programs closely related to \nnuclear weapons--including intelligence, non-proliferation, and treaty \nverification technologies. As a multiprogram national laboratory, \nSandia also conducts research and development for other federal \nagencies when our special capabilities can make significant \ncontributions.\n    My statement will describe SCADA systems, identify some of the \nthreats they face, describe some of the cyber vulnerabilities of these \nsystems, discuss the consequences of disruptions, and explain Sandia\'s \ncontributions and capabilities in SCADA system security. I will also \ncomment on the gaps in current approaches to the problem, possible \nsolutions, and needs that Congress might choose to address.\n\nWhat Are SCADA Systems and How Are They Used in Critical Infrastructure \nApplications?\n    Both the national security of the United States and the well being \nof our citizens are highly dependent on the reliable operation of the \nnation\'s critical infrastructures. These infrastructures include \nelectric power, oil and gas, banking and finance, transportation, \ntelecommunications, and other networks. The operation of most of these \ninfrastructures is controlled by SCADA systems. These systems are \nhighly vulnerable to a wide range of threats, including terrorism. 
As \nan example, we have shown that it is possible to turn out the lights in \nmost major U.S. cities through cyber attacks on SCADA systems. \nDisruption of these systems by any means will result in substantial \neconomic loss, potential loss of life, long recovery times, and severe \ndisruption of the lives of our citizens.\n    We should note that we use the term ``SCADA\'\' to include all real-\ntime digital control systems, process control systems, and other \nrelated technologies. The control processes for each infrastructure are \nautomated systems that combine humans, computers, communications, and \nprocedures. Automated systems are used to increase the efficiency of \nprocess control by replacing high-cost personnel with lower cost \ncomputer systems. The widespread use of SCADA systems makes them \ncritical to the safe, reliable, and efficient operation of physical \nprocesses common to most infrastructures.\nHigh Level SCADA Vulnerabilities\n    SCADA systems have generally been designed and installed with \nlittle attention to security. Terrorist groups are aware of this. As \nnoted in an article in the June 27, 2002 Washington Post, these systems \nhave been targeted by al-Qa\'ida terrorists. Some government experts \nhave concluded that the terrorists hope to use the Internet as an \ninstrument of bloodshed by attacking the juncture of cyber systems and \nthe physical systems they control. The article further postulated that \ncombined cyber and physical attacks could produce nightmarish \nconsequences.\n    Sandia has been investigating vulnerabilities in SCADA systems for \nover ten years. During this time, many have been found. Our red team \nassessments show that security implementations are, in many cases, \nnonexistent or poorly implemented. Many of the older SCADA systems are \noperated in a stand-alone mode; that is, they are not connected to the \nInternet or to other corporate systems. 
Even so, these legacy systems \nhave vulnerabilities, including inadequate password policies and \nsecurity administration, no data protection mechanisms, and information \nlinks that are prone to snooping, interruption, and interception. When \nfirewalls are used, they are sometimes not adequately configured, and \nthere is often a ``back-door\'\' access because of connections to third-\nparty contractors and maintenance staff. We have found many cases in \nwhich unprotected remote access allows users to circumvent the \nfirewall. In addition, most of the SCADA manufacturers are foreign-\nowned.\n    In summary, it is easy for adversaries to take control of these \nlegacy systems and cause disruptions with significant consequences. \nToday, the legacy systems are gradually being replaced by new SCADA \nsystems that use the Internet as the control backbone. This change is \nbeing implemented to reduce cost and increase efficiency of operation. \nHowever, this trend substantially increases the possibility of \ndisruptions because (1) the number of people having access to the \nsystem is substantially increased, (2) disruptions can be caused by \nhackers who have no training in control systems engineering, and (3) \nthe use of the Internet exposes SCADA systems to all the inherent \nvulnerabilities of interconnected computer networks that are currently \nbeing exploited by hackers, organized crime, terrorist organizations, \nand nation states. Worms, viruses, network flooding, no-notice attacks \nthrough compromised routers, spyware, insider attacks, data \nexfiltration by outsiders who gain insider privileges (phishing), and \nDistributed Denial of Service attacks are all commonplace. Effectively \ncombating these attacks requires increased awareness, new technology, \nand improved response and recovery capabilities.\n    Especially vulnerable is the electric power grid. 
Under \nrestructuring, the grid is now being operated in a way for which it was \nnever designed. More access to control systems is being granted to more \nusers, the demand for real-time control has increased system \ncomplexity, and business and control systems are interconnected. In \nmany cases, these new systems are not designed with security in mind. \nMore vulnerabilities are being found, and the opportunities for \ndisruptions are increasing rapidly. The complexity of the systems and \nthe high degree of interdependency among the infrastructure sectors can \nlead to cascading failures in which failures in one sector can \npropagate to others.\n    Sandia has identified the vulnerabilities of SCADA systems and \nsummarized them in a report--``Common Vulnerabilities in Critical \nInfrastructure Control Systems\'\'--that is available from our Center for \nSCADA Security website (http://www.sandia.gov/scada). The report \nidentifies the vulnerabilities that we uncovered in our red team \nassessments of systems in use by a diverse set of customers from the \nelectric power, petroleum, natural gas, and water infrastructures. This \ndocument has been made available to other government agencies and to \nprivate industry.\n\nSCADA Threats\n    Sandia performs vulnerability assessments using a red team process \nthat models adversarial capabilities and approaches. It is essential to \nview SCADA systems from an adversarial perspective in order to identify \ntheir important vulnerabilities. We use adversarial modeling as a way \nof understanding threats from different political, social, and \nmotivational structures so that relevant characteristics may be \nutilized to identify the classes of attacks that each adversary might \nbe able to launch. 
Hackers, organized crime, cyber terrorists, and \nnation states are examples of different classes of adversaries with \nvarying capabilities and attributes.\n    We consider two basic categories of adversaries: ``outsiders\'\' and \n``insiders.\'\' It is generally the goal of an outsider to acquire the \nattributes of an insider through such means as hijacking connections, \npassword sniffing, and identity theft. Most U.S. critical \ninfrastructure owners and operators have only a passing knowledge of \nthe nature of the adversaries\' capabilities. Consequently, the level of \nprotection is low and the probability of significant disruptions is \nhigh. Critical infrastructure owners and operators need to increase \ntheir awareness of both the vulnerabilities and the threat. They also \nneed training in network defense, information about improvements in \ncyber security technology for control systems, and timely updates on \nthreat information.\n\nSCADA Attack Consequences\n    The consequences of disruptions to SCADA systems are numerous, \nexpensive, and varied. Two examples are presented here simply to make \nthe point that we must start thinking seriously about the security of \nSCADA systems.\n    In his book, At the Abyss: An Insider\'s History of the Cold War, \nThomas C. Reed (former National Security Council member and Air Force \nSecretary) reported that in June 1982 the CIA, through exploitation of \nsoftware transferred to the Soviet Union, created a damaging attack on \nSoviet pipeline systems. The software that was used to run the pumps, \nturbines, and valves of the pipeline was programmed to malfunction \nafter a specific time interval. The malfunction caused the control \nsystem to reset the pump speeds and valve settings to produce pressures \nbeyond the failure ratings of the pipeline joints and welds. The result \nwas the largest non-nuclear explosion and fire ever seen from space. 
\nThere were no physical casualties, but the goal of economic damage was \nmet. This story is an excellent example of the type of attack that can \nbe accomplished by a nation state.\n    In January 2003, when the SQL Slammer worm began attacking computer \nnetworks around the world, users of the business network at Ohio\'s \nDavis-Besse nuclear power plant began to notice a network slowdown. \nInvestigation revealed the worm had spread from the plant\'s business \nnetwork to its operations network, causing enough congestion to crash \nthe computerized panel used to monitor the plant\'s most crucial safety \nindicators. Minutes later, the Plant Process Computer, another \nmonitoring system, crashed as well. The plant\'s firewall had initially \nblocked Slammer, but the worm still managed to reach the plant through \na high-speed connection from an unsecured contractor\'s network. Had the \nplant\'s operations network been properly protected from either the \ncontractor\'s network or the plant\'s own business network--or had the \nplant operators installed Microsoft\'s patch to prevent the Slammer \ninfection (released six months earlier)--the infiltration would not \nhave happened. Fortunately, the incident did not result in disaster \nbecause the plant was off-line at the time, for regular maintenance, \nand the crashed monitors were being backed up by analog counterparts.\n    These two incidents exemplify the potential consequences of \ninadequate cyber security processes. We should regard them as warnings.\n\nSandia\'s Contributions to Critical Infrastructure Control System \nProtection\nSCADA Security and Standards\n    During the Clinton administration, Sandia was heavily involved in \nsupporting the President\'s Commission on Critical Infrastructure \nProtection. That activity, along with our experience in providing \nsecure information systems for nuclear weapon command and control \nsystems, provided impetus for our initial work in SCADA security. 
We \nbegan our work with laboratory directed research and development (LDRD) \nfunds, and we initiated development of a laboratory SCADA test bed in \n1998. At that time it was difficult to convince others of the \nimplications of SCADA vulnerabilities, so we also engaged the standards \ncommunity. Standards are necessary for improving the security of \ndistributed, networked systems. Because many SCADA equipment \nmanufacturers are foreign owned, the only way to provide trusted \nsystems is through the application of standards. Sandia was designated \nby the DOE to be the U.S. representative to the International \nElectromechanical Committee standards working group, TC57. We are \nexpanding our efforts, in collaboration with other national \nlaboratories, by engaging other standards groups like AGA 12-1 \n(``Cryptographic Protection of SCADA Communications\'\'), API 1164 (``API \nSecurity Guidelines for the Petroleum Industry\'\'), and ISA SP99 \n(``Manufacturing and Control System Security\'\'), as well as various \nIEEE working groups.\n    Sandia maintains strong research and development programs in \ncryptography, network security, secure network architecture design, \nwireless network security, threat assessment, and intelligent agent-\nbased security approaches. This work is coordinated by our Center for \nSCADA Security, which was established in 2000.\n\nRed Team and Assessments\n    Sandia also performs vulnerability assessments of critical \ninfrastructure systems from both cyber and physical security \nperspectives. We have completed vulnerability assessments of a number \nof dams in the western United States. We have also assessed the \nvulnerability of networks used by a number of banks and by the \nStrategic Petroleum Reserve. We have worked with the electricity and \noil and gas sectors to improve the robustness of their SCADA systems. 
\nAs a result of these experiences--as well as our own strategic \nplanning, our LDRD investments, and the foresight of sponsors to invest \nresources toward critical infrastructure protection--Sandia was in a \nposition to immediately address some of the urgent needs following the \nevents of 9/11.\n    For example, we quickly developed a self-assessment methodology \ncalled RAM-W for water treatment facilities; this effort was sponsored \nby both the Environmental Protection Agency and the American Water \nWorks Association Research Foundation. We also developed training \nclasses on assessing SCADA systems for use in training our own staff. \nWe now provide this training to industry, and we promulgate best \npractices to industry for securing SCADA systems. These and other \ncontributions to critical infrastructure protection are possible \nbecause of strategic planning conducted years ago that led to early \ninvestment in the capabilities needed to respond. We also continue to \ninvest LDRD funds in areas of urgent need. Examples include the \nintegration of cyber and physical security technology, cryptographic \nsolutions for SCADA system communications, modeling and simulation of \ninfrastructure elements, secure control of micro-grids, SCADA \nforensics, and application of new network security technologies to \nSCADA systems.\n\nPartnering Activities\n    In 2004, the DOE and the National Energy Technology Laboratory \nfunded the National SCADA Test Bed (NSTB), which is an activity of the \nCenter for SCADA Security at Sandia. Sandia and Idaho National \nlaboratories were designated as co-leads of this effort. Other partners \ninclude Argonne National Laboratory, Pacific Northwest National \nLaboratory, and the National Institute of Standards and Technology. The \ngoals of the NSTB are to raise awareness of, and demonstrate the need \nfor, improved security. 
The approach is to demonstrate credible threats \nagainst critical infrastructures and conduct vulnerability assessments \nof SCADA systems. We also develop, in collaboration with industry, risk \nmitigation strategies for current SCADA systems. We are developing new \narchitectures for future secure infrastructures, and we are supporting \nthe development of national guidelines and standards for secure SCADA \ndesign and implementation.\n\nInternal Sandia Programs\n    A number of Sandia facilities support the SCADA security effort, \nincluding the Distributed Energy Technology Laboratory, which provides \na platform to test the control of operational generation and load \nsystems. We also have a Network Visualization Laboratory that provides \nboth visualization and network modeling capabilities, a Cryptographic \nResearch Facility that supports research and development of \ncryptographic methods for SCADA networks, an Attack Resource Center \nthat provides tools to attack and analyze SCADA vulnerabilities, and an \nAdvanced Information Systems Laboratory that supports research and \ndevelopment of intelligent agent technologies that may provide self-\nhealing infrastructures in the future.\n    Sandia also sponsors a nationally recognized College Cyber Defender \nprogram that trains university students to protect electronic \ninformation and defend computer systems and networks from cyber \nattacks. The program encourages a pipeline of qualified candidates in \nthe fields of cyber security and protection to address Homeland \nSecurity and national security needs.\n\nResearch\n    The Department of Homeland Security has funded the Institute for \nInformation Infrastructure Protection (I3P) to conduct research in \nSCADA security in order to improve the robustness of the nation\'s \ninterdependent critical infrastructures. 
Sandia is the team lead for \nthis project, which includes faculty and staff from ten institutions \nindividually recognized for their expertise in cyber security and \ncritical infrastructure research: Sandia, University of Virginia, New \nYork University, University of Tulsa, Pacific Northwest National \nLaboratory, Massachusetts Institute of Technology\'s Lincoln Laboratory, \nSRI International, MITRE, University of Illinois at Urbana-Champaign, \nand Dartmouth College. The institute is presently researching the \nfollowing six high-priority tasks:\n        Task 1: Assess dependence of critical infrastructures on SCADA \n        and its security.\n        Task 2: Account for the type and magnitude of SCADA \n        interdependencies.\n        Task 3: Develop metrics for the assessment and management of \n        SCADA security.\n        Task 4: Develop inherently secure SCADA systems requirements.\n        Task 5: Develop cross-domain solutions for information sharing.\n        Task 6: Transfer technology of these solutions into industry.\n    The institute represents the type of collaboration needed among \nprivate stakeholders, academia, government agencies, and national \nlaboratories to solve the complex problem of SCADA security.\n\nSuggestions for Addressing Critical Infrastructure Control System \nProblems\n    Private industry owns about eighty-five percent of U.S. critical \ninfrastructure assets. Industry, therefore, has a key role in \nimplementing protection strategies. Currently, the business case (i.e., \nreturn on investment) for industry to invest in increasing the security \nof their information systems has not been convincingly made. Part of \nthe reason is that no one has been able to clearly define a specific \nthreat. In the past, industry has demonstrated its willingness to \ninvest in protection when faced with a specific threat. 
The best \nexample of this is the hard work and dedicated effort that industry \nprovided to counter the Y2K threat.\n    Although we know that many threats exist, specific details are \nelusive. It may be that we will need to take a consequence-based \napproach--rather than a threat-based approach--to provide the rationale \nfor the business case. This approach would involve identification of \nspecific portions of information systems affected by specific attacks. \nIt would require vulnerability assessments, analyzing the consequences \nof disruptions in economic terms, and defining and implementing \noptimized protection strategies based on risk assessments. The national \nlaboratories use sophisticated means to develop simplified assessment \nand risk survey processes, like the RAM-W work at Sandia. Risk \nassessment methodologies can quickly and more broadly identify the \ncurrent security conditions and help decision-makers plan the most cost \neffective steps to improve a particular infrastructure\'s security \nposture. Increased emphasis should be placed on public-private \npartnerships in order to make this process efficient.\n    When considering solutions, the difference between levels of \nthreats needs to be considered. The current emphasis by industry is to \ntry to eliminate inherent vulnerabilities that are present in all \nnetworked computer systems. Hackers and hacker coalitions view these \nvulnerabilities as low-hanging fruit. They exploit them to steal \ninformation and identities and/or to deny or disable processes. There \nis recent evidence that organized crime is also exploiting these \nvulnerabilities for extortion purposes. Academia and the industrial \ninformation security groups are working to provide technology solutions \nto counter the lower level threat. Until those solutions arrive, all \ncritical infrastructure providers should apply best practices for \ndefense against inherent system vulnerabilities. 
These practices should \ninclude development of security policy as well as technology solutions \nto provide a sustainable security environment.\n    At the same time, terrorists and nation states are developing \nattack methods that are much more sophisticated, often covert. We need \nnew efforts to identify, characterize, and counter these threats. \nPerhaps this is the proper role for government agencies with technical \nsupport from the national laboratories. In that case, the government \nagencies and national laboratories that are working on high-end \ndefensive solutions will need to establish a plan for technology \ntransfer to industry, because the methods used by today\'s sophisticated \nadversary will at some point be available to the lower level threat \ncommunity.\n    It is clear that successful defense of the nation\'s infrastructure \nwill require increased interagency cooperation. For example, the \nDepartment of Defense (DoD) has a vital interest in the reliable and \nsecure operation of the nation\'s critical infrastructures because the \nU.S. military depends on both domestic and international \ninfrastructures to conduct its missions. Thus the DoD has a keen \ninterest in protecting the SCADA systems that monitor infrastructures, \nand cooperation with other U.S. agencies will be vital to its mission \nsuccess.\n    The Department of Homeland Security (DHS) is already working with \nthe DOE on cooperative interagency projects like the National SCADA \nTest Bed and the DHS\'s SCADA security programs. These two agencies \nshould continue their cooperative efforts to ensure that work is \ncoordinated effectively, all threats are considered, the best \ntechnology is used, and duplication of effort is avoided. 
The \ncollaborations and partnerships called for in Homeland Security \nPresidential Directive 7 (Critical Infrastructure Identification, \nPrioritization, and Protection), along with the roles and \nresponsibilities described there, are key to accomplishing these goals.\n\nRecommendations\n        <bullet> Reaffirm the concept of public-private partnerships \n        and encourage participants to share information on threats, \n        vulnerabilities, consequences of outages, training, and \n        technology. Extend these partnerships to assist industry in \n        making the business case for investments in security upgrades.\n        <bullet> Increase funding for improvements in cyber security \n        technology, for example: tools for high speed intrusion \n        detection systems, software assurance, attack attribution and \n        trace-back, security modeling of existing and proposed SCADA \n        systems, network visualization for mapping cyber disruptions, \n        triage of threat scenarios across many vectors, and methods for \n        assuring the reliable performance of COTS products.\n        <bullet> Establish and fully fund additional work that provides \n        defense against sophisticated threats.\n        <bullet> Continue Congressional support of the initiatives and \n        directives described in the National Strategy for the Physical \n        Protections of Critical Infrastructures and Key Assets, the \n        National Strategy to Secure Cyberspace, Homeland Security \n        Presidential Directive 7, the Interim National Infrastructure \n        Protection Plan, and associated Sector Specific Plans.\n    Thank you, Mr. Chairman. I would be pleased to respond to any \nquestions you may have.\n\n                              ATTACHMENTS\n\n           Supplemental Statement of Dr. 
Samuel Glenn Varnado\n\n                      Sandia National Laboratories\n\n    Summary of Major Points\n        <bullet> The nation\'s infrastructure is highly vulnerable to \n        cyber threats. Supervisory Control and Data Acquisition (SCADA) \n        systems are prime targets for hackers, terrorists, and nation \n        states.\n        <bullet> U.S. computer networks are under daily attack. \n        Adversaries are becoming more sophisticated. We are seeing \n        structured, well-resourced attacks that are designed to steal \n        information or disrupt and/or deny processes.\n        <bullet> Information technology vendors release four new \n        vulnerability announcements each day. At the same time, new \n        attack methods are proliferating. For example, Super Slammer, a \n        fast worm, infected 60% of the Department of Defense\'s (DoD\'s) \n        NIPRNET (Unclassified but Sensitive Internet Protocol Router \n        Network) machines in eight minutes.\n        <bullet> Most of the current emphasis in the cyber security \n        community is on responding to hacker incidents. This effort is \n        necessary and useful; however, the work has a short-term focus. \n        We must mature our thinking in the area of enterprise-wide \n        network defense strategies. In addition, more complicated \n        threats such as terrorism and nation state actors must be \n        addressed.\n        <bullet> We have no alternative to the use of Commercial Off \n        the Shelf (COTS) products in all our information systems. Most \n        of these hardware and software products are manufactured in \n        countries whose interests do not always align with those of the \n        United States.\n        <bullet> We must understand that we will be attacked. 
What are \n        the implications of that understanding, and what strategies do \n        we have in place to operate through the attacks in order to \n        implement recovery and response activities?\n        <bullet> We need to expand our investment in cyber security \n        technology development in order to address the new threat and \n        vulnerability environments.\n        <bullet> We must encourage more public-private partnerships to \n        share threat, consequence, and vulnerability data and to \n        implement cost effective security solutions.\n        <bullet> We must help industries develop a business case for \n        their investment in SCADA security.\n        <bullet> Sandia National Laboratories has been working to \n        improve the security of SCADA systems for over ten years. We \n        have invested laboratory directed research and development \n        (LDRD) and other appropriate sponsor-provided funds into \n        technologies that have direct application to homeland security \n        and infrastructure protection.\n\n    Mr. Lungren. The Chair would now recognize Dr. K.P. Ananth, \nAssociate Laboratory Director for National Homeland Security at \nthe Idaho National Laboratory, to testify.\n\n   STATEMENT OF K.P. ANANTH, ASSOCIATE LABORATORY DIRECTOR, \n   NATIONAL AND HOMELAND SECURITY, IDAHO NATIONAL LABORATORY\n\n    Mr. Ananth. Thank you, Chairman Lungren and distinguished \nmembers of the homeland security subcommittee. I am K.P. \nAnanth, Associate Lab Director for National and Homeland \nSecurity at the Idaho National Laboratory, a DOE national lab. \nIt is a pleasure for me to appear before you to represent the \nwork carried out at INL in support of our national efforts to \nprotect critical infrastructure. 
In this testimony I will give \nyou a short summary of our unique capabilities related to \nSCADA, critical infrastructure protection, and cybersecurity, \nthe work we do and the challenges we face.\n    For the last half century, INL has played a key role in the \nenergy security and national security of the U.S. through its \npioneering work in nuclear reactors, nuclear power and nuclear \nship propulsion, and, as a result, developed a significant \ninfrastructure with one-of-a-kind test beds and facilities on a \nsecure 890-square-mile complex in Idaho. The written testimony \nprovides details on many of the facilities, but I will focus \nhere on those assets directly related to improving \ncybersecurity and a critical infrastructure protection mission.\n    Process control systems in SCADA at the INL include a 61-\nmile, 138-kilovolt transmission line with seven substations and \na power distribution control center, a pilot chemical plant, \nand significant cybersecurity capabilities. We have 10 SCADA \ntest beds with plug-and-play capabilities that a system might \nneed for evaluation. These test beds are secure to protect \nvendor systems and information and have connectivity to the \ntest range.\n    Additionally, we work with the global commercial vendors \nsuch as ABB, AREVA, GE, Siemens and others, and we enable our \nwork through these vendor systems to look at the system \nvulnerability and to improve cybersecurity.\n    Additionally, INL\'s low radio frequency background, \ncombined with our NTIA status and access to major telecom \nvendors, enables INL to address risks and improve robustness of \ncommunication links. This portfolio of unique test beds \ncomplemented with our experienced staff and our collaborators \nin the national laboratories, academia and industry serve as a \nnational resource for critical infrastructure protection.\n    Now I will touch upon the key programs we have and results. 
\nThe DHS program known as US-CERT Control Systems Security \nCenter is aimed at improving control systems security across \nall critical infrastructure sectors. Key accomplishments \ninclude design of a cybersecurity framework and self-assessment \ntool for industry that is being validated by industry and NIST. \nThis will be piloted in fiscal year 2006.\n    We support US-CERT in handling control systems-specific \nincidents and events, preparing bulletins and support for \nreported events. We have expanded the cyber test bed with three \nfully functioning systems and tested control systems of vendors \nshowing vulnerabilities and shared them with industry. We have \nprovided training and tabletop demonstrations at 9 U.S. \nlocations to 460 end users.\n    The DOE program known as the SCADA Test Bed performs \ntesting and analysis focused on the energy sector. We have \nidentified key vulnerabilities in four major control systems \nused in the electric sector and worked with vendors to develop \nfixes. We have shared findings with over 200 representatives of \n100 major industry owner user groups through invited \nparticipation. We provided SCADA security NERC-certified \ntraining and other courses to over 350 participants. Through \nthese programs we have helped industry develop and deploy more \nsecure digital control SCADA systems and evaluated technology \nfrom providers representing 80 percent of the control systems \nmarket for the electric grid.\n    Now I will move on quickly to the challenges. Increased \nconnectivity. As my colleague mentioned here, control systems \ntoday are susceptible to security threats due to open industry \nprotocols and access to control systems information via public \nnetworks, legacy systems. Many of the older control systems \nwith long life cycles did not consider cybersecurity; hence, \nthey are vulnerable.\n    Deregulation. 
Utility deregulation has increased the number \nof entities involved in the power life cycle, from generation \nto transmission, distribution, marketing and billing. \nConsequently there is increased connectivity and increased \npotential for cyberattacks via corporate networks.\n    Offshore reliance. Again, cost pressures and technology \nsupport constraints have driven companies to go abroad, again \ncausing security vulnerabilities.\n    And the need for information sharing is also critical.\n    Although these challenges are numerous, they are \nsurmountable, and we have got some recommendations that are in \nthe written testimony that you will see.\n    Mr. Chairman and distinguished members of the group, we \ninvite you to visit Idaho, see the test bed and the work we do \nin supporting the Nation\'s infrastructure problems. Thank you.\n    Mr. Lungren. Thank you very much, Doctor.\n    [The statement of Mr. Ananth follows:]\n\n                 Prepared Statement of Dr. K.P. Ananth\n\n    Chairman Lungren and distinguished members of the Homeland Security \nSubcommittee:\n    I am Dr. K. P. Ananth, Associate Laboratory Director for National \nand Homeland Security at the Idaho National Laboratory (INL), a DOE \nnational laboratory. It is a privilege and honor for me to appear \nbefore you to represent the work being carried out at INL in support of \nour national efforts, undertaken in both the federal and private \nsectors, to protect U.S. critical infrastructure. In this testimony, I \nwill give you a brief background on INL and its mission, and a summary \nof our unique capabilities as they relate to Supervisory Control and \nData Acquisition (SCADA), Critical Infrastructure Protection (CIP) and \nCyber Security. 
I will also discuss key federal and commercial programs \ncarried out at the Laboratory to support industry and end users, and \nidentify the challenges we face along with some recommendations.\n\nINL and its Mission\n    The Idaho National Laboratory had its origin as the National \nReactor Testing Station in 1949 in Idaho Falls with a mission to \ndesign, engineer, develop a prototype, and test an electricity \nproducing nuclear reactor. Within two (2) years, in December 1951, INL \nsuccessfully demonstrated the first electric power reactor and, soon \nthereafter, developed the first prototype nuclear reactor for the \nnuclear submarine Nautilus. For more than 50 years, the laboratory has \nbeen a critical asset within the National Laboratory system as an \nengineering, prototyping and testing resource, with 52 reactors built \nand operated on the 890 square mile reservation in southeastern Idaho. \nBeginning in the 1950s, the Laboratory began to support major \nDepartment of Defense programs, including training of thousands of Navy \nnuclear operators; earlier the Laboratory was involved in the \ndevelopment and testing of naval guns and ordnance. In 1985, the \nLaboratory was selected to produce armor for the Army\'s Abrams tank \nusing depleted uranium, and earlier this year we successfully completed \nour twentieth anniversary on the program.\n    To support these varied missions, INL has developed a significant \ninfrastructure on the Idaho desert. INL carries the distinction of a \nvast, remote, and secure heavily-invested site complex with ``one-of-a-\nkind\'\' test beds and facilities for nuclear research and development \n(R&D), explosives detection and testing, unmanned aerial and ground \nvehicles payload testing, physical security, cyber security and \ncritical infrastructure protection. 
Mindful of the rich assets at INL, \nthe Department of Energy issued a Request for Proposal (RFP) in 2004 to \nmanage and operate INL with the mission of ensuring the nation\'s energy \nsecurity with safe, competitive, and sustainable energy systems and \nproviding unique national and homeland security capabilities. Two areas \nwere specifically called out within national and homeland security for \nthe Laboratory: nuclear nonproliferation and critical infrastructure \nprotection. On February 1, 2005, the new contract to operate the \nLaboratory was implemented, making the critical infrastructure \nprotection mission of the Idaho National Laboratory unique within the \nNational Laboratory system. We are hard at work fulfilling this \nmandate.\n    Today I will focus on how we are leveraging our efforts with DHS \nand DOE in the area of improving control systems security across all \ncritical infrastructure sectors by reducing cyber security \nvulnerabilities and risk.\n\n    INL\'s Unique Assets\n    With more than five decades of experience in establishing, \ndeveloping and maintaining critical infrastructure systems, INL has \ncreated several recognized and integrated capabilities to provide real \nsolutions to our customers in critical infrastructure protection and \ncyber security. INL has focused in three major areas--process control \nsystems, cyber security, and wireless technology.\n    Process Control Systems (PCS) and SCADA--Our location and \noperational infrastructure provides the ultimate proving ground for \nanalysis and assessment of real-world critical infrastructure \ncomponents. INL has become the logical home for significant portions of \nthe National SCADA Test Bed and has become the focal point for research \nand testing of control systems and cyber security with a direct benefit \nof increasing the security of these systems. 
INL operates a power \ndistribution control center, a pilot chemical plant, and 61 miles of \n138 kV transmission line with seven substations and a dedicated control \nroom on our 890 square mile site. It is the combination of this \ninfrastructure, a program with current access to commercial control \nsystems from principal global vendors (e.g., ABB, AREVA, GE, METSCO, \nMicro Motion, [Emerson], Rockwell Automation, Siemens), and our \nresearch expertise and partners that enables us to conduct offline and \nfull-scale testing in a real life environment. This unique capability \nis helping to research and develop solutions that will strengthen our \nnation\'s industrial control systems and physical components of our \ninfrastructures from attacks by viruses, hackers, and terrorists.\n    Cyber Security--the INL Cyber Security Group\'s intimate familiarity \nwith various hacker methodologies enables us to generate exploits and \nassessment tools for use in testing the security of Critical \nInfrastructure control system environments. Focused on multi-tier \nattack vectors and full spectrum threat actors, the team provides a \ncredible representation of cyber threats and then conducts cutting edge \nresearch into advanced mitigation strategies and solutions. Coupled \nwith our academic and industry partners in this area, we are striving \nto effectively address current challenges while advancing the state-of-\nthe-art in detecting hacker signatures. We have invested resources to \nexplore the cyber security vulnerabilities of Portable Electronic \nDevices (PEDs) technology. 
INL is pursuing commercial and government \npartnerships to address vulnerabilities in PEDs technology because \nthese devices are becoming more prolific and have crept into new \ncontrol systems.\n    Wireless Technology--INL\'s Wireless Test Bed and telecommunications \ninfrastructure provides access to advanced, next generation \ncommunication technology and current communication systems to analyze \nvulnerabilities, analyze new protocols and operational performance, and \ndevelop risk mitigating solutions. INL\'s location providing a low RF \nbackground, our National Telecommunications and Administration (NTIA) \nexperimental radio station status, full-scale isolated communications \nnetworks, and ability to connect to functional systems has attracted \nindustry (e.g., Bechtel Telecommunications, Nokia, AT&T Wireless) and \ngovernment customers. Bechtel Telecom, through a Cooperative Research \nand Development Agreement (CRADA), has made a significant investment at \nthe Laboratory in this area. These attributes afford us the unique \nopportunity to holistically analyze both performance and risk of entire \nsystems, develop wireless security solutions for our nation\'s complex, \ninterconnected infrastructures, and improve robustness of communication \nlinks for emergency responders.\n    The importance of these core assets can not be overlooked, \nrepresenting a national resource that provides access to control system \nhardware and applications, functioning transmission and distribution \nassets, wireless local and metro area networks, advanced radio, \nmicrowave, fiber optic and satellite communications, mesh networks and \npersonal electronic devices (PEDs). Additional assets include unmanned \naerial vehicles (UAVs), explosives detection, testing and blast \nmitigation systems. 
Perhaps more importantly, our current network of \nindustry participants and top shelf researchers across the nation \nenable INL to address the most challenging issues in CIP.\n    These are the elements--housed in our comprehensive test range, \ndesigned to be full-scale in nature, representative of real world \ninfrastructures and capable of being isolated--that uniquely position \nthe federal government, national laboratories, and industry to be \nsuccessful in identifying and managing risk to our nation\'s critical \ninfrastructure. To the best of our knowledge, there is no similar \nfacility in the world. And, the cache of over 100 experienced \nscientists, engineers, and technicians working in INL\'s SCADA/Cyber \nSecurity groups are aware of the great responsibility that comes with \nmanaging these resources and the significance of our mission to assist \nin securing the control systems of our nation\'s critical \ninfrastructure. With this knowledge, we have focused on developing \nextensive collaborations on our programs and continually strive to \nbring the best-in-class institutions to help in developing solutions to \nthis complex challenge. 
Our collaborators in this area include other \nnational laboratories, National Institute of Standards and Technology \n(NIST), American Society of Mechanical Engineers (ASME), \nInstrumentation Systems and Automation Society (ISA), Carnegie Mellon \nUniversity (CMU), Dartmouth University (DU), University of Idaho (UoI), \nBritish Columbia Institute of Technology (BCIT), and others such as \nNorth American Electric Reliability Council (NERC), Electric Power \nResearch Institute (EPRI), Chemical Industry Data Exchange (CIDX), \nDecision Analytics Corporation (DAC), KEMA Consulting and Bearing \nPoint.\n\nKey Programs Conducted at INL and Results Achieved\n    Our two primary programs in Cyber Security and Critical \nInfrastructure Protection are with the Department of Homeland Security \nNational Cyber Security Division and Department of Energy Office of \nElectricity Delivery and Energy Reliability. INL is supporting both \nprograms with a team of talented people from other national labs, \nacademia and industry based on their best-in-class core competencies \nand the needs of the program.\n    The DHS program is known as the ``US-CERT Control Systems Security \nCenter (CSSC) Program.\'\' This program is aimed at improving control \nsystems security across all critical infrastructure sectors by reducing \ncyber security vulnerabilities and risk. One of the key tasks of this \nprogram was the design of a cyber security protection framework \nconsisting of a comprehensive set of requirements, graded \nrecommendations/solutions, and automated self-assessment tools for all \nsectors to use to enhance the security of their control systems (e.g., \nSCADA, DCS) against cyber attack. The draft framework was issued in \nJuly 2005 and reviewed with 20 industry control systems and cyber \nexperts; and a second review occurred in August with several key \nindustry security managers. Comments to date have been:\n        ``. . . 
framework provides a centralized, organized approach \n        to Control System security. . .\'\'\n        ``. . . provides actionable recommendations. . .\'\'\n        ``. . . provides a benchmark and metrics for cyber security \n        protection. . .\'\'\n        ``. . . will help consolidate the efforts by the Standard \n        bodies. . .\'\'\n        ``. . . provides for cross platform standardization across \n        vendor products. . .\'\'\n        ``. . . impressed with the automated self-assessment tools \n        that will measure improvement over time. . .\'\'\n    We have plans to work with NIST and ISA over the next three months \nto assist us in implementing the cyber security framework for self \nassessment. We will also work with facilities in several key sectors in \nFY-06 to pilot and validate the framework. A key component of the self \nassessment will be a risk reduction tool that helps companies \nprioritize vulnerabilities that are found when assessing requirements \nand potential consequences.\n    Additionally, the program also developed a quick response cell to \nsupport US-CERT in handling control system specific incidents/events. \nWe have assisted in preparing cyber security bulletins and providing \nTier II support for reported events to the US-CERT.\n    Over the last two years, we have collaborated with DHS and DOE to \nsignificantly increase the capabilities of our extensive cyber test \nbed. This capability includes ten (10) SCADA test beds and three (3) \nfully functioning systems that are ready and are currently testing \nvendor systems and specific tools to reduce cyber vulnerabilities. On \nthe CSSC program, we are currently testing three (3) vendor control \nsystems and have already identified significant vulnerabilities on the \nfirst two systems. 
The vendors are evaluating the results and our \nrecommendations.\n    The purpose of this program is to reduce risk to key infrastructure \nfrom cyber attack by enhancing the security of control systems. To that \nend, we have developed a risk assessment methodology for control \nsystems to measure vulnerability reduction and we have developed \ndecision analysis tools. We have started validating these tools by \nanalyzing test results and attack scenarios.\n    Our industry outreach efforts provide unique training by \ndemonstrating how an attack may propagate through the business system \nto critical control systems with an emphasis on how to mitigate the \neffects of such an attack. These awareness demonstrations and training \nactivities are ongoing with positive feedback from industry and \ngovernment participants. The tabletop demonstrations have included live \ndemonstrations of attacks/effects on small scale representative control \nsystems for chemical and electric system processes and demonstrations \nof attack mitigation strategies. We have held these demonstrations at \nnine (9) venues across the U.S. with over 460 end users participating \nfrom a wide variety of industries to include control systems/cyber \nsecurity organizations and federal, state and local government \nagencies.\n    Through this program, we are also providing SCADA and process \ncontrol security training for the protection of dams and hydroelectric \nfacilities to system users in the Department of Interior\'s Bureau of \nReclamation.\n\n    The DOE program, known as the ``National SCADA Test Bed (NSTB),\'\' \nperforms testing and analysis of SCADA systems representative of those \nused throughout the energy sector to identify, validate and reduce \ncyber vulnerabilities. The second objective is to identify best \npractices for design and deployment of secure control systems and to \nsupport institutionalization of those best practices in government and \nindustry standards. 
The NSTB is a joint effort between Sandia National \nLaboratory and Idaho National Laboratory. The NSTB effort is managed by \nthe INL and includes Pacific Northwest National Laboratory (PNNL), \nArgonne National Laboratory (ANL), and the SCADA vendor community (ABB \nNetwork Management, AREVA T&D Automation, GE Energy Management Systems, \nSiemens Power Transmission and Distribution), as well as computer \nsystem vendors such as IBM, HP, and Sun Systems. Key accomplishments on \nthis program include:\n        <bullet> The NSTB has identified SCADA vulnerabilities in the \n        four systems INL has tested, worked with the SCADA vendors to \n        define/develop fixes where needed, and verified the fixes \n        through follow-on testing. SCADA vendors have improved new \n        releases and developed patches to mitigate significant security \n        weaknesses. These risk reducing actions will directly benefit \n        many of the nation\'s critical infrastructure organizations.\n        <bullet> We have shared the findings from these SCADA system \n        vulnerability assessments, in various levels of detail, with \n        over 230 representatives from 100 major industry owner/user \n        organizations through invited presentations at SCADA vendor \n        users\' group meetings.\n        <bullet> We have issued detailed test reports of the SCADA \n        assessments to the respective vendors. One of the vendors is \n        sharing their assessment report, under tight non-disclosure \n        agreements, with all interested users.\n        <bullet> Through the participation of SCADA vendors who have \n        been willing to loan their systems to INL on the NSTB program \n        for an extended time, we have established an extensive, \n        representative environment for searching out typical security \n        vulnerabilities and for testing solutions.\n    We developed and presented a NERC-certified training course on \nSCADA security. 
Based on feedback from the initial presentation of \nvarious courses (NERC and others) to over 350 participants, we are \nexpanding the content and are now responding to requests for additional \npresentations.\n\n    Commercial Programs--INL has helped industry develop and deploy \nmore secure digital control/SCADA systems, through vulnerability \ndiscovery, validation and mitigation, standards development and secure \nsoftware technology.\n    Specifically, the INL managed National SCADA Test Bed Program \n(NSTB) has worked with global control system software vendors to \npromote more secure, innovative installation and implementation of \ntheir products, where such efforts are consistent with recognized \nindustry guidelines and best practices. The program has discovered \nexisting weaknesses in deployed systems as well as design weaknesses in \nfuture control systems. The program has evaluated technology from \nproviders representing 80% of the electrical grid control system \nmarket, working closely with engineering teams of four (4) global \nproviders.\n    We have worked with control system owners and operators across \nmultiple sectors to evaluate and enhance security of existing \ntechnology deployments. These companies took advantage of the unique \nknowledge-base and trusted relationships at the Lab as an important \nelement to their overall approach to critical systems risk management. \nCompanies have also turned to us when things go wrong with the systems \nto assist in evaluating particular events to determine if directed or \nnon-directed attacks might have occurred.\n    With most of the critical infrastructure residing in the private \nsector we felt it was appropriate to submit just a few comments from \nthe asset owners themselves. These perspectives come from private \nsector organizations from the trenches to the executive offices best \ndemonstrating the value of government sponsored CIP initiatives at INL:\n        1. 
David Norton, Transmission IT Security program manager for \n        Entergy--New Orleans (the second largest generator of \n        electricity in the U.S. delivering electricity to 2.7 million \n        customers), wrote ``We are in dire need of INL, its mission, \n        and its uniquely qualified staff. I know of no other entity in \n        North America doing anything like what they are doing in the \n        field of SCADA control system security, and certainly not to \n        the level of excellence that I and my peers in the industry \n        have witnessed.\'\'\n        2. Cheryl Santor, Information Security Manager, Metropolitan \n        Water in California (one of the largest water systems servicing \n        5,200 square miles in Los Angeles, Orange, San Diego, \n        Riverside, San Bernardino and Ventura Counties with 18 million \n        customers), wrote ``The INL provides a knowledge base from \n        which all organizations using SCADA and Process Controls can \n        benefit. . . .in order to secure their critical resources.\'\'\n        3. Phil Harris, CEO of PJM (Ensuring the reliability of the \n        largest centrally dispatched Control area in North America by \n        coordinating the movement of electricity in all parts of \n        Delaware, Illinois, Indiana, Kentucky, Maryland, Michigan, New \n        Jersey, North Carolina, Ohio, Pennsylvania, Tennessee, \n        Virginia, West Virginia, and the District of Columbia), wrote \n        ``PJM feels it is important that the Electric Sector, as a \n        Critical Infrastructure support INL and the work they do. There \n        is no substitute or other entity that is providing such quality \n        service of such national importance.\'\'\n        4. 
Another utility security executive from American Electric \n        Power recently testified to the value provided by INL through \n        the DHS and DOE program: ``The electricity industry is \n        interested in continuing to work closely with DOE on the work \n        being done at the Idaho National Laboratory. We believe it \n        holds great promise as one of the best and most efficient means \n        of stimulating research and developing technical solutions to \n        the present shortfalls in cyber security.\'\' [Hearing Before the \n        United States House of Representatives Science Committee, \n        September 15, 2005].\n\nKey Challenges in CIP and Cyber Security\n    As a result of operating and testing infrastructure systems, \nworking with control system vendors and end users, INL is keenly aware \nof the key challenges in protecting critical control systems and the \npotential solutions to these complex challenges to ensure the security \nof our nation\'s critical infrastructure.\n\n<bullet> Increased Connectivity--The use of open systems and more \ncommon technology combined with greater system access and available \nsystem knowledge has changed the risk profile of SCADA systems. These \nsystems evolved in a less connected world relying on proprietary \ntechnologies which provided a sense of ``security through obscurity\'\' \nin the past. The control systems of today are more susceptible to \nsecurity threats than before with SCADA vendors increasingly moving \ntoward open industry standard protocols and platforms, system owners \nand operators providing greater access to market and accounting \nsystems, regulatory requirements to share information and make systems \navailable to all market participants and the greater use of public \nnetworks and wireless communications.\n\n<bullet> Interdependencies--A further challenge arises from the \nreliance on telecommunication as an integral part of the overall \ncontrol system. 
If SCADA and Energy Management Systems (EMS) are the \nbrain stem and receptors of a control system, then Telecommunications \nrepresents the intricate network of nerve pathways that connects these \noperational assets, providing the means by which to deliver the control \ninstructions and update system status. [The following provides a useful \nreference: Cyber Security: A Crisis of Prioritization, President\'s \nInformation Technology Advisory Committee, February 2005]\n\n<bullet> Complexity--A particular challenge is the complex and \ninterconnected nature of critical control systems which can be found \nacross many of the critical infrastructure sectors from directing \nadvanced manufacturing systems to controlling the North American \nelectric grid. If we focus on energy production and delivery, we find \nProcess Control Systems (PCS) and specifically SCADA systems are used \nextensively throughout the electric, oil, and gas sectors to monitor \nand control processes that generate, transmit, transport and distribute \nenergy.\n\n<bullet> Legacy Systems--A significant portion of the control system \ntechnology in place today in many installations is old. These legacy \nsystems were designed to operate over long lifecycles and were not \ndesigned with cyber security in mind. Hence, they are vulnerable to \ncyber attack and, in many cases, difficult to protect. In order to \nsignificantly lower the risk, we need to understand legacy system \nvulnerabilities and develop cost effective means to mitigate them \nwithout relying on new system deployments.\n\n<bullet> Deregulation--Market forces, to include deregulation in the \nelectric utility industry have increased the number of entities \ninvolved in the power life cycle from generation through transmission, \ndistribution, metering, and billing; thus increasing reliance on and \naccuracy of information from third parties. 
Correspondingly, this has \ncome with increased connectivity with outside vendors, customers, and \nbusiness partners which have eroded the sanctity of the network \nperimeter. More connections through the perimeter inherently introduce \nmore threats into the corporate networks.\n\n<bullet> System Accessibility--The convergence of power company \nnetworks and the demand for remote access to these systems has rendered \nmany SCADA systems accessible through non-SCADA networks. Specifically, \nconnections between the grid and corporate networks for reporting \npurposes and outage management interfaces have the potential to expose \nthe grid network to the threats experienced by the more common business \nnetwork. [The following provides a useful reference: U.S.-Canada Power \nSystem Outage Task Force, August 14th Blackout: Causes and \nRecommendations, April 2004].\n\n<bullet> Offshore Reliance--Cost pressures and technology support \nconstraints have increased reliance on offshore development and system \nmaintenance, thereby increasing the risk of intentional or \nunintentional security vulnerabilities. This risk is amplified as a \nresult of ineffective/non-enforceable cyber laws in the respective \noffshore countries.\n\n<bullet> Information Sharing--Finally, competitive pressure, legal \nliability risk and the lack of information protection mechanisms pose a \nsignificant barrier to information sharing between critical \ninfrastructure stakeholders. This has significantly impeded the \ndiscovery and understanding of control system vulnerabilities, as well \nas the reporting of real-world incidents. [The following provides a \nuseful reference: CRS Report for Congress &ndash; Government Activities \nto Protect the Electric Grid, October 2004]. On the other hand, the \nknowledge revolution that has accompanied the Internet makes it easy to \nlocate specific information regarding SCADA and automation systems. 
For \nexample, ``over 90% of major SCADA and Automation vendors have all of \ntheir manuals and specifications available online to the general \npublic\'\' (SCADA Security Strategy, PlantData). Easy access of such \ninformation to potential threat actors is a concern.\n\nRecommendations\n    These challenges, although numerous and complex, are surmountable. \nThere is an urgent need to accelerate the research, development, \ntesting, and application of advanced control systems to enhance cyber \nsecurity across the energy and other sectors. This need transcends \nindividual companies, energy subsectors, and even the private sector. \nToward this end, the Department of Homeland Security and the Department \nof Energy are supporting programs to facilitate and support risk \nreducing solutions. We, at INL, are focused on providing solutions to \nthis key national need and have some recommendations for meeting the \nchallenge.\n\nSCADA/Cyber/Telecom Interconnect--We, as a nation, should develop an \ninterdependent and inclusive view of control systems to include not \nonly the SCADA systems but the cyber and Telecommunications functions \nthat support them to ensure secure electrical power and industrial \nprocesses. SCADA, Cyber Security, and Telecommunications are areas \nwhere we must integrate research and testing efforts to understand how \nvulnerabilities impact the entire system. We at INL are already engaged \nwith the telecommunication firms on interoperability and bandwidth \nissues, and we see the SCADA/Cyber/Telecom interconnectivity as the \nnext area of pursuit.\n    The 21st Century could be characterized as a globally \ninterconnected ``flat world\'\' (courtesy of Tom Friedman), which means \nhierarchical systems have to yield to horizontal and partnership-based \nenterprises. 
To that end, critical infrastructure protection, cyber \nsecurity, and telecommunications particularly call to attention the \ninterdependence between providers and markets so industries have a \nresponsibility to work across sectors, and the same holds for the \nfederal government. Furthermore, in the event of a manmade or natural \ndisaster as in Katrina, active coordination across sectors is vital for \ntimely response and expeditious recovery.\n\nMinimum Standards--The electric sector, being at the hub of all, is \nactive in securing its cyber and physical resources. Interim cyber \nsecurity standards are in place in the electric sector, and they are \nmoving through the approval process for a permanent, more expansive CIP \nstandard. The final product should strengthen cyber security across the \nelectric sector and lay the groundwork for greater collaboration \nbetween industry and government. Similar efforts are underway through \nCIDX and much work remains to be done in all sectors of our \ninfrastructure.\n\nDevelop Risk Assessment Tools--The federal government should continue \nto invest in the development of tools and provide required information \nto assist control systems security professionals to identify and \naddress risk. Education and awareness efforts should be focused on \ndeveloping an accurate understanding of risk to control systems. The \nNSTB Program and the CSSC program are both actively addressing this \nneed and risk mitigation steps are beginning to be implemented at the \nuser level.\n\nFixing Legacy Systems--Some type of incentive, either at the vendor \nlevel or user level, will go a long way to implement cyber security in \nlegacy process control systems. 
Coupled with independent third party \ntesting of the control system, through programs such as NSTB and CSSC, \nlegacy systems could be upgraded with protective measures.\n\nInformation Protection--The electric infrastructure is one of the most \ncritical infrastructures servicing the nation and maintaining our way \nof life. Certain technical, architectural and operational aspects and \ndetails must be kept secure so they will not be inadvertently disclosed \nto those who would try to disrupt or destroy our social, political or \neconomic fabric. Yet there is a need to share the security aspects of \nthe information with government and industry peers for benchmarking \npurposes while preserving competitive advantages. The same challenge \napplies to other sectors as well. This is an area where the use of \ntrusted independent third party entities might prove beneficial and \nacceptable to all parties and merits further discussion.\n\nConcluding Statement\n    Mr. Chairman and distinguished Members of the Committee, we at \nIdaho National Laboratory are fully committed to delivering on this \nimportant national mission, and alongside DHS, DOE, and industry, we \nwill strive to make our Laboratory the Center of Excellence in critical \ninfrastructure protection to help end users. We welcome you to visit \nthe Idaho National Lab to see firsthand the solutions we are providing \nto make our infrastructure safer. Again, I thank you for the \nopportunity to share these comments with you.\n\n    Mr. Lungren. The Chair would now recognize Dr. William \nRush, institute physicist at the Gas Technology Institute, to \ntestify.\n\nSTATEMENT OF WILLIAM RUSH, INSTITUTE PHYSICIST, GAS TECHNOLOGY \n                           INSTITUTE\n\n    Mr. Rush. Good afternoon, Mr. Chairman and members of the \ncommittee. I would like to thank you very much for letting me \ntestify on what I think is a really important topic. I am Bill \nRush. I hold a Ph.D. 
in physics, and for the past 27 years I \nhave been with the Gas Technology Institute, or GTI. I also \nchair the American Gas Association\'s Encryption Working Group, \nwhich is charged with developing cryptographic protection for \nSCADA communications.\n    Today I am going to update you on the nuts and bolts of \nwhat it is that we have done to protect against cyberattack and \nrecommend some specific steps for improving SCADA security.\n    As you know, attacks against SCADA are of concern because \nSCADA is the remote control, if you will, of a network. It \ncontrols the circuit breakers and the valves. It is the actual \n``reach out and grab things\'\' part of the system. Most systems \nwere designed before security was regarded as a serious concern \nand as a result are poorly protected against cyberattack. One \nteam of U.S. network experts was into a SCADA system within 15 \nminutes.\n    Can cyberattack have real consequences? Absolutely. As Dr. \nVarnado pointed out, a 3-kiloton explosion, to put that into \nmore usable or more familiar terms, that is about 1,000 times \nas powerful as the explosion that blew up the Murrah Federal \nOffice Building in Oklahoma City.\n    SCADA information has been found on captured al-Qa\'ida \ncomputers. Three weeks after the 9/11 attacks, the American Gas \nAssociation chartered the AGA 12 Working Group to develop a \nstandard to protect SCADA communications. The drawing that we \nhave up here indicates basically how it works. What you do is \noriginate a command, such as open the switch inside a secure \nfacility. It then gets sent into a cryptographic module which \nchanges the message, and as you can see across the bottom, it \ncan\'t be read by anybody without a special number that is \ncalled a key. When it shows up on the other end, it is \ndecrypted by the same key and turns back into the message, open \nthe switch.\n    AGA 12 team is proud of its progress to date, but this is \nnot just a paper standard. 
This device that I have brought with \nme, and you can see it afterwards, is an AGA 12-compliant \ncryptographic module. This unit effectively slams the door in \nthe face of those who would attempt to penetrate the \ncommunication networks of SCADA systems. Early versions of this \nequipment have performed well in the field tests. This unit is \npriced at about $500. It can be installed right now in most \nSCADA systems that operate on low-speed links. National labs \nare in the process of evaluating its security level and its \nperformance. At least two manufacturers will market AGA 12 \nmodules. No other standards groups can provide this protection \ntoday.\n    While many groups contributed to AGA 12\'s success, none did \nmore so than the Navy\'s Technical Support Working Group, or \nTSWG. TSWG funded GTI to work on AGA 12 full time. This allowed \nus to move far faster than any other all-volunteer groups.\n    Note that AGA 12 is only one of dozens of groups who are \ninvolved in developing standards. There is a significant risk \nof developing conflicting standards. These volunteer groups \nlack the resources to coordinate their efforts. The DHS Process \nControl Security Forum and DOE\'s Roadmap are important examples \nof government and private sector coordination in cyber \nsecurity.\n    Regrettably, AGA 12 has become a victim of its own success. \nTSWG only funds prototypes until they succeed. When AGA 12 \npassed this milestone last May, both funding and progress \nceased with a serious loss of momentum. Our early success \nobscured the fact that critical work remains. 
DOE is providing \nsome funding to go restart tests and to edit parts of AGA 12 \nfor publication, but there is still critical work, including \ndeveloping a seal of approval conformance testing to show that \na product such as this really meets the standard, sort of a \nGood Housekeeping seal of approval; next-generation designs to \nwork faster and at half the cost; a major pilot test to \nvalidate that the technology really works; and remote key \nchanging so you don\'t have to send staff out when you make \nchanges; and forensic tools to find and prosecute attackers.\n    In summary, we make the following recommendations: Fund R&D \nto develop protection against cyberattacks on the Nation\'s \ncritical infrastructure. Prevent loss of momentum by avoiding \nprogram interruptions. This is very disruptive. Support the \ncoordination effort, such as the Process Control Security Forum \nand the Roadmap. Complete the remaining AGA 12 work that I have \njust outlined. Support other selected standards works in \naddressing the many vulnerabilities that are beyond the scope \nof AGA 12.\n    Mr. Chairman and subcommittee members, we applaud your \nfocus on securing our Nation\'s critical infrastructure, \nespecially the area of SCADA protection. I would be pleased to \nanswer questions afterwards. Thank you.\n    Mr. Lungren. Thank you very much, Dr. Rush.\n    [The statement of Mr. Rush follows:]\n\n               Prepared Statement of Dr. William F. Rush\n\nINTRODUCTION\n    Good afternoon Mr. Chairman and members of the Subcommittee. Thank \nyou for the opportunity to address you today on this important topic. \nMy name is Bill Rush and I hold the position of Institute Physicist \nwith the Gas Technology Institute (GTI), where I have worked in the \nfield of natural gas technology research and development for 27 years. \nGTI is a not-for-profit Research and Development institute \nheadquartered in Des Plaines, Illinois. 
I also am the Chairman of the \nAmerican Gas Association\'s SCADA Encryption Working Group. The American \ngas industry has charged this group with developing cryptographic \nprotection for gas, water, and electric SCADA communications.\n    The focus of my testimony today is to update you on the steps the \nAmerican Gas Association (AGA), GTI, and many other organizations have \nbegun to take to protect SCADA communications from cyber attack. At the \nconclusion of my remarks, I will provide recommendations to the \nSubcommittee on what actions can be taken to further advance the \nsecurity of industrial control systems for critical infrastructures.\n\nSCADA SYSTEMS ARE OFTEN VULNERABLE TO CYBER ATTACK\n    Supervisory Control And Data Acquisition (SCADA) systems are an \nimportant component of critical infrastructure. SCADA systems can be \nthought of as the ``remote control\'\' part of most gas, water, electric, \nand oil pipeline systems. SCADA Remote Terminal Units (RTUs) read the \npressures, voltages, temperatures, and flows at critical points \nthroughout the transmission and distribution portions of these critical \ninfrastructure networks and transmit this real-time data back to \ncentral control rooms. They also operate valves, circuit breakers, and \nswitches and are thus critical equipment for control of the systems. \nThis remote control of unmanned facilities provides quick response to \nchanging situations, while providing cost-effective operations of a \nmultitude of critical equipment and stations, spread over a large \ngeographic area. Many SCADA RTUs have ``maintenance ports\'\' that enable \noperators to change critical system parameters remotely, open or close \nvalves or breakers, or download new firmware. There are strong \nsimilarities among gas, water, electric, sewage, and oil SCADA systems. 
\nProcess automation and control systems used in other critical \ninfrastructure applications, such as oil refineries and chemical \nplants, may not have the long-distance aspects of SCADA, but share many \nother characteristics.\n    The cost constraints under which SCADA systems operate determine \nmany of their security-related characteristics. Because SCADA systems \nare expensive to replace, they have long life times--typically between \n10 and 20 years. Consequently, many systems now in service have been \nthere for a long time and will remain as legacy systems for some time \nto come. Consequently, today\'s SCADA systems are often based on \ntechnology which is a decade old. In particular, many of these systems \noperate at relatively low communication speeds over telephone modems, \nspeeds which most Internet users of today find unacceptably slow.\n    Because these systems were designed before critical infrastructure \nsecurity was a major concern, they often have significant \nvulnerabilities to unauthorized electronic operations, referred to as \n``cyber attacks\'\'. Many of the systems do not have effective password \nprotection for access control or encryption for confidentiality of data \nand commands. When they use dial-in telephone modems, they often can be \nhacked from any computer with a phone modem. When the SCADA system uses \nradio communication, the radio waves can often be detected and altered \nby a third party with an appropriate, commercially available receiver/\ntransmitter. The question confronting skilled cyber attackers is less \n``Can we enter the system?\'\' and more ``How long will it take us to \npenetrate it?\'\' The North American Electric Reliability Council (NERC) \nis concerned about the ability of an attacker to use the maintenance \nports to attack SCADA systems by making unauthorized changes in \ncritical system parameters. 
Information on American SCADA systems has been found \non captured al-Qa\'ida computers.\n    Cyber attacks are not simply minor incidents involving mildly \nannoying hackers, but can have significant operational, economic, and \nsafety consequences. A single example that underscores this point is \nthe Soviet Union\'s use of stolen American SCADA software during the \n1980\'s. This code--which had been deliberately modified to cause harm \nto a SCADA system--led to physical damage to the Soviet SCADA system \nresulting in an explosion large enough to be photographed from space \nand estimated at 3 kilotons TNT equivalent. (See ``At the Abyss: An \nInsider\'s History of the Cold War\'\', Thomas C. Reed, Ballantine Books, \nNew York, 2004.) To put the 3 kiloton number into perspective, the \nMurrah Federal Office Building bombing in Oklahoma City was estimated \nat 0.002 kiloton and the Hiroshima nuclear bomb was between 14 and 20 \nkilotons. The salient point is that it clearly is possible to cause \nsignificant physical damage to critical infrastructure if the SCADA \ncode can be modified.\n\nAGA 12 IS A STANDARD TO PROTECT SCADA FROM CYBER ATTACK\n    Three weeks after the 9/11 attack, AGA chartered a working group to \ndevelop a comprehensive standard that would use cryptography to protect \nSCADA communications from cyber attack. This standard has been \ndesignated ``AGA 12\'\'. When it is completed, it will be a comprehensive \napproach to SCADA cryptography. The charter instructed the working \ngroup to develop a recommended practice for the gas industry and to \ninclude water and electric SCADA systems as well. This approach also \napplies to sewage and oil pipeline SCADA systems. This effort has made \nsuch significant progress that we are now field testing commercial \nprototypes of products that use cryptography to protect SCADA \ncommunications.\n    As a standard, AGA 12 has several significant characteristics. 
\nFirst, it is an open consensus standard that is designed to produce \ninteroperable cryptographic products. ``Open\'\' means that anyone can \nuse the standard to build equipment without needing to pay a royalty or \nlicensing fee. Open here also refers to the process by which anyone \nwith an interest in the topic can participate in developing the \ndocument. The working group included this requirement to encourage \nmarket competition to drive costs down, since no one has a monopoly \nposition. The open-source code for implementing AGA 12 is available for \nfree on the Internet. AGA 12 is a consensus standard because the \nworking group develops consensus among its members and the AGA \nmembership as well that its recommendations are indeed a sound \npractice. Finally, the standard specifies a minimum level of \ninteroperability among products made by different manufacturers. Thus, \nusers will have a choice of suppliers. The standard also assures that \nnew products will remain compatible with earlier versions. Finally, AGA \n12 provides strong protection; it is based on well-established NIST \nencryption standards and has been examined for its ability to protect \nagainst a wide variety of attacks.\n    AGA 12 is a suite of 4 documents, designated Parts 1 through 4. The \nfour documents address different aspects of SCADA communication \nprotection.\n    AGA 12, Part 1 (AGA 12-1) summarizes cyber security policies, the \nbackground of the cyber security problem, and a procedure for testing \ncryptographic protection systems. 
This document educates SCADA \noperators on the need to do a risk assessment and recommends an \napproach for those utilities whose risk assessment reveals a need to \nprotect their systems with cryptography.\n    AGA 12-2 is a detailed technical specification for building \ninteroperable cryptographic modules to protect SCADA communications for \nlow-speed legacy SCADA systems and dial-up maintenance ports.\n    AGA 12-3 will describe how to protect high speed communication \nSCADA systems.\n    AGA 12-4 will describe how to build next generation SCADA systems \nso that their cryptography will be compatible with the legacy systems; \nthis will ease the transition to the newer designs.\n    Parts 1 and 2 are close to completion. Parts 3 and 4 are in the \nplanning stage.\n    Figure 1 illustrates both the configuration of a SCADA system and \nthe scope of AGA 12. On the left is the Control Room, which is manned \naround the clock and where critical operational decisions are made. On \nthe right is the ``Remote Terminal Unit\'\' (RTU), which is typically \nunmanned and controls the sensors and actuators that operate the \ncritical infrastructure. Both the Control Room and the RTU are assumed \nto be secure. The AGA 12 working group deals only with the issues of \nsecurity of messages while they are in transit over an insecure network \nand leaves to others the responsibility for securing the rest of the \nsystem.\n    It is important to recognize that while cryptographic protection of \nSCADA communications is an important weapon in the arsenal of tools \nthat can protect SCADA, it is only one tool among many that are needed. \nCryptography can not provide any protection at all against many kinds \nof attacks. In particular, it does not protect against jamming or \nbreaking the communication line, against physical attacks, or against \nmany kinds of insider attacks. 
Nor does it protect local facility \ncontrol systems1 that are often connected to SCADA systems, and usually \noffer additional independent vulnerabilities to cyber attack. These \nissues are being addressed by literally dozens of groups working in the \nsecurity area. While I am focused only on the AGA 12 effort, I am \npleased to report that there are so many security initiatives under way \nthat coordinating their work is a major challenge. I would call your \nattention to both the Department of Energy\'s Roadmap to Secure Control \nSystems in the Energy Sector and the Department of Homeland Security\'s \nProcess Control Systems Forum as good examples of how the Government is \nworking effectively with the private sector to advance and coordinate \nthe many security efforts that are now under way. I also call your \nattention to the Instrumentation, Systems and Automation Society\'s \n(ISA) ISA SP99 committee, ``Manufacturing and Control Systems \nSecurity\'\'. This is a broad industry wide automation and control \nsystems security standards effort that has published over 150 pages of \nguidance on how to establish automation systems security programs and \navailable technologies to deal with unacceptable risks. Finally, the \nNational Institute of Standards and Technology (NIST) has produced many \nstandards on which AGA 12 has relied and operates the Process Control \nSecurity Forum (NIST PCSRF) which continues to advance putting the \ncause of cyber security on a firm basis.\n\nAGA 12 SPECIFIES CRYPTOGRAPHY TO PROTECT SCADA COMMUNICATIONS\n    AGA 12 uses cryptography to protect SCADA communications. Figure 2 \nillustrates the basic idea of how this works. Data and commands (``Open \nSwitch\'\' in this figure) originate inside of a secure facility, as \nillustrated in Figure 1. Prior to leaving the secure facility, the data \nor command is sent to a ``SCADA Cryptographic Module\'\' (SCM) which \nencrypts it. 
Essentially, this encryption step changes the message so \nthat it can no longer be read by anyone without a special number, \ncalled a key. In operation, the encrypted message is sent over the \ninsecure network in an unintelligible form. When it arrives at the \ndesignated secure facility, the key is used to decrypt the message, \nreturning it to its original meaning, ``Open Switch\'\'.\n    The AGA 12 standard has gone to great length to assure that \nencrypted messages are very difficult for potential attackers to use to \nharm a system that uses SCADA. This ``link encryption\'\' approach has \nbeen used successfully for many years by the financial community to \nsecure its transactions. While this discussion has only considered \nmaking the message hard to read, AGA 12 also makes it difficult to \nalter, forge, or record and replay a message. An important issue \nassociated with AGA 12 is how these secret keys are managed. The keys \nmust be changed periodically to prevent their being guessed or \ncompromised. Different keys are used for employees with different \nresponsibilities and different levels of authority. The authorization \nto use keys must, for example, be changed if an employee leaves. It is \nimportant to be able to do this without the expense of visiting the \nmany distant sites that may be controlled by the SCADA system.\n    Because of the long life of SCADA systems, the owners and operators \nof these systems urged the working group to focus first on the \nchallenging problem of protecting legacy systems. Focusing on next-\ngeneration SCADA systems first would leave the legacy systems \nunprotected for many years. 
Protecting legacy systems, however, \nrequired developing cryptographic modules that will support most of the \nroughly 150 types of existing SCADA systems, each of which has a \ndifferent ``SCADA language\'\' and which operate at different \ncommunication speeds and over a wide variety of communication media \n(such as telephone, radio, and microwave.) The next steps are to \ndevelop the same standard protection for high speed and next generation \nSCADA systems.\n\nAGA 12 HAS MADE RAPID PROGRESS FOR A STANDARD\n    AGA 12 has made rapid progress, given the constraints that an open \ngroup is developing a consensus standard. This is a process that is \ngenerally slow for two reasons. First, developing consensus among \nusers, manufacturers, and cryptographic experts on a difficult \ntechnical task is a challenging task. Each group has different needs \nand understanding levels for the standard. Second, most standards \ndevelopment efforts are all volunteer activities. This limits the rate \nof progress to what can be accomplished in an overload or spare time \nmode by people with full-time job responsibilities.\n    Those of us who have participated in the AGA 12 process are proud \nof the success we have achieved, for this is no longer just a paper \nstandard. AGA 12 Part 1 is in the final stage of balloting prior to \nbeing adopted as an industry recommended practice. Two manufacturers \nare offering or soon will offer cryptographic modules that comply with \nAGA 12, Part 2. Early versions of this equipment have performed well in \nfield tests at actual gas companies. AGA 12 has entered the field test \nstage at least 2 years ahead of any other group developing an open \nstandard for cryptographic hardware.\n\nMANY GROUPS HAVE CONTRIBUTED TO THE SUCCESS OF AGA 12\n    Many groups have contributed to the success of AGA 12. 
No single \ngroup did more to accelerate the work of AGA 12 than the Technical \nSupport Working Group (TSWG), a part of the Combating Terrorism \nTechnology Support Office. TSWG began support of cryptography for SCADA \nsystems with a project at GTI in 1998, well before terrorism was \nrecognized as a threat. While as previously mentioned, most standards \ngroups operate on an all volunteer basis, TSWG funded GTI to provide \nfull-time support by several people to work on AGA 12. This allowed us \nto debate approaches, build models of the various ideas, test to see \nwhat does and what does not work, write our results into the emerging \nstandard, and begin the cycle anew with a debate on the next issue.\n    In addition to TSWG support, several other government agencies have \ncontributed to the progress of AGA 12. The National Institute of \nStandards and Technology provided funding to help develop a standard \ntest methodology for evaluating how much cryptography slows \ncommunications in network. Sandia National Laboratories evaluated the \nsecurity level of the first version, work which led to several \nsignificant improvements to AGA 12. Pacific Northwest National \nLaboratory conducted a preliminary test on the impact of AGA 12 on \ncommunication speed. Under DOE sponsorship, both of these laboratories \ncontinue to do work on the security and performance of the AGA 12-\ncompliant cryptographic modules. These National Laboratory tests are \nparticularly important to the private sector\'s acceptance of the AGA 12 \nstandard as both secure and functional.\n    In addition to government support, industry groups have helped. \nBoth AGA and the American Water Works Association Research Foundation \n(AWWARF) have provided funding and substantial in-kind support for the \nAGA 12 standard. GTI and the Gas Research Institute have funded the AGA \n12 work as well.\n    Many private companies also supported the AGA 12 project. 
These \ninclude Cisco, OPUS Publishing, SafeNet Mykotronx, TecSec, Schweitzer \nElectronic Laboratory, Thales e-Security, and Weston Technology. \nPeoples Energy (Chicago) and Detroit Edison have also been supportive \nand contributed extensively to the working group\'s understanding of the \nneeds of SCADA operators.\n\nDESPITE REMAINING WORK, AGA 12 HAS SLOWED SUBSTANTIALLY\n    Although significant work remains to be done to complete the AGA \nstandard, progress stopped in May of 2005 when TSWG funding ran out. \nTSWG is an organization which only funds prototype developments until \nthey prove successful, at which time funding is to be provided by other \norganizations. DOE has supported Sandia and Pacific Northwest National \nLaboratory to evaluate the security level of the standard and the speed \nof its encryption, respectively. In October, DOE provided limited \nfunding for GTI to complete some field testing and write up the \nexisting version of AGA 12-2 as a document that is in a suitable format \nfor ballot. This 5 month hiatus significantly reduced the momentum of \nthe AGA 12 project. Largely as a result of these delays, one of the \nthree manufacturers that originally committed to produce AGA 12 modules \nhas stopped work on this project.\n    Regrettably, AGA 12 became a victim of its own success. Given that \nit is well ahead of any other hardware development of cryptographic \nprotection and manufacturers are developing products, it appears that \nmarket forces have now taken over and there is no further role for \ngovernment support.\n    The apparent success of AGA 12 obscures the additional work that is \nrequired. This includes several topics that--while of great importance \nto the success of the AGA 12 effort--are difficult to appreciate. 
These \ninclude the following:\n        <bullet> Conformance testing--While the AGA 12 standard will be \n        validated by at least two National Laboratories, SCADA system \n        owners and operators need a ``seal of approval\'\' to verify that \n        the particular products they are considering buying actually do \n        conform to AGA 12 requirements. There is no existing set of \n        tests that is recognized as providing this assurance.\n        <bullet> Next generation design--Because AGA 12, Part 2 is a \n        retrofit solution for legacy systems, it is the most expensive \n        and least effective approach to the cryptographic protection to \n        SCADA systems. Incorporating this protection into products at \n        the time of manufacture is estimated to be less than half as \n        costly as adding it after it is in the field. It is critical, \n        also, that the next generation systems be able to interoperate \n        with the units that have already had cryptography added.\n        <bullet> Large scale pilot test--While the laboratory and \n        small-scale field tests that have been completed and will be \n        done in the near future will validate that AGA 12 does work in \n        the field, this is not a full scale pilot test. Several parts \n        of AGA 12 that will function well during a small scale test may \n        prove problematic for larger scale installations. Key \n        management is a good example. Another is the possibility that \n        network congestion problems might manifest themselves when many \n        of the messages are encrypted, but will be invisible in small \n        scale tests. 
SCADA operators are more likely to feel confident \n        in a system that has been tested in a full-scale pilot than in \n        a system that has only been tested on a small scale.\n        <bullet> Key management--Good cryptographic practice requires \n        that the keys that decrypt the encrypted data and commands be \n        changed periodically. This ``key management\'\' must be done \n        remotely to be cost effective, since the wide geographic extent \n        of SCADA systems prohibits visiting sites to change keys if a \n        strike occurs or if an employee leaves.\n        <bullet> Forensics and diagnostics--While it is important that \n        AGA 12 be able to protect SCADA systems from attack, it is also \n        desirable that these systems detect attacks that are under way, \n        inform the operator of the attack, and gather possible forensic \n        information that will facilitate the detection, identification, \n        arrest, and prosecution of system attackers. Although AGA 12 \n        contains some features that lay foundations for this type of \n        work, it is far from complete.\n        <bullet> Management port--The management port requires some \n        additional features that are different from those required to \n        send data and commands.\n        <bullet> Coordination of security standards--It is important \n        that standards groups establish and maintain contact with one \n        another. There are estimated to be approximately 100 groups \n        currently developing cyber security related standards. 
There is \n        very little contact among these groups, an undesirable \n        situation likely to lead to duplication of effort and \n        conflicting standards that no manufacturer will follow.\n        <bullet> High speed networks--While AGA 12\'s early focus on the \n        protection of low speed legacy SCADA systems is appropriate in \n        providing protection to the large installed base of these \n        systems, it is also clear that many of the newer systems will \n        use higher speed communication links, such as the Internet. \n        This requires that we be able to maintain as much \n        interoperability as possible between the low and high speed \n        networks.\n\nSEVERAL GOVERNMENT STEPS WILL ADVANCE SCADA SECURITY\n    In summary, we make the following recommendations:\n        <bullet> Make sure that there is funding for R&D and strong \n        industry-government partnerships to develop protection of the \n        Nation\'s critical infrastructure against cyber attacks. \n        Progress is being made--the key to moving forward is to \n        continue R&D efforts and partnerships.\n        <bullet> Prevent loss of momentum by avoiding funding \n        interruptions in on-going programs.\n        <bullet> Continue the coordination efforts (such as the DOE \n        Control Systems Roadmap and the DHS Process Control Systems \n        Forum) which are key elements of growing coordination between \n        the government and industry and also vital to coordination \n        among different infrastructures. These two programs are models \n        for how to coordinate across a wide area.\n        <bullet> Support continued development of AGA 12. 
In \n        particular, work should be completed to develop key management, \n        establish conformance tests, do a large-scale pilot test, \n        specify a next-generation design, secure high-speed networks in \n        a manner compatible with the low speed networks, and develop \n        forensics and diagnostics to detect and foil attacks.\n        <bullet> Support selected other standards development efforts. \n        While our focus here has been on AGA 12, it is important to \n        recall that this is only a small part of the total SCADA \n        security requirements. Both the ISA SP99 and the NIST PCSRF \n        efforts are noteworthy. Many of these other standards groups \n        labor on an all volunteer basis on other critical requirements \n        of significance as great as that of AGA 12. This all volunteer \n        pace will not lead to rapid development of required standards.\n    Mr. Chairman, we applaud your focus on securing our critical \ninfrastructure, especially in the area of SCADA protection. This \nconcludes my prepared statement. I would be pleased to respond to any \nquestions you or other Members of the Subcommittee may have.\n\n                            List of Acronyms\n\n        AGA--American Gas Association\n        AGA 12--American Gas Association Report No. 
12, ``Cryptographic \n        Protection of SCADA Communications\'\'\n        CM--Cryptographic Module\n        DOE--Department of Energy\n        EPRI--Electric Power Research Institute\n        GTI--Gas Technology Institute\n        ISA--Instrumentation, Systems and Automation Society\n        ISA SP 99--ISA Special Publication 99, ``Manufacturing and \n        Control Systems Security\'\'\n        NERC--North American Electric Reliability Council\n        NIST--National Institute of Standards and Technology\n        PCSRF--Process Control Security Research Forum\n        RTU--Remote Terminal Unit\n        SCADA--Supervisory Control And Data Acquisition\n        SCM--SCADA Cryptographic Module\n        TNT--Tri-Nitro Toluene (dynamite)\n        TSWG--Technical Support Working Group, part of the Combating \n        Terrorism Technology Support Office\n        [GRAPHIC] [TIFF OMITTED] T2242.001\n        \n\n    Mr. Lungren. The Chair would now recognize Mr. Allan \nPaller, the Director of Research for the SANS Institute, to \ntestify.\n\n   STATEMENT OF ALAN PALLER, DIRECTOR OF RESEARCH, THE SANS \n                           INSTITUTE\n\n    Mr. Paller. Thank you, Mr. Chairman. SANS is different from \nthe other organizations. We are basically an educational \norganization. We--our 45,000 alumni are the front lines, the \npeople who put the security into the computers that try to \nblock the attack. So we are constantly looking for methods that \nwill make that feasible, because right now the bad guys are \nwinning faster than the good guys are getting better.\n    So what I am going to do today is not talk about what the \nsolution is to SCADA security, but how you can take--how we can \nprove you can take the solutions that Sam and K.P. and the \nothers and Bill have found already and get them into operation \nrather than studying them to death. 
So that is what the \ntestimony will be.\n    I do want to emphasize that you will sometimes hear these \ncomputers are not connected to the Internet; therefore, they \nare safe. The problem with that statement is they are often \nconnected by packet radio. Think of old-fashioned wireless. So \nthey might not be on the Internet, but the packet radio is the \nmethod by which the water treatment system in Maroochy Shire \nwas taken over, and human waste backed up on the streets of the \ncity, by a man who was angry at the system. It wasn\'t connected \nto the Internet, but it was very vulnerable. So we need to look \nat both of those attack methods. And these vulnerabilities \naren\'t theoretical. You already heard them from Sam.\n    What I am going to try to show you is a method and tell you a \nquick story of a method the U.S. Government has used that \nradically changed the dynamics of security in the country. And \nI think I will tell you that story and then finish this.\n    Microsoft systems are being put more and more into SCADA \nsystems. You are buying them. GAO just came out with a report \nthat said that the problem--not just, a few months ago--came \nout with a report that says the problems in SCADA security are \ngetting worse because they are connected to the Internet and \nbecause they are buying off-the-shelf, vulnerable operating \nsystems.\n    So how do you make somebody who has a powerful monopoly \nover all of the computers that we buy change their way and \ndeliver safer systems? About 2-1/2 years ago, the CIO at the \nAir Force got up at a public meeting and said, we are now \nspending more money to fix the problems we have because of \nMicrosoft bugs than to buy the stuff in the first place. But he \ndid something that no one else has done. He took Federal \nprocurement power and said, we are going to fix this. 
And what \nhe did is he consolidated all of the contracts that the Air \nForce has with Microsoft, all of them, and in doing that he \nsaved $100 million. It is a half-a-billion-dollar procurement, \nbut he has got provable savings of $100 million.\n    But that wasn\'t the exciting part of it. The exciting part \nof it was that he required Microsoft to deliver systems that \nwere preconfigured according to the standards that DHS helped \ncreate, that the National Security Agency really fronted, and \nan organization called the Center for Internet Security brought \ntogether. So there was consensus benchmarks for what safe \nmeans, and that allowed the Air Force to require the vendor to \ndeliver safer systems. It was a lot of argument, a lot of \nnegotiation, but in the end Steve Vollmer and Microsoft said \nyes.\n    And what I am trying to show you is you can actually change \nthe rate at which systems get safer by using combined buying \npower, and that is what I believe can be done very quickly in a \nSCADA environment, because what Bill is talking about, what Sam \nis talking about, what K.P. is talking about are actual \nsolutions that aren\'t going to get implemented unless the \nbuyers can act together, because the vendors--each individual \nvendor has an incentive not to get ahead of the others because \nit will cost them more, and if they spend more, the other \nvendors can sell cheaper. So unless the buyers get together and \nagree on standards, it won\'t happen.\n    And what is exciting about the SCADA system is the State \nand local governments and the Federal Government have a huge \nconcentration of them, so they can create an enormous buying \npower as long as the DHS and Sandia, and Bill and K.P. can \nagree on what those standards need to be. And it is a very \nquick thing. We are not talking about years and years. We are \ntalking about weeks and months to agree on what needs to be \ndone. 
But then instead of having regulations, instead of having \nlaws, use procurement power to change things.\n    I thank you for allowing me to speak, and I look forward to \nquestions. And I hope you feel better, Ms. Ranking Minority \nMember.\n    [The information follows:]\n\n    [GRAPHICS] [TIFF OMITTED] T2242.002 through T2242.009\n    \n    Mr. Lungren. I hope she feels better, too. I am not sure I \nfeel better after hearing your testimony about the \nvulnerabilities that we have here.\n    We have now been informed that I guess we are to go back at \n5:30, so we will have time to not only ask questions, but to \nhear your comments. And I appreciate your brevity, but I also \nappreciate the quality of the testimony.\n    This is a concern that many of us on this committee have. \nIt is, as someone said, the soft underbelly of our \ninfrastructure, and it is something that doesn\'t immediately \ncome to mind because we take for granted that we have these \nsystems that work. And our increased interconnectivity is a \nblessing, but it is also a curse. It creates the vulnerability \nthat makes that soft underbelly even greater. And I hope I am \npronouncing your name correctly. Is it Dr. Varnado?\n    Mr. Varnado. Varnado.\n    Mr. Lungren. Varnado. I put the wrong emphasis on the \nsyllable.\n    Dr. Varnado, of all the things that you suggested are our \nvulnerabilities, what would be the chief one; that is, the \ngreatest--which would require the greater exertion of political \nwill and governmental attention right now?\n    Mr. Varnado. There are basically two approaches that we \nneed to take. 
We need to continue to work on the inherent \nvulnerabilities that are there in every networked computer \nsystem. Industry and universities are doing a pretty good job \nin taking, looking at that one very hard.\n    The second area is that of induced vulnerabilities, \nsomething like what happened in Russia. And the problem with \nthe COTS products, those are very complex systems. We have no \nidea what is deeply buried in those systems. The software that \nwe purchase may have 20 million lines of code, and for us to \nreverse-engineer that is a very difficult task. Same thing with \nchips. There can be layers, seven, eight layers, in \nmicroelectronics today. More and more of those systems are \nembedded. So finding out how to reverse-engineer some of those \nproducts and to do security checks is a very difficult problem.\n    Now, the thing that comes to mind for Congress is trying to \nimprove our collaboration among universities and industry and \nnational labs and the government. There are things that get in \nthe way, like classification issues. There are certain things \nabout the threat that we can\'t talk about in this room. There \nare other issues like trust, antitrust, those kind of things, \nthat the government could take some action to help give some \nrelief in those areas so that we could discuss more. If we \ncould discuss more openly the things that we all know, we would \nbe in a better position.\n    So I probably didn\'t answer your question precisely, \nbut--\n    Mr. Lungren. Well, let me ask it another way. You said \nthat--I mean, you almost articulated an insoluble problem which \nsaid we are attempting to build trusted systems with \nuntrustworthy pieces. Other than us pulling in and saying \neverything we are going to do is going to be totally \ndomestically engineered, produced, testing, et cetera, what do \nyou suggest?\n    Mr. Varnado. Doing it all ourselves is not in the cards. We \ncan\'t afford it. 
So what we are doing is we are looking at \ndifferent ways to configure systems that put security checks \nbuilt into the technology as you assemble the system. So we are \ntrying to decompose the system a bit and to put in security \nfeatures where we think we might find problems and be able to \ndetect problems quicker.\n    We do not have intrusion detection systems, for example, \nthat operate in real time. That is why on the zero day exploits \nand the things like the 8 minutes of infecting the DOD system \nis so hard. We don\'t have these real-time intrusion detection \nsystems yet. So we are working on those kinds of things to try \nto solve this problem. We cannot afford to build everything, no \nquestion.\n    Mr. Lungren. Thank you, Dr. Varnado.\n    Mr. Purdy, I have had a chance to hear you before, and I am \nvery impressed with the breadth of your knowledge and the \nobligations that you have at your job. Having heard Dr. Varnado \narticulate the problem, as well as several other of the members \nof the panel, how do you at Homeland Security attempt to try \nand deal with this challenge, because in some ways it is a \nmatter of priorities; and also, how do we--it seems to me that \nthere is more things you can do immediately by command within \nthe government than you can do in the private sector. How do \nyou differentiate between what you can do by command in the \ngovernment versus what you can do by whatever means in the \nprivate sector?\n    Mr. Purdy. Well, that is a difficult question which I know \nis one of the reasons that you asked it, and the importance of \ntrying to get a handle on these issues. 
But essentially \nSecretary Chertoff\'s approach of risk assessment and risk \nmitigation, which underlies our National Infrastructure \nProtection Plan, and our work in building the partnership \nbetween government and the private sector for information \ntechnology within the sector and across the sectors, that is a \nfundamental piece of our effort. But we have prioritized \nseveral risk mitigation efforts within that context. One is \ncontrol systems we have talked about. Another very important \none is software assurance, and a third is Internet disruption, \ntrying to promote the survivability and resilience of the \nInternet.\n    The software assurance piece that Dr. Varnado talked about \nrelates to a number of efforts going on that are coordinated. \nThe Department of Defense has a major effort in the software \nassurance area that is closely coordinated with our own \nsoftware assurance security program.\n    The two fundamental things in addition to the purchasing \npower issue that Allan Paller talked about which we are working \nvery hard on is the development of best practices along the \ndevelopment cycle for software assurance. And it is developing \ntools so that we can go back and assess the software after the \nfact.\n    The foreign issue that Dr. Varnado talked about, we are \nworking in the unclassified and in the classified space. I am \nworking as the cochairman of the globalization of IT within the \nCommittee on National Security Systems, where the 24 agencies \nare coordinated on the national security systems so we can \naddress exactly the kind of issue that Dr. 
Varnado talked \nabout, the insecurity of what is made overseas, but, in fact, \nour inability to be able to tell on what is made domestically \nas to whether software not only does what it is supposed to, \nbut to make sure it doesn\'t do other things; the coordinated \neffort among the partnership, among the national labs; the \nfunding that DOE, DHS--some direct, as our 15 million that is \nup this year for 2006--the money that our Science and \nTechnology Directorate is funding; the additional funding that \nis provided for next year that goes to the I3P program that \nSandia is coordinating; and a number of the specific efforts we \nbelieve are going to in 2006 provide some real deliverables to \nhelp make folks safer. But it is going to continue to require \nthe partnership among everybody here, the owners and operators \nand the security vendors, and it is a difficult and important \nchallenge.\n    Mr. Lungren. The Chair recognizes Ms. Sanchez for 5 \nminutes.\n    Ms. Sanchez. Thank you, Mr. Chairman.\n    Mr. Varnado, I wasn\'t going to ask a question, but you have \nme a little curious. When you talked about new systems and then \nintercepting them, did you mean like a little systems test as a \npiece of that hardware got made, or--I am trying to understand \nwhat you meant as an ability to counteract.\n    Mr. Varnado. Right. What we are thinking, this is very much \nright now, Congresswoman, an R&D project that we are looking \nat. If we purchase most of the system and then we put it \ntogether, there are places in the data flow within the computer \nsystem that we may be able to put some small components in that \nwould detect certain anomalies or violate certain patterns of \nuse that would alert us more quickly and maybe even be able to \nprevent that from happening. So it is very much an R&D project \nat this point, and we are just starting to work on it the last \n6 months or so. It is brand new. 
We think it holds some \npromise, but it is a huge problem, and we need to put more \neffort on it, I guess is the message I want to leave with you.\n    Ms. Sanchez. Thank you, Doctor.\n    Mr. Chairman, I am going to give up my time so that--\nbecause you have a lot of Members on my side who showed up to \nthis, which goes to show just how important most of us think \nthis is. And I am going to yield back the rest of my time and \nmove it on.\n    Mr. Lungren. I thank the gentlewoman for yielding back and \nrecognize the Chairman of the subcommittee Mr. Reichert for 5 \nminutes.\n    Mr. Reichert. Thank you, Mr. Chairman.\n    Well, I am going to be totally honest. I am coming at this \nfrom a novice\'s perspective, and so I listened to you. My \nbackground is law enforcement. And so GTI, SCADA, NSTB, SCSC, \nNERC, AGA 12, cryptographic module and TSWG, and I had some \nmore but I will stop. So, book them, Dano, is where I come \nfrom.\n    I am just really curious, you know, we need to be prepared. \nFirst of all, where are we really today; in your analysis of \nwhere we actually stand today, where are we? Anybody.\n    Mr. Paller. The demonstrations of vulnerability are active \nand scary. So if you want to break into the power systems and \nthe other systems in the United States, you can hire a bunch of \ncompanies that will demonstrate that it can be done. I just \ndon\'t believe that we are at risk of that right away because it \nis easier to bring conventional weapons in and blow things up \nthan to figure out exactly how to use that to blow up a \npipeline. But I don\'t think we are far away from it, and if we \nwait until we see the first strong use of it, there will be no \ncatching up.\n    So it is hard to fix a problem when you don\'t see the \nattacks. It is very hard to spend money on that. That is why I \nlike the Air Force method, because they actually didn\'t spend \nnew money. 
They used old money and the buying power of the old \nmoney to make the change. I don\'t think there is another way to \ndo it. There is not a lot of fresh money coming from the \nFederal Government.\n    Mr. Reichert. Thank you. I thought that might be the \nanswer.\n    And so when you look at what we need to do to become more \nresponsive and aware, there is an educational training process \nthat has to take place, not only some of the things that you \nmention in constructing the right system, but people learning \nall of the acronyms that I just mentioned, and I am sure there \nare a lot more. But how does local--how does the local \ngovernment officials, how do they play into that, local law \nenforcement and also the local businesses?\n    You touched a little bit upon the industry and how they \nplay a partnership, but when it comes to training, I think, Mr. \nPurdy, you mentioned training, and, Dr. Ananth, you said \nsomething about training 350 people. What kind of training, and \nwho do you train?\n    Mr. Ananth. Well, if I might say, the training that we talk \nabout is for the people who install those control systems and \nfor the end user. We are not talking about training the State \nand local people, because, as you know, sir, there is a lot of \nproblem in interoperability devices with the response workers \nand the emergency response workers. But what we are talking \nabout is the people who actually own the critical \ninfrastructure assets, which is a lot of the private sector. So \nwe are talking about where the control systems are located, so \nthey need to know where the vulnerabilities are, they need to \ndo a fix. So when we talk about the training, and when I talk \nabout the training, that is the audience, the target audience, \nI was talking about, the owners of these infrastructure assets.\n    Mr. Reichert. Mr. Purdy, did you have any comment on the \ntraining?\n    Mr. Purdy. 
Well, we have a number of different levels of \nthe awareness piece that was touched on. I believe the House \npassed today a resolution to support National Cybersecurity \nAwareness Month, which is October, which helps emphasize the \nimportance of getting the cybersecurity important message out \nto consumers and small business and what folks need to do about \nit.\n    In addition to the training program, we work with the National \nScience Foundation on the Cyber Corps Program, because we want \nto encourage the number of well-trained cybersecurity \nprofessionals in the Federal workforce, and as part of training \nwe have been partnering with the Department of Defense, because \none of the big issues about whether the Federal Government has \nenough well-qualified people is, if you define all the jobs \ndifferently, it is impossible to do the gap analysis. So they \nhave done the job task analysis of DOD, and we are going to try \nto leverage that across the Federal agencies.\n    Also we are partnering with the National Security Agency. \nIn fact, we have a major conference tomorrow up in Baltimore \nwith the Centers of Academic Excellence, as we have been \ncreating a common body of knowledge for those university \ncenters of excellence to train the next generation of \ncybersecurity professionals and software developers to do a \nbetter job of what it is that they do.\n    Mr. Reichert. Thank you, Mr. Chairman.\n    Mr. Lungren. Mr. Purdy, I might just mention your reference \nto the bill that we passed yesterday. It is a great analogy for \nwhere we are. We passed appreciation for this month in the \nmiddle of the month. Maybe it shows you how we have to catch up \nin this whole arena.\n    Mr. Pascrell is recognized for 5 minutes.\n    Mr. Pascrell. Mr. Purdy, I want to start off with this \nquestion, and I would ask you to be very direct and specific. 
\nHow many Department of Homeland Security employees are \ncurrently working on the SCADA control systems issues? How many \npeople?\n    Mr. Purdy. We have two government employees and 35 full-\ntime contractors.\n    Mr. Pascrell. So there are only two people in the \nDepartment of Homeland Security, and listening to the \nvulnerabilities from you six gentlemen, we have two employees, \nFederal employees, and we are contracting out most of this \nwork, correct? Correct me if I am wrong so far.\n    Mr. Purdy. On the control systems piece. The other efforts \nwe are doing will help protect the control systems owners and \noperators as well, and that is integral to it.\n    Mr. Pascrell. Well, then, let me ask you this question. We \nsaw in the recent hurricane, Hurricane Katrina, that the \nFederal Government was unprepared to respond to a large natural \ndisaster. Today we have heard about the devastation that may be \ncaused if a terrorist or a--or there is a natural disaster hits \nour control systems. Mr. Varnado, you made four very specific \nrecommendations. Just last week there was a headline in the New \nYork Times that said, U.S. Cybersecurity Due for FEMA-Like \nCalamity. Are we prepared for a cyberattack on our control \nsystems, Mr. Purdy? And if a natural disaster hits our control \nsystems, are we prepared to respond to it, in your estimation?\n    Mr. Purdy. Well, we believe we are prepared for a \ncyberattack, to respond to a cyberattack against the control \nsystems. Our partner division within the Infrastructure \nProtection Office, Protective Security Division, is the best \ndivision to talk about the actual direct physical consequences \nof your question.\n    Mr. Pascrell. So from your standpoint we are prepared.\n    Mr. Purdy. We have a high cyber risk in this area, but we \nare prepared to respond and mitigate an attack that might \noccur, yes, sir.\n    Mr. Pascrell. Well, there is no need to get on the \ndefensive. 
I have a right to ask the questions, and you have a \nright to deliberate before you answer me.\n    I am getting particularly annoyed--for the Chair, I am \ngetting particularly annoyed with employees that come here from \nthe Department of Homeland Security, the responses to this \ncommittee or any committee dealing with homeland security, and \nfrankly, I am tired of it because we are not prepared. You know \nit, and I know it.\n    And let me make some suggestions before I leave it for now. \nWe know that there are vulnerabilities within these systems, \nand we know that these vulnerabilities are abundant, and we \nknow that the threat of the terrorist attack against these \nsystems is real. Those things we know, we agree on. So the \nCongress, it would seem to me, needs to engage in a robust \nanalysis and oversight in this realm, Mr. Chairman. We need to \nhelp ensure the security of the various control systems that \nare used in critical infrastructure. And I am heartened that \ntoday two Homeland Security subcommittees are leading the \ncharge.\n    A cyberattack on one of New Jersey\'s four nuclear power \nplants or 100 chemical sites, for example, has the potential to \nbe absolutely devastating not only in terms of lives lost, but \nalso in the regional and national economic structure it could \nbring forth. That is very serious, very serious business.\n    Back in 2002, the National Infrastructure Protection Center \nreported that a computer belonging to an individual who had \nlinks to Osama bin Laden contained programs that clearly showed \nthe individual\'s interest in the structural engineering of \nvarious critical infrastructures. It indicated that al-Qa\'ida \nmembers had sought information about the control systems which \nwe are talking about here today, from the very--from the \nmany multiple Websites.\n    The NIPP, the National Infrastructure Protection Plan, was \ndue in December of 2004. Mr. Chairman, please hear me on this. 
\nThis is important. The American people, American public is \nbeing duped. That was supposed to be completed in December of \n04. In February of 2005, we had an interim plan. It was issued, \nsetting a deadline of November 05 for the final plan. Now, \naccording to the GAO, the interim plan was incomplete in the \nfirst place. It lacked both national-level milestones and \nsector-specific security plans. The plan remains incomplete to \nthis day. We can\'t even get proposals ready in a timely manner.\n    This is unconscionable. There really is only one full-time \nemployee staffed in the DHS that deals with national \ncybersecurity, and I am not going to accept as a Member, \nRanking Member, Ranking Member, it doesn\'t matter, I am not \ngoing to accept folks coming before us and thinking that we \ndon\'t do our homework. And we are saying--we are talking here \nabout on a nonpartisan basis.\n    This is critical stuff. You have never met deadlines. You \ndon\'t care about those deadlines, and I don\'t think you have \nthe expertise to meet the deadlines. What do you know about \nthat? And I have not heard anything to the contradiction to \nthat statement either. And I am tired of it, and the American \npeople are tired of it.\n    Natural disasters. We are not going to have 7 days to \nprepare for a terrorist. We are not going to have 7 days. I \nsuggest that you look at, if you haven\'t already, Mr. Varnado\'s \nfour recommendations. It is a start. It is not the total \nsolution. There is no seamlessness in this battle, no perfect \nsystems, but it is 4 years later, and we are no further down \nthe line, Mr. Chairman.\n    Thank you for your tolerance.\n    Mr. Lungren. The gentleman\'s time has expired.\n    Mr. Purdy, if you wish to respond, you may.\n    Mr. Purdy. I expect that when the National Infrastructure \nProtection Plan goes out early in the year, that the concerns \nraised in the GAO report will be well addressed. 
The work we \nhave done in the National Cyber Security Division to implement \nour strategic plan in furtherance of the national strategy to \nsecure cyberspace, we believe, has made concerted progress. It \nhas been reflected in the additional funding we have been \ngiven.\n    We believe Secretary Chertoff believes in the importance of \nthe cyber issue as part of the overall risk management \nframework that he has. We are proud of the progress we have \nmade. We would be happy to brief the Congressman and his staff \nand other members of the committee on that substantial \nprogress. I recognize that the cyber risk is substantial. We \nrecognize it is substantial. We agree with the committee. We \nagree with the members of the panel on that issue. To the \nextent the forcefulness of my answers came across as being \ndefensive, I apologize, but that is how forceful I am. Thank \nyou, sir.\n    Mr. Lungren. Thank you.\n    Before I recognize Mr. Pearce, I might just say there has \nbeen some frustration exhibited by this panel for the failure \nof reports to be done in a timely fashion, and I think that has \nbeen on a bipartisan basis. There is no suggestion on my part \nthat you are not trying to do your job, but I will just tell \nyou that is a real frustration on this committee.\n    Mr. Pearce is recognized.\n    Mr. Pearce. Thank you, Mr. Chairman. I have got several \nquestions, so I am requesting briefer answers if you could.\n    Mr. Purdy, can you outline the process by which the four \ncomponents, divisions of the Office of Infrastructure \nProtection coordinate and share information in the progress or \nimplementation of your mission? You have got four divisions. \nHow do you all coordinate and share information?\n    Mr. Purdy. You are talking about generally?\n    Mr. Pearce. Generally, yes.\n    Mr. Purdy. 
Across the board, well, we have two meetings a \nweek with the Assistant Secretary for Infrastructure \nProtection, each of the division directors. We have an \nadditional meeting without the Assistant Secretary where the \ndivision directors themselves come together. We have milestones \nthat come down from the Infrastructure Protection Office \nweekly. We have weekly reports that the Infrastructure \nProtection Office gives to each of the divisions so that people \nknow what the other groups are doing. And we have a number of \nspecific areas that we are partnered with; for example, the \nProtective Security Division, they do the site-assist visits of \nthe localities, and we provide the cyber guidance for those \nassessments that are due in the local locations. In addition, \nwe have periodic briefings, where each division briefs the \nentire group, all the division heads from Infrastructure \nProtection, as to what the goals, objectives, accomplishments, \nbudgetary situations are, progress and challenges ahead.\n    Mr. Pearce. Mr. Todd, do you have--you have heard Mr. \nPurdy\'s discussion. In your report you talk about the need in \nthe future for maybe coordinated contact with other agencies. \nIn the past year what contact have you had with Mr. Purdy\'s \nNational Cyber Security Division?\n    Mr. Todd. Well, let me handle them in two different ways. \nOne is the--\n    Mr. Pearce. If you could just give me the brief answer. \nWhat contact have you had with them?\n    Mr. Todd. I have not had any with them.\n    Mr. Pearce. Thank you.\n    Dr. Varnado, what contact has your group had?\n    Mr. Varnado. We are currently working with him on the \nNational SCADA Test Bed as well as a program at Dartmouth that \nwe are interacting on.\n    Mr. Pearce. Okay. Thank you.\n    Mr. 
Todd, as I read your report, I just find the language \nto be very reassuring, very reassuring, and I find the language \nof the other reports to be not so reassuring; that is, I hear \npointed comments. In other words, you say that you all have \nmade the appropriate improvement measures, engineering, that \nyou have done what you can to protect the equipment and ensure \nthe safety of public health, that you have maintained a policy \nof not connecting your SCADA systems. You have evaluated and \nimproved, you have identified the cyber vulnerabilities. You \nare continuously evaluating. Now you list a couple of sections, \nbut then your closing statement says that we believe our \nsecurity program meets the challenges of these requirements, \nand then kind of a throwaway comment that we will look forward \nto contributing and just staying on top of the situation.\n    Do you find the reports of the other agencies, the other \npeople testifying here today, to be that much different from \nyour findings? In other words, I find some element of alarm in \neveryone else\'s, but yours declares that we are on top of it, \nand we have been on top of it, and we are going to stay on top \nof it.\n    Mr. Todd. Well, let me say it this way; the differences, I \nbelieve, are this--we are an agency that puts things out on the \nground. So we are certainly vulnerable to the kinds of \ncontractors and chips and so forth that we might contract for. \nThat is true. However, in our implementing these kinds of SCADA \nsystems, we have had, over the last 20 years, a basic distrust \nof the system itself. We want it to be foolproof. And so we \nhave put in other kinds of guarding devices. For instance, we \nhave operators on 24 hours a day. We check with transmission \nagencies continually about what is being provided and what \nisn\'t. And if those things are not right within our \nparameters--\n    Mr. Pearce. 
You feel like you could fight off any attempts, \nlike the Australian attempt that is reported by one of the \nother presenters, that that really would not happen in your \nagency, that there is not much attempt or much capability for \nan outside group to come in and affect the flow of waters \nthrough the BOR or through the dam system or--you know, you \nthink that you really are that secure.\n    Mr. Todd. We believe the risk is low.\n    Mr. Pearce. Okay. Thank you. Appreciate it, Mr. Chairman.\n    Mr. Lungren. I thank the gentleman.\n    As I understand it, you do not have the SCADA systems \nrunning the gates; is that correct?\n    Mr. Todd. We do not have SCADA systems running spillway \ngates. We certainly have them running the smaller power gates \nfor power generation, that is true.\n    Mr. Lungren. But the greater danger is with the spillway \ngates.\n    Mr. Todd. Yes, it is. Our SCADA systems are set to operate \nwithin the safe channel capacity, and so, therefore, we do not \nhave them hooked up to the spillway gates, which are set to \noperate sometimes out of the channel capacity.\n    Mr. Lungren. I thank the gentleman.\n    Mr. Lungren. It is my pleasure to recognize the chairman of \nthe full committee, Mr. Thompson.\n    Mr. Thompson. Thank you. I am interested to know from Mr. \nPearce\'s answer that it was low risk. And the chairman just \nasked the question--you said, it was high risk; if I could get \nclarification and communication from one to the other, with the \ndams.\n    Mr. Todd. Excuse me, I am not quite understanding the \ndifference of what you are asking.\n    Mr. Lungren. Mr. Chairman, I was asking about--the highest \nrisk, as I understand it, comes from the control of the gates \nfrom the spillways and they are not on a SCADA system. Even \nthough they have a SCADA system that does deal with the gates \nthat go to the power plants, it deals with the volume, so the \nhighest risk.\n    Mr. Todd. 
Okay, I think I understand what you are asking. \nOur SCADA systems operate power plants, and in those power \ngeneration plants they have turbines which--we have special \ninlets which have some gates to those turbines. Those are much \nsmaller systems that, if all were turned on, for instance, full \nspeed, they would still operate within the channel capacity \ndownstream, so it wouldn\'t cause a catastrophe or consequences \nof damage and that sort of thing.\n    However, we also, in operating the dam, have much larger \ngates because of high flooding and other kinds of events that \nwe have to safeguard the dam itself. Those gates, which if \noperated at full capacity, might go out of the channel \ncapacity; those gates are not hooked up to the SCADA systems. \nSo our SCADA systems would only operate within the safe channel \ncapacity, itself, of the river.\n    Mr. Thompson. Is there a plan to put them on the system?\n    Mr. Todd. Not that I am aware of.\n    Mr. Thompson. Mr. Purdy, the President asked in 2003 that \nwe put together this National Infrastructure Protection Plan. \nAs you know, we have more or less missed deadlines, and when we \nfinally got it, GAO was very critical of the product. It was \npulled back, and I would assume that at some point we will have \nanother response or report put together.\n    Do you have any idea when we will have that?\n    Mr. Purdy. Well, I will expect the report to come out \nshortly after the first of the year. Once that report comes \nout, then the sector-specific plan--such as, our sector is \ninformation technology--there will be a 6-month period in which \nwe work with the private sector to create those plans.\n    So the specific implementation plans in each sector will be \nready 6 months after that.\n    Mr. Thompson. So we will miss the November deadline?\n    Mr. Purdy. Well, I will leave that up to my boss, the \nAssistant Secretary, to--I believe he is coming to the Hill on \nThursday. 
So I probably shouldn\'t officially comment on meeting \nthat deadline, but I am confident it will be there shortly \nafter the first of the year.\n    Mr. Thompson. Okay. All right.\n    Well, Mr. Chairman, I hope you noticed that we are still a \nlittle tardy with our deadline.\n    Mr. Lungren. I understand that. I also apologize for \ncalling you chairman. Either--\n    Mr. Thompson. No, I accept.\n    Mr. Lungren. Either I have granted Ms. Pelosi\'s fondest \nwish or I have inducted you into the Republican Hall of Fame, \nso whichever one you would like.\n    Mr. Thompson. Well, okay, either way, I accept.\n    The other thing, Mr. Purdy, I am a little concerned about \nis the fact that we don\'t have but two full-time employees in \nyour Department; is that correct?\n    Mr. Purdy. We have two Federal employees working on the \ncontrol systems area and 35 contractors. We have an allocation \nof 40.\n    Mr. Thompson. Explain the contractors to me.\n    Mr. Purdy. They are people paid--many of them are through \nthe national labs, for example, people that are not official \ngovernment employees that are paid on a contract basis through \na contractor. That is supporting our efforts in the control \nsystems area. My division is the National Cyber Security \nDivision which--control systems is one part of a broader \neffort.\n    So we have an allocation of 40 Federal employees. Of those, \nwe have two and one to be hired for the control systems area \nthat are official government employees.\n    Mr. Thompson. Now, the contractors, are those individuals \nthat are contracted?\n    Mr. Purdy. No, they are through companies or through the \nnational labs.\n    Mr. Thompson. All right.\n    Can you provide this committee with how much that is \ncosting taxpayers, rather than having full-time employees, how \nmuch we are paying those contract employees?\n    Mr. Purdy. Yes. We can get you how the funding is broken \ndown by contractors, yes, sir. 
We can get you that.\n    Mr. Thompson. For the record, can you tell me whether or \nnot we are paying more for those people based on contracts than \nif they were full-time employees?\n    Mr. Purdy. I can\'t. I haven\'t seen the per-person breakdown \nof it. So I can\'t answer that question, sir, but we will be \nable to give you information from which that will be obvious.\n    Mr. Thompson. Well, just tell me what your best guess is. \nYou are over it, right?\n    Mr. Purdy. I couldn\'t hear you.\n    Mr. Thompson. You are over it, right, you are over the \ndivision?\n    Mr. Purdy. Yes.\n    Mr. Thompson. You approve the contracts?\n    Mr. Purdy. Yes.\n    Mr. Thompson. Well, just give me a best guess whether we \npay more for the contract employees rather than if they were on \na Federal payroll.\n    Mr. Purdy. My best guess is, we are paying more for \ncontract employees, yes, sir.\n    Mr. Thompson. How much more?\n    Mr. Purdy. Sir, that really would be a guess. I really \nshouldn\'t venture there.\n    Mr. Thompson. Well, so is it your opinion that we get a \nbetter product with contract employees than full-time \nemployees?\n    Mr. Purdy. I am given a certain allocation of Federal \nemployees to achieve our mission and implement our objectives \nand goals. So to do that, we need to hire contractors to help \nus fulfill our mission.\n    Mr. Thompson. So, in other words, you can\'t hire but three \npeople?\n    Mr. Purdy. We can\'t hire but 40 people, right.\n    Mr. Thompson. Out of that 40, you chose to hire three in \nthe Federal system and then contract everyone else?\n    Mr. Purdy. That is correct.\n    Mr. Thompson. Even though it costs us more to contract, \nthere are 37 others?\n    Mr. Purdy. Yes, sir.\n    Mr. Thompson. Well, I guess when you have got a lot of \nmoney, you can do that.\n    Thank you, Mr. Chairman.\n    Mr. Lungren. Thank you, Mr. Thompson, Ranking Member \nThompson.\n    Ms. Brown-Waite.\n    Ms. Brown-Waite. 
Thank you very much, Mr. Chairman.\n    Perhaps as a follow-up to Mr. Thompson\'s question, if these \nare individuals and you have a contract with them, you \nobviously have a deliverable. What are they supposed to be \ndelivering?\n    Mr. Purdy. I am sorry.\n    Ms. Brown-Waite. What are the deliverables? Maybe that would help us to \nunderstand, when you do respond to the question, if you would \nalso put what the deliverables are, because it could very well \nbe that there isn\'t any qualified employee.\n    I think, in addition to the deliverables, a natural follow-\nup question is, what is the length of their contract and when \nare they supposed to produce and what are they supposed to \nproduce? I think that would be very appropriate.\n    I know you probably don\'t have that with you now. But in \naddition to how much are we spending, I think that that is an \nimportant follow-up component.\n    The SCADA system is something that I was familiar with. I \nused to be a contracts manager at a water management district, \nwhich meant I got to okay the payments, the monthly and \nquarterly payments for the SCADA systems, for their structures, \ntheir control structures. So, naturally there is a concern, you \nwant to make sure that they work. But that was long before 9/\n11, so when you look at all the other systems, obviously the \nwhole SCADA system of controls is just very, very important.\n    While we have concentrated on how many employees work for \nyou on SCADA, maybe we also need to ask, do you know how many \nare at NCSD?\n    Mr. Purdy. Well, as I said, we have an allocation of 40. We \nhave 25 or 26 in place. I believe we have six or seven in the \nhiring pipeline; we are pursuing hiring an additional balance \nof the 40.\n    Ms. Brown-Waite. Okay, and in a follow-up question, what is \nthe plan for the NCSD in the reorganization?\n    Mr. Purdy. 
Our division will move, of course, into the \nlarger preparedness directorate, the information analysis, \ninfrastructure protection directorate; that is, the Under \nSecretary level has become a preparedness directorate.\n    Within that, we will move along with the telecommunications \nfolks, called NCS, National Communications System. So cyber and \ntelecommunications will be under a new position that is being \ncreated for an assistant secretary for cyber and security \ntelecommunications. So we will be under a new assistant \nsecretary who will, in turn, be under the under secretary for \npreparedness.\n    Ms. Brown-Waite. I can tell you that so many constituents \njust feel that the Department of Homeland Security is nothing \nother than bureaucracy, layer upon layer, and that there is \njust a lot of concern out there that the major question is, are \nwe safer for it today.\n    Can you also tell me, Mr. Purdy, what progress is actually \nbeing made in developing standards for SCADA systems?\n    Mr. Purdy. Well, some of the members of the national labs \nhere can probably go into more detail than I can. But within \nthe framework of our plan for 2006, there was some discussion \nabout the cyber security protection framework to develop and \ndisseminate tools to assist the users in assessing their cyber \nsecurity practices against industry best practices and \nstandards. We are trying to work to perform those vulnerability \nassessments to identify the weaknesses in the systems against \nthose standards and recommend mitigative strategies for them.\n    The Process Control Systems Forum, which we cosponsor with \nthe Science and Technology Directorate, with the users--again, \nwe are working with the owners and operators, the vendors and \nthe national labs to help identify the specific standards for \nthe control systems against which we can judge how the actual \nowners and operators are doing.\n    Ms. Brown-Waite. 
So I think what you said is, there is no \nstandard yet, but you are working on it. Is that--\n    Mr. Purdy. We have a draft cyber security framework, as I \nsaid in my testimony, that we are going to be piloting this \nyear, that we will then be able to roll out this year--``this \nyear\'\' being 2006--so that the individual companies can do \ntheir assessments. That is going to be part of the effort as \ndiscussed by others to build the business case to convince the \nowners and operators to spend the money to meet the standards.\n    Ms. Brown-Waite. Do you believe that there is a way that \ngovernment can incentivize the private sector to actually \ndevelop smarter SCADA security?\n    Mr. Purdy. Well, within the context of software and in \ncontrolled systems, we want to do--and we have begun to do what \nAllan Paller was talking about, which is put in incentivizing \nprograms for those contracts which the Federal Government is \nbuying so that we can raise the bar in a nonmandatory way--not \nlike in a regulatory way, but if you want to get the contract, \nyou have to have the security built into the system you are \nselling. We believe that is an important basis.\n    In addition, having the assessments and the framework and \nthe tools for self-assessment, that is going to help encourage \nand make the business case for the private sector to spend the \nmoney.\n    Ms. Brown-Waite. Thank you, Mr. Purdy.\n    I yield back my time. I thank the chairman.\n    Mr. Lungren. I thank the gentlelady.\n    The gentlelady, Ms. Norton, is recognized for 5 minutes.\n    Ms. Norton. Thank you, Mr. Chairman. Actually, it is this \nlatter point, and I was going to direct the question to Mr. 
\nPaller, because I was intrigued with his notion of requirements \nof the contractor essentially to deliver security-ready \nsystems.\n    It seems so obvious that I have to ask you--it seems \nobvious because, obviously, if you are delivering to the big \ngranddaddy of them all, the Federal Government, you really do \ncall the shots. You know, it is like Texas calling the shots on \ntextbooks that everybody else has got to use, because they have \nmore kids. Or it is like Medicaid prescription drugs, where we \nought to be taking advantage of our market advantage. This goes \nto the underlying substance: Who in the hell needs this more \nthan the Federal Government?\n    What are the--I mean, what do we--what are the barriers? I \nmean, for example, is this very costly to do? If so, you know, \nI can\'t imagine that it would cost us even more to do it after \nwe got it. So that is one question.\n    Are there security reasons? Is there some discussion of \ncontractors and whether or not you want them that much, excuse \nme, in on your business, but they, of course, I presume, know \nall this in the first place.\n    I would like to know what are the real barriers to this and \nwhether it can be done, because you indicated it can be done \npretty quickly.\n    Mr. Paller. There are two barriers that we have seen, one--\nand they are both real, so that when people fight against it, \nthey are fighting not irrationally.\n    One is, if you take responsibility for securing systems and \nyou deliver a more secure system, when the user wants to do \nsomething that is not turned on by default, he may call up for \nsupport. So there is a support issue that comes in.\n    But the much larger one, that the lawyers get involved in, \nis that they are worried about taking liability. They are \nconcerned that if they say, now we are going to give you a more \nsecure system, that somehow the trial lawyers will be all \naround them. 
At least that is what they say.
    But could I just take one second and answer another
question that I wasn't asked?
    Ms. Norton. On my time?
    Mr. Paller. Yes.
    Ms. Norton. No. Because I have another question.
    Mr. Paller. All right. You.
    Mr. Lungren. Normally, we would allow you, but we have a
short time frame here.
    Ms. Norton. If he would have extended my time--see, he is
not going to do that.
    I have got to go to Mr. Purdy and ask him about the four
cyber security managers in so short a period of time, high
turnover, and of all positions, the security managers at DHS.
As I understand it, the last turnover was in January. This
doesn't make me feel very secure.
    Mr. Purdy, I would like to know why there is such turnover
in the cyber security managers, what you can do to correct it.
I can't believe it is good for the system.
    I want to know what the effect is on cyber security, and I
want to know why the Secretary hasn't appointed a new cyber
security manager here in the month of October?
    Mr. Purdy. Well, let me address the last question first. It
is certainly my expectation and hope that now that the new
directorate is stood up by the President signing the Department
of Homeland Security budget, that Secretary Chertoff will
announce the appointment of an assistant secretary for cyber
security and intelligence.
    Ms. Norton. Excuse me, so you are saying it was a budget
question?
    Mr. Purdy. The position did not exist before the President
signed the budget. All I am saying is, it is my expectation.
    Ms. Norton. I thought there were four cyber security
managers. So you are saying the position of cyber security
managers did not exist?
    Mr. Purdy. I am sorry. I am trying to answer your last
question first, the question on Secretary Chertoff appointing a
new assistant secretary for cyber security and
telecommunication.
And I was saying, it is my hope and
expectation that he will make that appointment very soon now
that the new directorate has been stood up.
    I think the publicity about high-level departures from my
division is really overblown. To me, the progress that we made
from the time I came over from the White House, having worked
on the national strategy, in April of 2003, through the time
when Amit Yoran, my predecessor, was in office and some of the
other folks have left and are gone, we have built and have
implemented a very important complex plan to reduce our cyber
risk. We do not believe that has been impacted by individuals'
departing.
    Ms. Norton. Why are they departing? Please answer my
question; I have limited time.
    If there have been these rapid departures, one, why have
they departed; and two, what can we do to keep turnover in all
divisions of cyber security managers? I would like to ask my
question because, you know, everybody is going to leave here in
a minute.
    Mr. Purdy. Some of the positions were departures based on
personal reasons that were not related to mission. I think that
is primarily what we are talking about, not related to mission.
    We believe we have the positions in place. We have the plan
in place. We have the funding, particularly with the additional
2006 money, that we are going to be able to keep strong people,
and we are going to be able to implement our strategic plan.
    Ms. Norton. I will accept that as a promise.
    Thank you, Mr. Chairman.
    Mr. Lungren. I thank the gentlelady.
    Ms. Jackson-Lee is recognized for 5 minutes.
    Ms. Jackson-Lee. Thank you very much, Mr. Chairman, and to
the ranking member. We don't have a lot of time for what I
think is a very important hearing.
    I guess I remain troubled by, one--Mr. Purdy, maybe you can
tell me, you might be under review or under the consent process
of the Senate. You might advise me of that.
But I continue to
be troubled by the acting director scenario, because I think in
the Department of Homeland Security we are rattled, if you
will, with interim and acting personnel when we have a very
serious challenge. So I know in the course of your response,
you will provide me with that.
    I would like, first of all, to ask unanimous consent to
have my statement submitted into the record, Mr. Chairman.
    Mr. Lungren. It is so submitted.
    Ms. Jackson-Lee. But what I would like you to walk me
through again, and if you have said this previously, thank you
for repeating it in a more detailed manner, and that is the
absence of a National Infrastructure Protection Plan. Why don't
you tell me why no such plan exists?
    I am sure you are going to tell me that it is either being
worked on or it has been submitted, and I missed it. But then
also tell me what you would expect to see in such a plan?
    Let me just highlight for you that in the course of at
least 6 months, we have had a number of incidents at our
chemical plants and refineries in the gulf coast region. Adding
to the misery, of course, were Hurricanes Katrina and Rita in
terms of control data systems determining the status of those
particular entities, one, the vulnerability to terrorism and
other catastrophes that might make the situation worse.
    So obviously this hearing is extremely important, because
we are talking about control systems and SCADA systems which
are sometimes confused and intermingled.
    I think it is obviously a failure that we have never
finished our national vulnerability assessment or national
threat assessment that I think many of us have been asking for
for a number of years now, since 9/11.
    Now I understand that we don't have the particular National
Infrastructure Protection Plan relevant to the issues at hand.
Would you, first of all, respond to--you could give me your
status, but would you both tell me whether there is an existing
plan, but then what you would expect or would see, expect to
see, in such a plan to be presented and to be in place?
    Mr. Purdy.
    Mr. Purdy. So the existing status, you are talking about my
acting director position?
    Ms. Jackson-Lee. I am. Are you acting or are you in the
middle of being confirmed?
    Mr. Purdy. No.
    Ms. Jackson-Lee. Or what is your stance?
    Mr. Purdy. No. I am the Acting Director of the National
Cyber Security Division, and we are waiting for the appointment
of an assistant secretary for cyber security and
telecommunications, who will be my boss; and he or she will
make the decision of whether I will be director or in some
other position.
    Ms. Jackson-Lee. So we are in complete disarray?
    Mr. Purdy. No, I think we are implementing our strategic
plan in furtherance of the National Strategy to Secure
Cyberspace. I think we are making demonstrable progress, and we
are happy to brief you in more detail on it.
    Ms. Jackson-Lee. Can you help me then with the question
that I asked, why do we not have such a plan right now?
    Mr. Purdy. The responsibility for the plan is the
responsibility of my boss, the Assistant Secretary.
    Ms. Jackson-Lee. Who doesn't exist at this time?
    Mr. Purdy. The Assistant Secretary for Infrastructure
Protection, until the time that President Bush signed the
budget, was my boss. When the budget is signed, as soon as my
bosses tell me that there is a change, then there is a vacancy
creating an assistant secretary for cyber security and
telecommunications who will be my boss.
So we are in a little
bit of a transition period.
    But in response to your question, they didn't want to make
a decision to drop the ``Acting'' from my title, giving the
opportunity to the person who will be my boss, so that he or
she can decide who they want in that position and how they want
to organize cyber security and telecommunications in a cohesive
and integrated way.
    Ms. Jackson-Lee. Let me acknowledge that I am putting you
in probably an untenable and embarrassing and compromising
position in terms of trying to answer the question. Let me
thank you, first of all, for your service, but let me admit
that what you have just said sounded as convoluted as one might
imagine.
    It is almost incomprehensible what you just said. I think I
gleaned from it that someone that was in the position went on
to something else, and they are dealing with the budget, and
therefore, we are not in order.
    I would only say to you this: The acts of terror really
don't make appointments, and they don't respond to our lack of
personnel in place. So your response certainly is not your
responsibility and fault. But let me go on record and say that
we are in disarray, and we are dangerously in disarray in a
very important area.
    I do acknowledge that recent legislation had funding in the
cyber security area, and I am very glad of that, and amendments
that we have put forward have been accepted, but still--would
you please answer the question again?
    I don't think we will agree on whether or not the area
where you are in is in order, but can we at least agree, is
there or is there not a National Infrastructure Protection
Plan, yes or no; and if there is not, prospectively what would
you expect to be included in that plan?
    Mr. Purdy.
The draft of the National Infrastructure
Protection Plan is on Secretary Chertoff's desk, and we expect
it to be circulated for additional comment in the next few
weeks.
    Mr. Lungren. The gentlelady's time has expired.
    Ms. Jackson-Lee. I thank the chairman.
    Mr. Lungren. The gentleman from North Carolina, Mr.
Etheridge, is recognized for 5 minutes.
    Mr. Etheridge. Thank you, Mr. Chairman.
    Mr. Purdy, at the risk of embarrassment, I am going to go
back to the issue that we are still on, and then I have--I am
going to move on and try to get to another question.
    As you draft the response to this question on the budget
that you had indicated you will share with us relative to the
40 slots that are available in your area, I recognize that you
are only the Acting Director. But that doesn't matter; this
committee deserves the information.
    I would like to know, and I think the other members of the
committee would like to know, as you look at that, since we
only have three permanent positions, what--as you draft the
numbers for the cost of the contractors, how much the taxpayers
of this country would be saving if we had full-time positions
and what the turnover would be if they were not contractors
that moved back and forth.
    I think it is critical--and I am not going to ask you
to answer that today, but I think it is a critical issue to
have permanent people you can have access to, that can be
trained, who aren't likely to have the information and you have
to move on and you have to have different people in place. I
think that has a real impact on continuity.
    Because you said early on that cyber security is important.
I happen to believe it is, and if it is important, it ought to
be important enough to have permanent, full-time people to be
there in place on a daily basis to deal with these issues that
are important to the taxpayers of this country and to the
people of America.
    I hope you agree with that.
    Mr. Purdy. Yes, sir.
    Mr. Etheridge. I hope you will add that to the material you
are going to send us.
    Now, my question is this: I wanted to follow up, and you
probably can't answer it, because you have tried to get to it
and haven't really answered it thus far, simply because I think
it is above your pay grade, and that is inappropriate, because
having as many people in this position since the Department has
been funded creates a real problem of continuity for people
now, in this period of time, without having someone permanent.
    I am going to leave that out there and not ask you to
respond to it, because I think it is inappropriate to ask you
to respond to it. But I trust this information will get back to
the Department. Hopefully, the Secretary will be here at some
point, and we will have an opportunity to ask that question.
    My question to you and to Dr. Rush and Mr. Paller--I will
say this: The Department of Homeland Security established the
Process Control Systems Forum to facilitate communication
between government, industry, vendors and academia. Are you
familiar with that?
    Okay.
    How effective has this endeavor been, and do you know of
any meetings between these groups? If you do, what was the
outcome?
    Mr. Rush. Yes. I would say those are some of the most
effective activities I have seen.
    We are developing standards; we are feeding them in. There
are two activities--well, really three, but the two that you
mentioned, the PCSF, the Process Control Systems Forum has
brought together the vendors, the manufacturers, the users,
cryptographic experts, the whole field.
That has been very
effective.
    There was a question about coordinating Chairs. We had a
meeting just a couple of weeks ago where there were literally
dozens of organizations getting together and swapping
glossaries and making substantial progress.
    Mr. Etheridge. Beyond philosophies, though, did we get any
results?
    Mr. Rush. Absolutely.
    Mr. Etheridge. Can you name, share with us some of the
results?
    Mr. Rush. In terms of things that are out there?
    Mr. Etheridge. Yes, please.
    Mr. Rush. Here is a product that conforms to one of the
standards. What you need to understand is the standards groups
are volunteer organizations, and they don't have the resources
to coordinate. This provides them with exactly the forum that
they need to exchange. We have got 100 groups working
independently. Imagine 100 congressional committees not talking
to each other.
    Mr. Etheridge. Good. Thank you.
    Mr. Paller. Yes. It is a wonderful talking group. Bill's
outcome is very real. There is a problem with groups like that.
It was seen in the health--the security of the health devices,
CAT scanners and things like that.
    When the vendors have too big a role, implementation of
security is delayed almost endlessly. So at some point, the
users have to say, this is our need, our things are at risk.
Vendors are going to have to deliver what we say rather than
letting the vendors hold it up.
    So PCSF is the best thing out there, but at some point the
vendors will have to be asked to wait outside while they vote.
    Mr. Etheridge. Mr. Purdy.
    Mr. Purdy. In addition, the PCSF has provided the input
that has led to the development of the security framework,
which helped set the best practices and also provided the input
for the development of the assessment tool.
The assessment
tool, which is now being used to test, is used to assess the
cyber components of the control systems and then provide the
checklist and the questionnaire to determine the particular
vulnerabilities and whether the mitigation steps have been put
in place. That collaborative effort is what is helping to drive
solutions to a very complex problem.
    One of the reasons for the complexity is that so many
different owners and operators have so many different systems
with different levels of maturity. So it is hard to have one
set fix across the board to make it better. So that is why the
collaboration in developing these tools in the framework has
been so important.
    Mr. Etheridge. Thank you. I yield back.
    Mr. Lungren. The gentlelady from the Virgin Islands, Mrs.
Christensen, is recognized for 5 minutes.
    Mrs. Christensen. Thanks, Mr. Chairman. Let me ask a little
bit different question.
    I want to ask Mr. Paller about the training, because that
is your responsibility also, the training of the technical
security professionals. Where are we, how many have you
trained? What is our need? How are we meeting that need?
    Also, where did the students come from? And do you work
with universities, and if you work with universities, to what
extent are minority-serving institutions involved?
    Mr. Paller. When we get all done training everybody we can
train, we won't have touched 1 percent of the people who have
control of these systems. So the solution is not to train more
people. We have got to build safer systems; then the training
will have an effect. So as hard as we work, we will never get
there.
    I do want to go back to Mr. Reichert's question. We
actually work with universities and local law enforcement. They
don't have the funds that large companies do, so we have major
programs where we cut the costs of education by about 85
percent, so they get a much lower cost.
So locally we work with
the FBI to set up these programs for local law enforcement. It
actually is wonderful, because they give more feedback, and
they are the best students we get.
    But the training of the SCADA people, we have just begun
with courses on how you measure SCADA security, and they are
just starting. I think the jury is still out. You have got two
groups. You have SCADA engineers on the one side and security
people on the other side, and getting the course right for
those two interest groups is challenging. So we will know in
the spring how that works.
    Mrs. Christensen. Okay, just one other question for Mr.
Todd. Since I sit on the Resources Committee, I am glad
to know that your SCADA system is not connected to the
administrative systems because that is one of the problems we
are reading about.
    Do you monitor only the 17 dams that the Bureau has created
or are you monitoring the private dams? Have you used the RAM-D
to assess the threats, vulnerabilities and consequences; and to
what extent are the dams that you are assessing, how far along
are you?
    Mr. Todd. We--of course, as you said, we don't have any
responsibility for the non-Federal dams. But in reclamation, we
have 252 high and significant hazard facilities, and of those
facilities, we have assessed all of them. What we would call
our ``major mission-critical facilities,'' which are the very
top-producing power-generating dams and also very high dams, we
have used the RAM-D on. There are about 50 of those that we
used the RAM-D that was developed in conjunction with Sandia.
Those are assessed, and those are the ones that we did.
    Now we have used the other ones. We have done different
priority dams and low-cost methods.
    Mrs. Christensen. I yield back my time.
    Mr. Lungren. I thank the gentlelady for yielding.
    Mr. Dicks is recognized for 5 minutes.
    Mr. Dicks.
I wanted to go to the dams question. It says
here, significant information on control systems is publicly
available. It says design and maintenance documents, technical
standards for the interconnection of control systems and
standards for communication among control systems, all of which
could assist hackers in understanding the system and how to
attack them. Moreover, there are numerous former employees,
vendors, supporters, contractors and others, end users of the
same equipment, worldwide, who have inside knowledge about the
operation of the control systems.
    So, Mr. Todd--and we have got information here that al-
Qa'ida has, in fact, said they are interested in the operation
of these dams. I am told--maybe you covered this earlier, but I
have got to go back to it.
    We have heard the story of a hacker gaining control of some
systems of the Roosevelt Dam in Arizona, which holds 400
trillion gallons of water. What is the worst damage that could
have been done there?
    Mr. Todd. In that particular situation--and that happened a
number of years ago and, of course, there have been a lot of
upgrades to that system to not allow that to happen again; that
individual did intrude, but did not get access or gain access
to any of the operation of the gates and so forth.
    Mr. Dicks. Could it be done from outside?
    Mr. Todd. Well, yes, there are always those possibilities
that it could be done, especially if it is hooked up to outside
systems.
    We believe that is a low risk in our system because they
are not hooked up to outside systems.
    Mr. Dicks. Is there encryption?
    Mr. Todd. Yes, there is.
    Mr. Dicks. Let us say a terrorist got control of the dam.
Is there a way to override this system at the dam?
    Mr. Todd. Yes, there is. We have operators on 24 hours a
day.
When we notice that the particular facilities that are
controlled are not operating in the way that we believe they
should be, we have manual controls. We do send our maintenance
people out to check those. Sometimes we take over in manual
control and operate the system manually just because there may
be a glitch or something.
    So, yes, we do have ways to do that.
    Mr. Dicks. Do you have a comment there at the end, Mr.
Paller?
    Mr. Paller. Yes, I have a small comment. There are two
other ways to connect to these.
    First of all, the word SCADA doesn't cover all the control
systems. We had a fight about that this morning. SCADA is just
the distributed system; sometimes the very big gates use other
systems called digital control systems.
    I don't know to what extent those gates are not controlled
by SCADA, but controlled by digital control systems. If there
is a digital control system, most of those have dial-up access
for maintenance ports, and Bill knows a lot about this.
    So this idea--SCADA is not connected, doesn't define the
whole problem. I am not saying that what--
    Mr. Dicks. You are saying there are other vulnerabilities?
    Mr. Paller. There are other ways of getting into those
systems besides the Internet. There are other systems that
control those gates besides SCADA systems. Sometimes they are
called DCS, sometimes they are called RTUs; they have got other
names.
    Mr. Dicks. Could hackers get into those systems as well?
    Mr. Paller. The FBI has reported that they already have. It
might not be true. I mean, the only data I have got is, the FBI
has reported it has.
    Mr. Dicks. Interesting point.
    Mr. Paller. No, listen, it wasn't--it wasn't attacked.
    Mr. Dicks. Now, does the Bureau of Reclamation, do you have
control over the Army Corps of Engineers dams?
    Mr. Todd. No, sir, we do not.
    Mr. Dicks. So they are completely separate?
    Mr. Todd.
Yes, they are.
    Mr. Dicks. All the private dams are separate?
    Mr. Todd. Yes, they are.
    Mr. Dicks. Are you working to try to develop best practices
in the industry?
    Mr. Todd. Yes, we have, especially on the physical side. We
work directly with the Corps of Engineers and TVA and Homeland
Security on those systems, and we are fully engaged in that.
One of the outcomes of the Government Coordinating Council is
to work with the private side and to get information sharing
and communications going, so we believe that is working well.
    Mr. Dicks. Mr. Purdy, they beat up on you pretty good
today. Let me ask you this.
    We spent a couple billion dollars, several billion dollars
at the Department of Defense trying to put in place encryption
on all kinds of different defense systems.
    Have you benefited from any of that? Does Homeland Security
get briefed on information from Defense about what they did to
secure their systems?
    Mr. Purdy. Yes. We have a close working relationship with
the Information Assurance office within the Department of
Defense, as well as a similar entity within the National
Security Agency. So we share in the benefits of the information
that they have gleaned and share with us.
    Mr. Dicks. Can you give us any examples of anything that has
been achieved?
    Mr. Purdy. Well, I can't mention--I don't recall.
    Mr. Dicks. If this is classified--I don't want to get into
classified information obviously.
    Mr. Purdy. I can't recall specific encryption benefits, but
in those kinds of techniques, things as simple as making sure
you encrypt the data not only in transit, but at rest, and how
to protect those databases from attack are some of the examples
of things that we have learned from them.
    Mr. Dicks. Any comments on this point from any of the other
witnesses?
    Mr. Rush. Yes.
We have actually--completely, independently,
as an industry organization, the American Gas Association got
together with a group of people and put together an open
standard. Any company can build it, and it provides a very high
level of protection, not military grade, and it is an open
standard. It is ready.
    We have two manufacturers who have begun producing
prototypes. It is ready to go. We are not talking something
theoretical.
    Mr. Dicks. Are people ordering it? Are companies ordering
it?
    Mr. Rush. At this point they are ordering them
in small numbers, yes, they are. But they are only ordering
them in evaluation kits, typically about five.
    Until it works and people have tested it, people will be
slow to adopt them. But, yes, they are adopting them.
    Mr. Dicks. Thank you, Mr. Chairman.
    Mr. Lungren. I think we have about 6 minutes to get over to
the floor to vote on the first 15-minute vote.
    I want to thank this panel. I think it has been very
helpful, very instructive. We make requests that all or some of
you come back at another time, because this subcommittee--I am
sure my cochair shares this--desires to continue to look at
this.
    I thank you all for your valuable testimony and the members
for their questions. The members of the committee may have some
additional questions for the witnesses, and they may submit
them to you in writing. I would hope that you would answer
those in a timely fashion. The hearing record will be held open
for 10 days.
    Mr. Lungren. The committee stands adjourned.
    [Whereupon, at 5:40 p.m., the subcommittee was adjourned.]


                            A P P E N D I X

                              ----------


 Dr. K.P. Ananth Responses to Hon. Daniel E. Lungren, and Hon. Dave G.
                Reichert, Letter dated November 8, 2005

I.
The Threat: Probability/Impact of Attacks on SCADA Systems
    1. Based on available research, how likely is an attack on a SCADA
system?
    Based on a review of 120 incidents, the current likelihood of a
severe attack is low; but if the rate of incidents follows what has
been seen for the Internet in general, we forecast that the risk will
rise to a significant level in the future. Documented case histories
show that activity has increased significantly since 1988. Many of
these incidents come from the Internet by way of opportunistic viruses,
trojans, and worms, but a surprisingly large number are directed acts
of sabotage. Additionally, it is likely that there are many attacks not
being reported because many asset owners are reluctant to share or
report their experience.
    SCADA systems are currently at risk from attacks stemming from a
broad spectrum of attackers ranging from common Internet threats to
directed attacks by individuals. The likelihood that SCADA systems are
attacked in a manner that results in severe consequences is dependent
on the potential attacker's motivation, intent, and expertise. SCADA
systems are vulnerable and can be exploited to result in a disruption
in service if an attacker invests enough time to learn the system
before they attack. To date, the majority of reported attacks against
SCADA systems have been the result of general Internet propagating
viruses and worms that were opportunistic in nature and not directed.

    2. What cyber security failures and incidents have you seen with
SCADA networks?
    Incidents to date have exposed poor security processes and
vulnerable technology implementations.
The lack of general awareness as
to how the technology can be exploited has resulted in vulnerable
technology implementations and weak security practices.
    In the past, incomplete security efforts and risky practices have
allowed common Internet attacks to randomly bleed into SCADA
environments. In one example, servers infected before shipping by the
manufacturer were mounted directly onto a control system network.
    Security incidents impacting SCADA/control systems have been
documented in 11 sectors. The largest number of incidents has occurred
in the petroleum, power and utilities, transportation, and chemical
sectors, which combine for over 70% of the incidents observed. None of
the documented incidents have resulted in a significant event that
resulted in loss of life, major disruption of service, or economic
impacts. The US-CERT Control Systems Security Center (CSSC) has issued
a report describing the reported incidents. (US-CERT Control Systems
Security Center, Industrial Security Incidents, June 9, 2005)

    3. Based on all available research, how frequently are SCADA
networks attacked?
    There have been only a few reports of directed attempts to
penetrate and compromise operational control systems. However, there is
no way to know with a high degree of confidence how many attacks take
place because there is currently no formal center to report cyber
attacks on control systems. A single reporting center is operated by
the British Columbia Institute of Technology (BCIT). But reporting to
the BCIT incident reporting system is purely voluntary. The BCIT
primarily represents North America (Canada and the United States) with
several members from the UK and Australia. It is doubtful that the
reporting to the BCIT represents more than 10% of the total number of
events. The CSSC has also collected incidents from several other
reporting sources.
These sources have documented approximately 120
documented cases in the past 20 years with the majority (more than 70%)
occurring in the past 5 years. Therefore, a reasonable estimate of the
number of attacks, resulting in some damage, is between 20 and 200 per
year. General cyber security monitoring at the perimeters of
organizations using power sector SCADA systems has shown a higher rate
of system probes and cyber reconnaissance activity than organizations
belonging to other sectors.
    This estimate includes a wide range of possibilities because actual
incident reporting is very low. The low percentage of incidents that
get reported is due to several factors, including:
        <bullet> Organizations often perceive risk in reporting
        security incidents
        <bullet> Many organizations lack the technical skill sets to
        detect sophisticated intrusions or to forensically investigate
        such activity
        <bullet> Security technology is not well-suited for SCADA
        environments and existing technology has few features that
        lend themselves to detecting attack activity
        <bullet> Lack of general awareness as to the vulnerability of
        SCADA systems often results in not enough attention or efforts
        to detect attack activity.
    The most immediate need in the arena of incident tracking is a more
effective way of reporting cyber attacks (all or at least successful)
on control systems. This enhanced reporting system needs to be a joint
effort between industry and government and needs to provide anonymity
to the reporter.
    Technology trends will continue to create more vulnerabilities, and
provide greater opportunities for threat actors to access control
system networks.
More interconnectivity and communication among cyber \nsystems will lead to increased opportunities for talented people to \nbreach the security systems and maliciously manipulate information or \ncontrol system functions. We also anticipate this interconnectivity and \ncommunication capability to increase in control systems, at least for \nthe foreseeable future. While access to operator information and \ndenial-of-service attacks may cost industry money or result in \nembarrassment, the manipulation of system functions using this \ninformation can have more far-reaching consequences.\n\n    4. Is it possible to devise an attack to disable or disrupt a SCADA \nnetwork for an extended period of time? If so, what is being done to \nmitigate such attacks?\n    Based on current testing and the knowledge of only a small number \nof actual control system implementations, we believe that cyber attacks \ncan be devised to potentially disrupt SCADA systems (electric sector \ncontrol systems) for as long as five to seven days. However, this does \nnot necessarily translate into a failure of the physical system or \ncontrolled process for the same time frame. It is possible for a \nsophisticated attack to poison databases and files over time that would \nrequire a system re-build and re-configuration before the control \nsystem would function normally. More research is needed to investigate \nif cyber attacks can cause significant failures in long lead time \nphysical equipment, such as transformers and generators. Similar \nstudies are also needed in other sectors such as water, transportation, \nand chemical plants to assess equipment impact and downtime.\n    Our cyber security researchers have demonstrated the ability to \nphysically destroy many of the IT components used in the control of a \nSCADA system. The practice is commonly referred to by hackers as \n``bricking\'\' a box. There are many ways to require that a SCADA system \nbe rebuilt from the ground up. 
Additionally, if the attacker plants a \nprogram in the backup sets ahead of time, the system will just destroy \nitself again as soon as it is brought back online. The attacker can \nalso plant programs in non-essential equipment such as card readers, \nand printers that are unlikely to be found. The result is long-term \ndisruption of service.\n    Many of the physical devices are set to automatically shut off at \npreprogrammed points to protect the devices from overheating/\noverdriving/overworking. In some instances an attacker can reset those \npoints and drive the hardware to failure. Rhythmically turning on and \noff a 480-volt motor can destroy it. Operating a valve hundreds of \ntimes a second can destroy it. Flow-cooled pumps will overheat and fail \nif the valve is closed while the pump is running. Many other scenarios \nare easy to find and exploit.\n    Based on our testing in a representative configuration (an electric \nsector EMS system) established in the test beds, it is possible to \ndisrupt system operation through cyber attack. The duration of the \ndisruption will depend to a large extent on the types of attacks \nexecuted, the specific owner/user\'s system configuration, backup \ncapability, and response/recovery practices. Mitigation efforts to date \nhave focused on identifying specific vulnerabilities by examining \nrepresentative systems in the test beds and providing information to \nsystem vendors who then eliminate the vulnerabilities in their \nproducts. Work in the test beds is also helping to identify the best \npractices that can be implemented by both the vendors and the users in \nmaking their systems less vulnerable. A significant effort is being \nmade to enhance owner and vendor awareness of the methods for reducing \nvulnerabilities.\n\n5. (Not assigned)\n\n6. Electric power is important for nearly all the things that Americans \ndo--from businesses to schools to government to many forms of \nrecreation. 
Has your research shown that the SCADA systems that control \nour power generation and distribution are fully protected from attacks \nlaunched from the Internet? If not, what kind of damage do your \nresearchers believe smart, well researched attacks could cause?\n    Although some SCADA systems that control power generation and \ntransmission currently have some form of cyber protection, power sector \nSCADA systems are not ``fully protected\'\' from Internet-launched \nattacks. Research has shown that the majority of vendor solutions are \nvulnerable to a cyber-based attack coming from the Internet and through \nthe surrounding corporate network that could result in a complete loss \nof system control. Those attacks were successfully demonstrated despite \nthe use of common configuration practices and the use of available \nsecurity technologies (IDS, Firewalls, etc). For obvious reasons the \nmajority of this research has not been replicated in the field but INL \nhas the ability to create very large scale control system and physical \ninfrastructure simulations in both the electric and chemical processing \nsectors.\n    We have also seen evidence of SCADA systems being vulnerable to \nnon-expert-based attacks. In fact, non-directed common and \nopportunistic threats, such as viruses and worms, have impacted SCADA \nsystems. Considering a random threat such as a virus can impact a SCADA \nsystem, a well resourced and motivated threat actor could compromise a \ncontrol network and cause significant disruption to power SCADA \nsystems. The disruptions may or may not result in wide-spread power \noutages depending on how much the attacker learned once inside of the \ntarget\'s control system. 
Certainly, a directed attack can result in \ninjected commands being passed through the SCADA system to breakers in \nthe field possibly resulting in breakers taking lines out of service.\n    Assessments performed in the test beds show that typical control \nsystems can be compromised from the Internet if the attacker has some \nunderstanding of the system. Much of that system information can be \nobtained by a patient study of open source information. A well-\norchestrated attack could provide the attacker with the capability to \ntake over the operator\'s function, potentially without the knowledge of \nthe operator. While strongly influenced by system configuration and \noperating policies, there is the potential to cause damage to equipment \nthrough the manipulation of operating and safety limit set points.\n\n7. (Not Assigned)\n\n8. We\'ve heard a lot about the impact of a terrorist attack on a \ncontrol system. But as we saw during Katrina, natural disasters can \ncause devastating impacts to our control systems infrastructures too. \nWhat kind of impact would natural disaster have on control systems in \nCalifornia (earthquakes), Oregon (Tidal waves/Tsunamis), The Gulf Coast \n(Hurricanes), elsewhere?\n    Any event, whether manmade or natural, resulting in the destruction \nof physical equipment and the loss of supporting services like water, \npower, and communications can negatively impact SCADA systems. \nAnecdotal information and data emerging from hurricanes Katrina and \nRita are showing that, for SCADA and other control systems (and other \nutility operations), the need to plan and prepare for an ``all hazards \napproach,\'\' rather than more narrowly defined scenarios, is crucial.\n    We learned from Hurricane Katrina that the main impact to a control \nsystem from a natural disaster is the remote entities that the system \nconnects with (e.g. customers, substations, transmission lines). 
After \nthe August 29th landfall of Hurricane Katrina in Louisiana, 2.7 million \ncustomers were without power, 263 substations and 181 lines were not \noperating. As of September 22nd, less than 250,000 customers are \nwithout power and 19 substations and 25 lines remain out (data from the \nOffice of Electricity Delivery and Energy Reliability U.S. Department \nof Energy, Hurricane Katrina Situation Report #42, September 23, 2005). \nThe control centers themselves are normally less vulnerable than the \nremote devices that are being controlled and queried for status.\n    The ability for a control system to minimize impact from a natural \ndisaster is directly related to the system owner\'s continuity of \noperations, disaster recovery planning, and overall preparedness to \nhandle natural disasters as discussed in the US CERT website (US-CERT \nInformational Paper September 16, 2005, produced by the US CERT Control \nSystems Security Center, Hurricane Katrina Control System Assistance \nhttp://www.us-cert.reading_room/KatrinaCSA.pdf).\n    The control system is only as good as the data it can receive. With \nlimited view and communications, the systems\' components and the \napplications designed for automatic control cannot be used properly \nwithout subject matter experts making the decisions. In the case of \nKatrina, the restoration process was hampered by the other \ncommunications outages of telephone and wireless.\n    The National Infrastructure Simulation and Analysis Center (NISAC) \nprovides advanced modeling and simulation capabilities for the analysis \nof critical infrastructures, their interdependencies, vulnerabilities, \nand complexities. It would be helpful to study lessons learned during \nKatrina on the effectiveness of the NISAC models.\n\nII. The Public/Private Relationship in Developing a SCADA Solution\n\n    1. I understand the National Labs are conducting extensive research \ninto SCADA and Control Systems. 
What resources are you currently \nlacking? How are you coordinating these efforts with the private \nsector? What can the federal government do to provide more resources?\n    Needed Resources: INL recommends a 5-year funding profile that \nallows the development of long-term programs to support critical \ninfrastructure sectors\' immediate and long-term complex SCADA \nchallenges. The uncertainty of year-to-year funding and funding delays \nat the beginning of the fiscal year negatively impact our ability to \nprovide sustained research to identify vulnerabilities and to develop \nsolutions to fix vulnerabilities aligned with asset owner and vendor-\ndriven timelines.\n    Sustained funding will allow us to successfully decrease risks to \ncontrol systems by conducting ongoing tests to identify vulnerabilities \nand develop mitigations, raising awareness and helping organizations \ndevelop the right mind set to protect SCADA systems, gaining access to \nmore credible incident information, conducting in depth research and \ntesting to explore possible consequences and outcomes, and monitoring \nthe cyber underground to gauge their knowledge of and interest in SCADA \nsystems.\n    Private sector coordination efforts: INL is working directly with \nasset owners and vendors to evaluate their system vulnerabilities and \nimplement mitigation steps. These evaluations are protected on a \nnondisclosure basis.\n    INL is engaging national experts from industry, national labs, and \nacademia in dialog to keep current on allied research and best \npractices and to share that knowledge with industry. In FY-05, we \nconducted nine regional workshops and participated in the Process \nControl Forum. These interactions directly impacted 280 asset owners.\n    Our industry outreach program includes training and awareness \ndemonstrations of the means and effects of a cyber attack on control \nsystems. 
These demonstrations and training activities are ongoing with \npositive feedback from industry and government participants. These \ninclude live demonstrations of attacks/effects on small scale \nrepresentative control systems for chemical and electric system \nprocesses and cyber security--control systems training uses these tools \nand subject matter experts.\n    Additional federal government resources: Along with sustained 5-\nyear funding, designate INL as a National Center of Excellence and User \nCenter for SCADA, Cyber Security, and Critical Infrastructure \nProtection. The Center would be modeled after existing National User \nFacilities at other DOE National Labs, such as the High Temperature \nMaterials Laboratory at Oak Ridge National Lab or the Light Source \nFacility at the Brookhaven National Laboratory. The Center designation \nwould capitalize on INL SCADA test beds and full scale infrastructure \nassets, build on our proven track record with asset owners and vendors \nto identify and mitigate cyber vulnerabilities, and provide an \nindependent, scientific organization that tests and validates the \nvulnerabilities and identifies solutions. The result is federal/private \npartnerships with high value to the critical infrastructure owners and \ntheir vendors.\n    With long-term dedicated funding, INL can move from the current \nresearch approach, which focuses testing on specific attacks as a \nmethod of raising vendor awareness, to conducting extensive assessments \nin a comprehensive fashion. We would develop consistent methodologies \nand system rating approaches that would apply across all vendors and \ndevelop quantitative measures to verify the return on investment of \nresearch dollars that directly impact industry and taxpayers. To that \nend we would devote research focus to develop a realistic threat \nassessment methodology and then apply it to create an open, industry-\nacknowledged threat model for contingency planning.\n\n    2. 
(Not assigned)\n\n    3. It has been widely reported that both industry and the federal \ngovernment find it difficult to estimate the economic impact of a cyber \nsecurity attack. Has the lack of actual quantifiable damages made the \nprivate sector leery of investing in cyber security?\n    There has long been widespread agreement that the published \nestimates of cyber-attack costs have little credibility. In April 2004, \nthe Congressional Research Service Report on The Economic Impact of \nCyber-Attacks concluded ``No one in the field is satisfied with our \npresent ability to measure the costs and probabilities of cyber-\nattacks.\'\' But the report resulted in limited research to address the \nmeasurement need. The research programs most directly addressing the \nneed for better assessments of cyber-attack consequences are the \nprograms of the U.S. Cyber Consequences Unit, a small independent \nagency established by the DHS in August 2004. The first of the larger \nUS-CCU reports will be available for limited circulation release in \nearly February 2006.\n    The lack of economic consequence data and security metrics has led \nto a variety of concerns about the possibility of a successful attack \nand its associated economic impact. Currently, there is no consensus \nabout the level of resources that should be devoted to control systems \ncyber security. Standards and associated business cases are being \ndeveloped that will help industry better evaluate the risk to their \nsystems. Even with this lack of documented cases of quantifiable \ndamage, attacks occur. For example, a recent malware attack (Zotob) on \nmultiple sites of a large manufacturing company resulted in loss of \nproduction time.\n    These types of attacks increase asset owners\' awareness that they \ntoo could be the target of a potentially crippling attack; thus, \ninvestments are being made in the private sector. 
These investments \ntend to be dependent on the extent of awareness of cyber intrusions and \nthe liability posed by denied services or business losses faced by \nindividual companies as well as customer impact. Critical \ninfrastructure sectors, such as electric utilities, chemical companies, \noil and gas companies, and banks and financial institutions, realize \nthe potential impact of cyber threats but the investments and attention \npaid are not uniform across the sectors. Cyber security concerns \nresulting from easy electronic access to accounts in the Banking and \nFinancial Sector are addressed in USA Today\'s November 2, 2005 first page \narticle, ``Cyber crooks break into online accounts with ease\'\'. In the \nElectric Sector, the required connectivity with neighboring systems \ncreates a weakest link problem for the overall network of \ninterconnected SCADA systems. The larger or more progressive utilities \nwill suffer from weaknesses presented by smaller, resource-constrained \nneighbors.\n    Several industry associations, such as the Chemical Information \nData Exchange (CiDX), the Water Environment Research Foundation (WERF), \nand the American Association of Railroads, are promoting cyber security \namong their subscribers. The Department of Homeland Security Control \nSystems Security Center (CSSC) established an Industry Interest Group \nto discuss asset owners\' perspective of cyber security. Members of this \ngroup reported that at the operations levels within their company\'s \norganization, cyber security is important. However, at the board of \ndirectors\' level, cyber security seems less important because they may \nnot see any risk to bottom-line profits. 
The group also reported that \nawareness communication tools would be helpful in convincing their \nmanagement to invest in SCADA security, even though the perceived risk \nmay be low at this time.\n    The reason the National Cyber Security Division of the DHS \nestablished the US-CCU, with the support of the National Communications \nSystem and help from the DHS Private Sector Office, was that both \ncorporate executives and government officials regularly reported they \ncould not justify larger cyber security budgets without better \ninformation on the likelihood and costs of possible cyber-attacks.\n\n    4. (Not Assigned)\n\n    5. Can you tell us specifically how your research on SCADA has, to \ndate, impacted the way SCADA systems in the field are secured, and what \npercentage of those systems have been impacted? If that\'s not a big \nnumber, what is stopping us from putting the results of your research \ninto practice in the field?\n    A result of our assessment work in the test beds is the \nidentification of best practices that can be used to mitigate \nvulnerabilities by taking advantage of the capabilities already \nexisting in the SCADA systems. Examples include ensuring fully patched \noperating systems, improving password management practices, and \nimplementing layered security defenses (firewalls, DMZs).\n    SCADA system vulnerabilities identified through assessments \nperformed in the test beds have been communicated to the manufacturers \nand users of those systems. In all cases, the vendors have taken quick \naction to incorporate system modifications to mitigate the identified \nvulnerabilities in their new systems, but only 5% of installed systems \nare new systems. 
Thus implementing enhancements in currently installed \nsystems requires that owners be made aware of the vulnerabilities \nwithin their systems and the mitigating methods that are available to \nthem.\n    More than 230 user representatives from over 100 major electrical \nindustry owners/users of SCADA systems have been made aware of typical \nvulnerabilities and methods for security enhancement. The percentage of \nthe industry that is represented by 100 owners is difficult to answer, \nbut in very general terms we can say that they control approximately \n80% of the power on the grid. This communication has been achieved \nthrough presentations and discussions in numerous electrical industry \nuser group meetings and conferences. In addition to electrical industry \ninteractions, workshops, demonstrations, training, and presentations \nhave been provided to audiences responsible for control systems used \nacross the Nation\'s critical infrastructure. In aggregate, these \nvarious forums have been attended by more than 7500 people from vendor \nand user companies.\n    In addition to assessments, cyber security awareness workshops in \nnine regions, which involved 480 industry participants during FY-05, have \nmade the industry more cognizant of the need to strengthen their SCADA \nsystems. In FY-06, we will be providing asset owners additional tools \nto strengthen SCADA security through vulnerability assessments both in \ntest beds and at participant selected facility locations. The value of \nthe INL work, as perceived by a sample of industry/end users, has been \npreviously stated (see INL\'s written testimony of October 18, 2005, to \nthe same Subcommittees).\n    We do not have access to data that would quantify the extent to \nwhich system owners are implementing our recommendations into their \nadministrative and hardware/software management policies. This is \ntypically information that is held close by the asset owners for \ncompetitive advantage reasons. 
Because the deployment of new systems \noccurs rather slowly (estimated at 5% annually for the installed \ninfrastructure) the users, working with their vendors, can also design \nand implement mitigations specific to their systems. Thus the \ninformation we provide can be used to upgrade and improve configuration \nand management of currently installed systems.\n    The reason for relatively slow system upgrades is the high cost and \nthe lack of a strong business case (bottom line dollar impact) to \njustify both the expenditure for improvements and to justify requests \nfor recovery through the rate base. A frequently raised issue is that \nif the requirements for security upgrades were mandated through \nregulation, the asset owners would have a stronger basis for requesting \nrate relief. However this brings with it the added burden of additional \nregulation to the industry and is therefore not strongly supported by \nindustry.\n\n    6. What has the money we have already spent on SCADA research done \nto improve SCADA security in the field?\n    The work performed and supported by the Department of Energy \nNational SCADA Test Bed (NSTB) in the Energy Sector and the Department \nof Homeland Security Control Systems Security Center (CSSC) Program on \nthe other sectors, have improved security at critical infrastructure \nfacility sites in significant ways:\n        <bullet> Awareness: As a part of the mission for both the NSTB \n        and the CSSC, cyber security awareness has increased in \n        industry and government. Information on potential threats, \n        vulnerabilities, and mitigation of cyber attacks on control \n        systems has been disseminated through workshops, outreach, and \n        training events at conferences, user groups, and invited \n        sessions. 
The increase in awareness of the potential for real \n        and serious impact to facility operations has resulted in \n        asset owners performing reassessments of their cyber security \n        for control systems.\n        <bullet> Assessment and Testing: CSSC and NSTB are engaged in \n        performing assessments of major control system SCADA vendors\' \n        current products to identify both vulnerabilities and \n        mitigation. Some of the vendors have taken steps to eliminate \n        the identified vulnerabilities and shared the information with \n        their users. Working closely with the vendors and the user \n        community, the CSSC and NSTB provide a path to rapidly identify \n        and facilitate the use of this information to increase the \n        protection from cyber attacks. The success of these \n        relationships acts as a model to both the vendor and user \n        communities to work with these DOE and DHS programs. Several \n        site specific assessments have also been conducted at the \n        request of asset owners. Results of these assessments provide \n        direct and specific input to increasing SCADA security at those \n        sites.\n        <bullet> Technology Development: A key element of the CSSC \n        program is the identification and quantification of risk that \n        supports a business case to the asset owner for the policy, \n        time, and equipment investments to reduce risk to acceptable \n        levels. The characterization of vulnerabilities (control and \n        network systems), consequences (safety and national security), \n        and threats (beginner level to hostile nation state) coupled \n        with the cost of implementation of safeguards is a necessary \n        step in developing risk models and the business case. 
The CSSC \n        is active in working and coordinating efforts with industries, \n        industry and trade associations, government agencies, and \n        academia to identify gaps in technologies and standards to \n        apply to both current and legacy critical infrastructure \n        control systems. While these efforts are emerging, the broad \n        exposure of this work and participation of the stakeholders \n        will produce improvements in SCADA security that meet the need \n        for information protection coupled with business constraints \n        and will increase security awareness.\n        <bullet> US-CERT Support: The United States Computer Emergency \n        Response Team (US-CERT) provides response and capabilities to \n        support government and the private sector dealing with cyber \n        threats and attacks to the Nation\'s network communications and \n        computing infrastructure. The CSSC augments this capability by \n        providing expertise in control systems and the potential \n        vulnerabilities and impacts of cyber attacks. The CSSC has a \n        broad reach of assets within the national laboratories and \n        private sector to assess situational awareness during specific \n        response to events reported to the US-CERT. The CSSC, as a part \n        of the US-CERT in these activities, can issue alerts to be \n        distributed at a national level given that there may be real \n        and significant threats to control systems for certain sectors \n        or user communities. The goal of this capability is to provide \n        another level of information to those asset owners to increase \n        SCADA security to threats.\n\n    7. 
Is there any risk of duplicating efforts with the lab beds at \nSandia and Idaho and other research around the country?\n    INL is directly involved in two programs, the National SCADA Test \nBed sponsored by DOE/OE for the Energy Sector and the CSSC Program \nsponsored by DHS/NCSD for the other sectors. We are working with Sandia \nand others to complement what is needed to carry out the objectives of \nthese programs and there is no duplication of efforts. Also to prevent \nthe duplication of efforts, the sponsors (DOE/OE and DHS/NCSD) review \nthe scope of work on the NSTB and Control Systems Security Center \nPrograms.\n    INL and Sandia each have unique and complementary SCADA \ncapabilities. INL focuses on evaluating Cyber Security vulnerabilities \nof SCADA systems deployed in operational facilities and validating \nsolutions; and penetration testing of control systems. Also INL has on-\nsite, full scale infrastructure systems such as electric transmission \nsystems, substations, a pilot chemical plant and communications test \nbeds that enable field scale evaluations. Sandia, on the other hand, \nhas information technology red teaming and assessment capability, \ncryptography, and bench scale testing capability complementing INL\'s \ncapabilities. The two Labs recognize their strengths and collaborate to \nprovide the service needed to support asset owners and vendors.\n    Because of the number and diversity of infrastructure facilities in \nthe US requiring SCADA/Cyber security and the level of coordination of \nefforts between INL and Sandia, there is great value in having two \nnational labs with capability and capacity to provide a wide range of \nassessment services to asset owners.\n    INL, as the lead lab for the control system cyber security program \ncoordinates efforts between labs utilizing specific expertise, \nfacilities, and capabilities at each laboratory to perform its work. 
In \nJanuary of 2005, a Leadership Steering Group was organized and consists \nof members from Idaho National Lab (INL), Sandia National Lab (SNL), \nPacific Northwest National Lab (PNNL), and Lawrence Livermore National \nLab (LLNL). The Group meets on a quarterly basis to discuss the \ndirection of the program, coordinate efforts and deliverables, and \nidentify expertise that is needed to solve issues and challenges. Ideas \nare exchanged and security products developed for various governmental \ncustomers are shared.\n\nIII. The Federal Government\'s Role in Cyber Security\n\n    1. (Not Assigned)\n    2. (Not Assigned)\n    3. (Not Assigned)\n    4. (Not Assigned)\n\n    5. There are several SCADA test beds across the country. Is there \nany risk of duplicating efforts with the lab beds at Sandia and Idaho \nand other research? Is there any way to consolidate these efforts?\n    INL is directly involved in two programs, the National SCADA Test \nBed sponsored by DOE/OE for the Energy Sector and the CSSC Program \nsponsored by DHS/NCSD for the other sectors. We are working with Sandia \nand others to complement what is needed to carry out the objectives of \nthese programs and there is no duplication of efforts. Also to prevent \nthe duplication of efforts, the sponsors (DOE/OE and DHS/NCSD) review \nthe scope of work on the NSTB and Control Systems Security Center \nPrograms.\n    INL and Sandia each have unique and complementary SCADA \ncapabilities. INL focuses on evaluating Cyber Security vulnerabilities \nof SCADA systems deployed in operational facilities and validating \nsolutions; and penetration testing of control systems. Also INL has on-\nsite, full scale infrastructure systems such as electric transmission \nsystems, substations, a pilot chemical plant and communications test \nbeds that enable field scale evaluations. 
Sandia, on the other hand, \nhas information technology red teaming and assessment capability, \ncryptography, and bench scale testing capability complementing INL\'s \ncapabilities. The two Labs recognize their strengths and collaborate to \nprovide the service needed to support asset owners and vendors.\n    Because of the number and diversity of infrastructure facilities in \nthe US requiring SCADA/Cyber security and the level of coordination of \nefforts between INL and Sandia, there is great value in having two \nnational labs with capability and capacity to provide a wide range of \nassessment services to asset owners.\n    INL, as the lead lab for the control system cyber security program \ncoordinates efforts between labs utilizing specific expertise, \nfacilities, and capabilities at each laboratory to perform its work. In \nJanuary of 2005, a Leadership Steering Group was organized and consists \nof members from Idaho National Lab (INL), Sandia National Lab (SNL), \nPacific Northwest National Lab (PNNL), and Lawrence Livermore National \nLab (LLNL). The Group meets on a quarterly basis to discuss the \ndirection of the program, coordinate efforts and deliverables, and \nidentify expertise that is needed to solve issues and challenges. Ideas \nare exchanged and security products developed for various governmental \ncustomers are shared.\n\n    6. (Not assigned)\n\nIV. The Federal Role in the Future\n\n    1. Based on your knowledge of the SCADA research field, what are \nthe most promising technological breakthroughs you see that can protect \nour SCADA systems in the short term? I realize there are no silver \nbullets, but please list the solutions that will actually work to \nprotect our SCADA systems.\n    Various emerging technologies show promise in protecting control \nsystems. 
Deep packet inspection engines (optimized to detect control \nsystem packets) can guard for commands or injects traveling through \nunauthorized avenues like the organization\'s perimeter or corporate \nnetwork. Memory cache integrity technologies can be used to detect \nmalicious events like buffer overflows. Secure authentication \napproaches applied to SCADA protocols and emerging low-overhead \nencryption techniques are also promising. The optimization and use of \nthese emerging security technologies should reduce some of the risk \nSCADA systems now face. In order to bring these technologies to bear \nmore testing environments need to be used to test general IT security \nsolutions and enhance them to work in control system environments.\n    Near-term security enhancements can be most effectively implemented \nthrough taking advantage of existing technologies. This can be done \nthrough the definition and implementation of security policies based on \nthe best practices identified in the test bed efforts and in industry. \nBest practices include defining the electronic perimeter, setting up \nlayered defenses, monitoring communication traffic for anomalies (such \nas with intrusion detection and prevention devices), and establishing \nstrong password management and system patching policies. Encryption \ntechnologies should be applied to eliminate plain text communication \nthat can be monitored by an intruder to obtain system knowledge.\n    On a longer term basis, secure programming techniques should be \nused in application code development as is now being done for operating \nsystems and embedded applications.\n    Much knowledge exists, but there is a gap between general IT \nsecurity and SCADA security. SCADA systems have to be ultra-reliable \nand ultra-stable. 
If cyber-security is going to take hold in SCADA \nnetworks, the following must take place: (1) a testing location where a \nutility can test their configurations with expert support and advice \nmust be developed and (2) a user community where users of the same \nSCADA system with the same problems can critique their architectures \nand perform peer reviews must evolve.\n\n    2. How do we make rapid progress in improving security in the \nfield?\n    Increasing awareness among asset owners and vendors should be a \npriority because vendors must eventually implement the security \nmeasures. Another priority should be providing the ability to test the \nsystems in an impartial manner. Third is providing the tools that are \nneeded to mitigate the vulnerabilities and secure the systems. Finally, \nsome consideration is required for financial incentives to accelerate \ncyber security implementation by asset owners. In all of these steps we \nshould also look at the interlinked aspects of information technology, \ncontrol systems and telecommunication and take a systems approach to \ndealing with this challenge. The key to success lies with increasing \nindustry awareness, and industry associations can play a critical role. \nMany of these groups have already seen the need for improving cyber \nsecurity in control systems and have started working groups or sub-\ncommittees to address the issues and share information with their \nsubscribers. As NCSD shares vulnerability findings and provides best-\npractices for mitigation to these associations, they are transmitted to \ntheir members and mitigations are implemented.\n    A good example of the security initiative within industry is the \nChemical Information Data Exchange (CiDX). In January 2003, CiDX \nstarted the Chemical Sector Cyber Security Program. This program has a \nsub-committee that is devoted specifically to cyber security for \ncontrol systems. 
They recently recommended that the CiDX subscribing \ncompanies perform self-assessments of their control system security \nposture. Several companies reported results at the October CiDX General \nMembership meeting in Houston. While, these self-assessments are still \nimmature, their willingness to improve their security posture is \ncommendable. The NCSD has developed a self-assessment tool to help \nassociations like CiDX improve the effectiveness of their self-\nassessment process. The tool will assist asset owners to focus on the \ncritical cyber security requirements and associated compliance \nstrategies to achieve improvements in security. In FY-06, the self-\nassessment tool will be piloted with several asset owners in multiple \nsectors. After the piloting effort, NCSD will improve the tool, provide \ntraining at workshops in the various associations, and commence wide-\nspread distribution and use of the self-assessment tool. This will give \nasset owners specific measures for immediate implementation and \nreduction cyber security risk.\n    Rapid progress is based upon a multi-tiered approached that \ninvolves diverse stakeholders. This includes system integrators, \nvendors, and asset owners. Increasing security in the field will \nrequire each one of these stakeholders to develop better integration \nrequirements that include improved security, hardened vendor systems, \nand increased situational awareness, respectively. Asset owners need to \nincrease their awareness to control system cyber security and the \ninherent reliability benefits to addressing security, thereby \nrequesting that secure system be purchased and integrated into the \nfield.\n\n    3. (a) Has the federal government advocated for standards \nestablishing a minimum floor for securing control systems?\n    While the argument could be made for a minimum floor standard, this \nmay not be the solution for the long term. 
Since 85% of our critical \ninfrastructure is owned by the private sector, it is their \nresponsibility to adequately protect their assets and deliver the \nservices and products to the customer at large. The liability that \ncould result from a federally mandated minimum standard argues against \nsuch a standard. Also, the need for continuous improvement is \ndisincentivized by a minimum standard. In our view, industry groups \nworking together should come up with the best practice for their \nindustry segments. The electric utility, chemical industry, and oil and \ngas industry have all come up with some type of best practice and they \nshould be encouraged to make more widespread use of these practices. \nSimilarly, other industries should come up with best practices for \ntheir segments with help from the federal government in terms of \ntesting vulnerabilities and developing mitigation measures.\n    The DHS (CSSC Program) and DOE (NSTB Program) both include tasks to \nsupport improvements to industry security standards. In addition to an \nongoing review of standards applicable to control system security (with \nthe goal of identifying areas that should be strengthened), activities \ninclude support to drafting ISA\'s SP-99 and a technical review and \nassessment of the standard for Secure ICCP.\n\n    3. (b) What would a minimum floor look like?\n    A minimum baseline standard should address areas that are important \nto cyber security in general, with an additional emphasis on areas that \nare of particular concern to control system security. Control systems \nare complicated and varied depending on their application. 
Developing \nstandards that address security needs has begun (as outlined below, \nQuestion 3-e) but addressing the hundreds of needs for securing the \ncomplexities of control systems will require a large concentrated \neffort.\n    Topics that should be addressed include: the assessment of risk, \ndevelopment of a security policy, organization of information security, \nmanagement of assets, human resources, physical and environmental \nsecurity, management of operations, access control, the acquisition, \ndevelopment, and maintenance of process and information systems, \nincident and business continuity management, compliance with legal and \ncompany policies. Standards should also address next generation systems \nto help ensure that security in ``built into\'\' emerging components and \nsystems.\n    Another area of concern is system integrators. Standards must also \naddress network architecture to ensure that security vulnerabilities \nare eliminated at the system level.\n    The CSSC has developed a cyber security protection framework that \nincludes hundreds of high-level security requirements for the various \ncomponents and communication links in control systems. These \nrequirements have been compared with the myriad of existing cyber \nstandards to identify gaps and overlaps in these standards. In FY-06, \nthe findings of this review, along with continued reviews, will be used \nto recommend specific changes and improvements to the various standards \nbodies.\n\n    3. (c) Have industries leaders begun the process of developing \nthose standards already?\n    Several industries, particularly chemical, oil and gas, and \nelectrical, have made great strides in the development of control \nsystem cyber security standards. In addition, professional \norganizations and government bodies have contributed to the development \nof these standards.\n\n    3. 
(d) Has the government established any ``best practices\'\' that \ncan be modeled by industry?\n    As mentioned above (Question 3-b), CSSC has collected an initial \nset of industry best-practices for complying with security requirements \nand standards. NSTB program is developing best practices aimed at \nmitigating the common vulnerabilities discovered during control system \ntesting.\n    Through both NSTB and CSSC Programs, best practices are being \nidentified and shared with industry as stated in II-5.\n\n    3. (e) What other standards activities are being developed besides \nAGA 12?\n    Several cyber security standards aimed at industrial control \nsystems have been developed or are in the process of development. Some \nof these may not be considered as standards in the strictest sense, but \nstill provide guidance and direction. These include:\n    AGA 12--The American Gas Association is in the process of \ndeveloping a series of four standards recommending practices designed \nto protect SCADA communications against cyber attacks. To date, Parts 1 \nand 2, which address Cryptographic Protection of SCADA Communications, \nare still in draft form.\n    API 1164--The American Petroleum Institute released this standard \non SCADA security to provide guidance to the operators of oil and gas \nliquid pipeline systems for managing SCADA system integrity and \nsecurity. This document was released in September 2004.\n    CIDX--The Chemical Industry Data Exchange has developed a Guidance \nfor Addressing Cybersecurity in the Chemical Sector Version 2.1. 
This \ndocument describes key elements of a cybersecurity management system in \nthe chemical sector.\n    IEC 62351--The International Electrotechnical Commission is in the \nprocess of developing ``Data and Communication Security.\'\'\n    ISA TR 99 Parts 1 and 2--The Instrumentation, Systems and \nAutomation Society (ISA) has published two technical reports addressing \ncontrol system security with suggestions for securing control systems \nagainst cyber attack.\n    ISA SP99 Parts 1 and 2--ISA is in the process of developing two \ncontrol system cyber security standards. These standards, still in \ndraft form, will provide requirements for securing control systems.\n    NIST SPP-ICS--NIST has developed and released a System Protection \nProfile (SPP) to formally state security requirements associated with \nindustrial control systems (ICS).\n    NIST 800-82--NIST has developed SP800-82, a Guide for SCADA and ICS \nSecurity. It is in draft form with scheduled release January 2006.\n    NERC 1200--The North American Electric Reliability Council (NERC) \nhas developed and released this temporary standard to establish a set \nof defined security requirements related to the energy industry and to \nreduce risks to the reliability of the bulk electric systems from any \ncompromise of critical cyber assets.\n    NERC CIP-002 through--009--NERC is in the process of developing a \nseries of standards aimed at entities performing various electric \nsystem functions. When released, it will replace NERC 1200.\n\n    4. (Not Assigned)\n    5. (Not Assigned)\n    6. (Not Assigned)\n\n    7. Some have mentioned the value of a ``vendor\'\' incentives system \nthat would provide tax and other financial incentives to manufacturers \nwho are producing control systems that are already in ``best \npractices\'\' compliance. 
How feasible is this, and have there been \nevaluations of the cost to the federal government?\n    The first step in incentivization is enabling full reporting and \ndisclosure of cyber security incidents, without attribution, similar to \nthe FAA\'s Airline Pilot Reporting System. Included in this Cyber \nSecurity Reporting should be disclosure of the stringency level and \nthoroughness level of the reporting and assessments, so the frequency \nand magnitude of the problems can be analyzed. Then appropriate \nmitigation steps and incentives for implementation of these steps could \nbe developed. With this incident information, other incentive options \ncould be considered in light of the overall risk/benefit ratio.\n    Another incentive would be to enable independent third-party \ntesting and evaluation of control systems and techniques to mitigate \nvulnerabilities as is now provided through the DOE/NSTB Program to \nutilities and through the DHS/CSSC Program to all other industry \nsectors.\n    The feasibility and cost of incentives would need to be studied \nclosely to ensure the approach provided the right reward to maximize \nresponsible action by vendors. The best vehicle, approach and resulting \ncost to implement have not been studied.\n\n    8. (Not Assigned)\n\nV. Dam Security\n\n    (None Assigned)\n\n   Donald Andy\'\' Purdy Responses to the Honorable Bennie G. Thompson \n                               Questions\n\n    THE THREAT: PROBABILITY/IMPACT OF ATTACKS ON SCADA SYSTEMS\n\n    <bullet> Based on all available research, how likely is an attack \non a SCADA system?\n    Response: Attacks are already occurring against Supervisory Control \nand Data Acquisition (SCADA) systems/control systems; however, the \nnumber of incidents reported is few and the consequences associated \nwith these reported attacks are generally not very significant. 
The \nNCSD Control System Security Program (CSSP) has reviewed data on \napproximately 120 documented cyber incidents against SCADA/control \nsystems over the last 20 years. This data shows that the number of \ncyber attacks reported against SCADA/control systems has been \nincreasing over the last several years and also shows that a larger \npercentage of attacks are coming from external sources as opposed to \ninternal sources.\n    As SCADA/control systems have greater interconnectivity to \ninformation technology (IT) systems external to the SCADA/control \nsystems operating environment and increase their utilization of common \nopen standards and protocols, the exposure of systems to outside \nentities and the number of vulnerabilities present in the control \nsystem environment will continue to increase.\n    Insufficient data currently exists to accurately calculate the \nlikelihood of a successful cyber attack against a SCADA/control system \nthat would result in a catastrophic consequence. However, based on \ncurrent scenarios developed by industry and the National Labs, the \nNational Cyber Security Division (NCSD) believes that as the number of \nvulnerabilities, the number of people with intent to cause the U.S. \nharm, and the number of people with sufficient skills and capability to \nsuccessfully execute an attack continue to increase, the likelihood of \na successful cyber attack of significant consequence against SCADA/\ncontrol systems will continue to rise. The NCSD CSSP is working under \nthe assumption that a cyber attack resulting in a significant \nconsequence is likely to occur some time in the future. We are \naggressively pursuing mitigation remedies to reduce the likelihood of \ncyber attacks on SCADA/control systems.\n    NCSD is establishing a control system cyber attack response center \nthrough the United States Computer Emergency Readiness Team (US-CERT) \nwith technical response teams active within the CSSP. 
The Cyber Storm \nexercise beginning in February 2006 will provide additional information \non readiness and response capabilities and needs.\n    NCSD is also working with the Intelligence Community to better \ncollaborate on SCADA/control systems threat requirements and provide \ninput on intelligence products.\n\n    <bullet> Based on all available research, how frequently are SCADA \nnetworks attacked?\n    Response: Historically, there has been no consensus on a formal \ncenter in the U.S. for all critical infrastructure owners and operators \nto report cyber attacks against SCADA/control systems. US-CERT recently \ninitiated efforts to serve as the central focal point for the nation\'s \ncritical infrastructures to report SCADA/control systems cyber \nincidents and vulnerabilities.\n    A reporting center operated by the British Columbia Institute of \nTechnology (BCIT) also accepts voluntary submissions of SCADA/control \nsystem incidents. Owners and operators of U.S. critical infrastructures \nare hesitant to report SCADA/control system cyber incidents both \nbecause of concerns about how the information could potentially be used \nto harm the reporting organization, and also due to the absence of a \nclearly designated place to report cyber incidents.\n    The NCSD CSSP combined cyber incident information from BCIT with \ninformation from other sources to examine approximately 120 documented \ncases occurring over the past 20 years. A majority of these reported \nSCADA/control system incidents (>70%) have occurred in the past 5 \nyears. However, it is widely viewed that the number of incidents are \nhighly underreported. We are working with SCADA/control system vendors, \nowners and operators to raise awareness and increase cyber incident \nreporting to the US-CERT.\n\n    <bullet> I am interested in your assessment of the type of damage \nthat you believe can actually result from a terrorist attack on SCADA \nsystems. 
I think many people were shocked when on September 11, 2001, \nthey learned that a single airplane could cause one of the World Trade \nTowers to collapse with huge loss of life. What are the corresponding \nscenarios for catastrophic damage that can be caused by someone who has \ntaken the time to learn to control SCADA systems?\n    Response: Intermittent or properly timed loss of control of a \ncritical infrastructure control system can enhance the probability of \nincorrect operator responses, which can lead to accidents with serious \nphysical results, such as fire, explosion, collisions, or loss of \nproduction.\n    Two historic events affecting critical infrastructures where \ncontrol systems could have played a contributing role include \nexplosions at the Piper Alpha North Sea Platform and the Texas City oil \nrefinery. The Piper Alpha platform explosion in July 1988 killed 167 \nand resulted in losses which are estimated up to $15.2 Billion US. \nAlthough there was a combination of events that lead to this accident, \nincorrectly interpreted signals and early loss of the control room \ncontributed to the disaster. The March 23, 2005 Texas City oil refinery \nexplosion killed 15 and injured 170, and cost close to $1 Billion US. \nThis accident did not involve a cyber attack, but the accident evolved \nas a result of the misinterpretation of signals and indicators, which \ncould be affected by a cyber attack.\n    The following are some examples of scenarios that show how cyber \nintrusions could result in physical damage, loss of life, environmental \ndamage, economic loss, and/or loss of production in our nation\'s \ncritical infrastructures.\n    --The breach of security controls in the transmission mechanism for \na regional power grid system could potentially allow a strategic attack \nto develop into a widespread blackout due to the unique cascading \naspects of power transmission. 
Although the August 2003 East Coast \nblackout was not caused by a cyber attack, the failure mechanisms that \ncaused that blackout are similar to those that could be achieved \nthrough a cyber attack.\n    --The readings on chemical mixing tanks during the batch process \ncould be tampered with by unauthorized network intrusion, forcing \nlethal and highly combustible reactions to occur without warning to the \noperators. Misinformation, exacerbated by improper response, is the \ncause of many industrial accidents.\n    --Rogue access into the railway switching system within a major \ncity could cause significant gridlock to commuter traffic and import/\nexport functions or potentially result in a train collision.\n    --In a blended physical and cyber attack, quality and safety \ntriggers in a metropolitan water facility could be subtly compromised \nallowing for normally unallowable levels of toxins or chlorine to be \ndistributed into the city reservoirs and pumping systems.\n    --According to the Network Reliability and Interoperability Council \n(NRIC),\\1\\ the growing use of Voice Over Internet Protocol (VOIP) and \nthe interconnected nature of networks pose an increasing risk to the \ntelecommunications infrastructure, in part because internet-based \nprotocols are not as robust against security breaches as is traditional \ntelephone technology. 
If operations centers or network management \nfunctions are compromised by combinations of cyber and physical attacks \nthere could be a cascading effect that disrupts the communications \ncapabilities of consumers, businesses and emergency first responders.\n---------------------------------------------------------------------------\n    \\1\\ The Network Reliability and Interoperability Council (NRIC) is \na partnership of private sector entities and the Federal Communications \nCommission (FCC) that develops recommendations designed, in part, to \nassure optimal reliability, security and sustainability of the nation\'s \ntelecommunications infrastructure during periods of exceptional stress, \nincluding terrorist attacks or similar occurrences. http://\nwww.nric.org/\n\nTHE FEDERAL GOVERNMENT\'S ROLE IN CYBER SECURITY\n    <bullet> We saw during Hurricane Katrina that the federal \ngovernment is unprepared to respond to a large natural disaster. Today \nwe\'ve heard about the devastation that may be caused if a terrorist or \na natural disaster hits our control systems. Just last week, a headline \nin the New York Times read: ``US cyber security due for FEMA-like \ncalamity?\'\' Are we prepared for a cyber attack on our control systems? \nSimilarly, if a natural disaster hits our control systems, are we \nprepared to respond to that?\n    Response: The NCSD CSSP is being proactive in preparing for events, \nboth natural and man-made, that could potentially disrupt our nation\'s \ncontrol systems and the critical processes and functions they monitor \nand manage.\n    A major initiative being pursued by NCSD CSSP to prepare for \ncatastrophic events against our nation\'s control systems is the on-\ngoing effort to expand the US-CERT\'s current capability for responding \nto cyber incidents and vulnerabilities to include the ability to \nrespond to incidents involving control systems. 
The NCSD CSSP provides \nthe US-CERT Operations Center with control system expertise and support \nin responding to control system related incidents and in managing \nvulnerabilities affecting our nation\'s critical control systems. An \nimportant component of this US-CERT control system support is the \nutilization of the knowledge, resources, and control system expertise \nand cyber security expertise available among the national laboratories \nand the control systems community.\n    NCSD is creating the infrastructure and processes to specifically \ndeal with both cyber attacks against control systems and also natural \ndisasters that affect control systems. NCSD received positive feedback \nfrom the control system community in response to the informational \nfocus paper the US-CERT released to the control system community to \nassist owners and operators in restarting their control systems safely \nand securely in response to Hurricane Katrina. This document is \navailable on the US-CERT web site: http://www.us-cert.gov/reading_room/\nKatrinaCSA.pdf.\n\n    <bullet> On August 12, committee staff was told in a briefing with \nDHS officials that there are only two full-time DHS employees working \non control system issues. How many DHS employees are currently working \non SCADA/control system issues?\n    Response: NCSD has authorized three government full time equivalent \n(FTE) billets for the CSSP. Currently, two of those three positions are \nfilled and the third is expected to be filled in Q2 of FY06. In FY04, \nNCSD\'s CSSP determined that the control systems expertise necessary for \nthe program to perform its mission was not readily available within the \ngovernment and sufficient authorized FTE billets were not available at \nthat time. 
In FY04, the CSSP conducted research to identify programs, \nfacilities, capabilities, and resources, including national \nlaboratories, which possess control systems and associated cyber \nsecurity expertise and resources. NCSD utilizes these identified \nresources and capabilities to achieve mission goals and objectives.\n\n    <bullet> The Department established the Process Control System \nForum (PCSF) to facilitate communication between government, industry, \nvendors, and academia. How effective has this endeavor been? How \nfrequent have the meetings been?\n    Response: The PCSF is a relatively new endeavor and it is difficult \nto assess its effectiveness at this point in time. DHS plans to conduct \nan independent audit of the effectiveness of the PCSF in Q3-FY06. The \nvalue of the PSCF is its ability to reach out to representatives from \nall of these stakeholder groups in all critical infrastructure sectors \n(such as chemical, water, energy and others) that utilize and rely on \nSCADA/control systems. The PCSF met four times in FY05 with its next \nmeeting scheduled for June 6-7, 2006 in La Jolla, California\n    <bullet> DHS has gone through four cyber security managers--Richard \nClarke, Howard Schmidt, Amit Yoran, and Robert Liscouski. How has \nturnover on the DHS cyber security team impacted the effectiveness of \nDHS to deal with a cyber attack? Mr. Liscouski left in January--Why \nhasn?t Secretary Chertoff appointed a replacement?\n    Response: Addressing organizational issues is central to Secretary \nChertoff\'s ``Second Stage Review\'\' (2SR) of the Department. The 2SR \ndetails a six-point agenda that includes improving DHS financial \nmanagement, human resource development, procurement, and information \ntechnology, and realigning the DHS organization to maximize mission \nperformance. 
Recognizing the importance of protecting critical cyber \nassets, Secretary Chertoff is increasing the authority for cyber \nsecurity by placing the coordinated activities of the NCSD and National \nCommunications System (NCS) under an Assistant Secretary for Cyber \nSecurity and Telecommunications. The new Assistant Secretary will \nreport to the new Under Secretary of Preparedness. We expect that the \nnew Assistant Secretary will be named in the near future.\n    <bullet> There are several SCADA test beds across the country. Is \nthere any risk of duplicating efforts with the lab beds at Sandia and \nIdaho and other research? Is there any way to consolidate these \nefforts?\n    Response: The NCSD CSSP completed an evaluation that identifies \ncontrol system security-related programs among national laboratories, \nacademic institutions, and agencies. This initiative evaluated the \nrespective value of other\'s work to the CSSP; and provided \nrecommendations on how selected program activities could be leveraged \nto reduce control system vulnerabilities. The focus was on domestic \npublic sector programs because they could be more readily leveraged \nthan activities in the private and international sectors. The results \nof this evaluation were utilized to identify where duplication of \nefforts might exist and also served as a roadmap to identify which \ngroups the CSSP should work with.\n    The Department of Energy\'s Idaho National Laboratory (INL) has been \ndesignated as the lead national laboratory in supporting the CSSP. \nHowever, the CSSP funds initiatives with several DOE national \nlaboratories and the control systems community through a contract with \nINL. INL has been assigned the role of coordinating and leveraging \nefforts between labs utilizing specific expertise, facilities, and \ncapabilities at each laboratory to perform its work. 
In January 2005, a \nLeadership Steering Group was organized, which consists of members from \nINL, Sandia National Lab, Pacific Northwest National Lab, and Lawrence-\nLivermore National Lab. The Group meets on a quarterly basis to discuss \nthe direction of the program, coordinate efforts and deliverables, and \nidentify expertise that is needed to solve issues and challenges. Ideas \nare exchanged and security products that are developed for various \ngovernmental customers are shared.\n    Moreover, utilizing more than one lab allows for additional \ndevelopment and verification of efforts. If only one group is able to \naddress an issue, then the best achievable results are limited to what \nthat group develops. Competition is a motivating force that compels \npeople to work harder and faster to produce the greatest advances and \nbest solutions. Constructive competition exists among those who are \nattacking SCADA/control systems, and therefore it is important to \nencourage competition among those seeking to protect our systems.\n    <bullet> This is more of a general question about fundamental \nInternet protocols. There has been significant discussion in the \ntechnology world about the security of the basic, underlying Internet \nprotocols. In your opinion, how secure are these protocols? Is this \nsomething that DHS is examining?\n    Response: There are, and likely will continue to be, security \nissues with Internet protocols. The Internet Engineering Task Force has \na Security Area, http://www.ietf.org/html.charters/wg-\ndir.html#Security%20Area, which has a number of individual working \ngroups addressing these issues. 
NCSD currently does not have any \nefforts or projects dedicated specifically to studying a particular \nprotocol, although efforts are underway within DHS to model SCADA/\ncontrol systems to better understand the disruptive effects of internet \ncongestion to SCADA/control systems and the effectiveness of Next \nGeneration Priority Services (NGPS) against these disruptions.\n    There is a significant challenge with the lack of security, or \nverifiable security, in core internet protocols. Some application level \nprotocols (such as Secure Shell and Secure Socket Layer) and their \nimplementations have improved their security over the last few years. \nHowever, the core security problems with underlying protocols, \ntransport layer and below (e.g., Transmission Control Protocol/Internet \nProtocol and Address Resolution Protocol), create long term security \nproblems. Although some credible attempts at improving these underlying \nprotocols are ongoing (e.g., Internet Protocol Version 6), the question \nof their overall security remains unanswered.\n    The National Strategy to Secure Cyberspace (NSSC) calls out the \nfact that there are challenges with the existing Internet \ninfrastructure. As a step toward fulfilling its responsibility for \ncoordinating implementation of the NSSC with respect to the domain name \nsystem (DNS) infrastructure, DHS S&T is working to deploy the DNS \nSecurity Extensions (DNSSEC) protocol. The DNSSEC effort will enhance \nthe security of a fundamental element of the Internet infrastructure. \nDNS is the hierarchical naming system that maps IP (Internet Protocol) \naddresses to more user-friendly but structured names; the extensions to \nthe original protocol consist of a hierarchy of cryptographic \nsignatures that assure the integrity of the DNS queries by providing \norigin authentication of DNS data, data integrity and authenticated \ndenial of existence. 
These measures protect against tampering in caches \nand transmission and enhance the infrastructure\'s security, thus \ncontributing to increased trust in the Internet and systems, services \nand markets that rely upon its secure operation. The DNSSEC protocol \nhas been under development for more than10 years and was approved by \nthe IESG in October 2004; it is awaiting final publication. The goal of \nthis effort is to enable all DNS traffic on the Internet to be DNSSEC \ncompliant. In operational terms, this goal translates into the \nfollowing ideal: Every lookup request requires and receives only \nDNSSEC-validated answers. Achieving this operational goal occurs within \nthe framework of four principal and interrelated tracks: technical, \norganizational, education and outreach, and public policy. The primary \nfocus of this effort is on the technical issues and process of adoption \nand the organizational and outreach/ educational activities required to \nachieve resolution of the technical objectives and activities. DHS S&T \nhas been responsible for coordination among government agencies, namely \nDepartment of Commerce (DOC), Office of Management and Budget (OMB), \nGeneral Services Administration (GSA), Department of Defense (DOD), and \nseveral others.\n    The NSSC also calls out the fact that there are challenges with the \nexisting Internet routing infrastructure. As a step toward fulfilling \nits responsibility for coordinating implementation of the NSSC with \nrespect to the routing infrastructure, DHS S&T is working with \ngovernment and industry through the Secure Protocols for the Routing \nInfrastructure (SPRI) program within the S&T Directorate. DHS S&T has \norganized a series of workshops in the SPRI program to formulate an \napproach and a roadmap for securing the Border Gateway Protocol (BGP) \nin the Internet routing infrastructure. 
This workshop series has \nbrought together people from academia, research institutions, \ngovernment, and industry who have a thorough understanding of BGP \ntechnology, of BGP use in the Internet today, and of the business of \nproviding internet service. Several techniques to secure BGP have been \nsuggested, but none has won acceptance in terms of completeness, \nscalability or deployability. The workshops have been working towards a \nconsensus of an acceptable, deployable security technique and a \nstrategy for deployment. The SPRI initiative has been successful at \nbringing together the major Internet Service Providers (ISPs), router \nvendors, large-scale end users, government, and academia to identify a \npath forward to harden the routing structure of the Internet. This has \nincluded working with the major Internet registries, such as the \nAmerican Registry of Internet Numbers (ARIN) and Reseaux IP Europeens \n(RIPE), and international participants from forward-looking countries, \nsuch as Sweden, Netherlands, and Japan.\n    Relative to control systems, this issue is important because many \ncompanies are now using standard Internet protocols to communicate \nbetween the control room and the enterprise network. Control systems \nvendors are beginning to use core Internet protocols as their bottom-\nmost communication mechanisms on control system local area networks. \nControl system specific protocols tend to be insecure because they were \nnot designed with security as a dominant focus, many are proprietary \nand depend on ``security through obscurity,\'\' and control system \nprotocols have generally not been exposed and stressed from a large \nnumber of concentrated attacks from hacker groups.\n    <bullet> In 2003, the President, as part of an initiative to \nprotect American infrastructure, ordered the Department of Homeland \nSecurity to create The National Infrastructure Protection Plan. This \nplan was due in December 2004. 
DHS released an Interim Report in \nFebruary, 2005, which was criticized by the GAO for being incomplete. \nAt the time the Interim Report was created, DHS pushed the due date for \nthe Final NIPP back to November, 2005. When will the Office of \nInfrastructure Protection finalize the NIPP? What is the role of the \nNational Cyber Security Division (NCSD) in NIPP? What role will your \noffice be playing in the ``Final NIPP\'\'?\n    Response: The draft NIPP Base Plan was released for final review \nand comment on November 2nd, and addresses the Federal, State, \nterritorial, tribal, local, and private sector roles and \nresponsibilities for critical infrastructure protection. It will be \ncompleted in early 2006. The 17 critical infrastructure and key \nresource (CI/KR) Sector-Specific Plans (SSPs) will further detail risk \nreduction strategies related to their respective critical cyber \ninfrastructure.\n    As part of NCSD\'s participation in the development of the National \nInfrastructure Protection Plan (NIPP), NCSD is ensuring that the NIPP \nBase Plan includes content to address cyber security and the cross-\nsector/cross-border cyber element of CI/KR protection across all 17 \nsectors. NCSD also highlights cyber security concerns in an appendix to \nthe Base Plan that provides additional details on processes, \nprocedures, and mechanisms needed to achieve NIPP goals and the \nsupporting objectives for cyber security. The cyber security appendix \nspecifies cyber responsibilities for security partners, processes and \ninitiatives to reduce cyber risk, and milestones to measure progress on \nenhancing the Nation\'s protection of cyber infrastructure.\n    After the release of the ``Final NIPP,\'\' NCSD will continue to work \nwith the relevant stakeholders to address cyber security and the cross-\nsector cyber element of CI/KR protection as outlined in the draft. 
This \nwill include developing the Information Technology Sector Specific Plan \nas the designated Sector Specific Agency for the IT Sector, providing \nguidance to other Sector Specific Agencies to address cyber security, \nand coordinating international aspects of cyber infrastructure \nprotection.\n    <bullet> According to a New York Times article last week, DHS is \nspending $17 million of its $1.3 billion science and technology budget \non cyber security. Committee staff was told in a briefing with DHS \nofficials that there are only two full-time DHS employees working on \ncontrol systems issues. Do you think the Department is devoting enough \nattention and resources for cyber security?\n    Response: The Department is devoting significant resources and \nattention to the important area of cyber security, as described in the \ndetailed answers to the questions above. NCSD and S&T continue to \npartner effectively to produce tangible results in an area that is \nconstantly evolving. As described above, the NIPP provides a framework \nand roadmap for progress and unites Federal, State, local, and tribal \ngovernments and the private sector in the process for studying and \nidentifying solutions to mitigate cyber risk. Additionally, recognizing \nthe importance of protecting critical cyber assets, Secretary Chertoff \nis increasing the authority for cyber security by placing the \ncoordinated activities of the NCSD and NCS under an Assistant Secretary \nfor Cyber Security and Telecommunications. The new Assistant Secretary \nwill report to the new Under Secretary of Preparedness. We expect that \nthe new Assistant Secretary will be named in the near future.\n\n  Questions for the Record from the Honorable Bennie G. Thompson for \n                               Larry Todd\n\n    TOPIC I. 
THE THREAT: PROBABILITY/IMPACT OF ATTACKS ON SCADA SYSTEMS\n    Question: Based on all available research, how likely is an attack \non a SCADA system?\n    Answer: The Bureau of Reclamation has no specific statistics on \nprobability of attacks against SCADA systems in industry or the federal \ngovernment at large. Reclamation assumes, however, given the importance \nof water and power infrastructure, that SCADA could be the target of an \nattack.\n\n    Question: Based on available research, how frequently are SCADA \nnetworks attacked?\n    Answer: The Bureau of Reclamation has no specific statistics on \nattacks against SCADA systems in industry or the federal government at \nlarge. Reclamation has monitoring systems in place and, to date, has \nnot identified any attacks against our SCADA systems throughout the \nhistory of their operation. We believe this is due to the isolation of \nour SCADA systems from the internet.\n\nTOPICS II-IV--No questions pertain to the Bureau of Reclamation\n\nTOPIC V. DAM SAFETY\n\n    Question: Does the Bureau of Reclamation monitor only the 17 or so \ndams that it has created? Or is the bureau monitoring and conducting \nthreat assessments to private dams as well?\n    Answer: Reclamation has constructed and manages 471 dams, 58 \nhydroelectric powerplants, and other related facilities in the 17 \nWestern states. For security purposes, Reclamation has identified 280 \nof these facilities as critical for completing security assessments. \nReclamation reassesses these facilities on a periodic basis. A security \nrisk assessment examines the threats, vulnerabilities, and consequences \nof a security event at a facility. 
Although Reclamation has provided \nsome assistance to other Federal agencies, it does not monitor or \nconduct threat assessments for private dams.\n\n    Question: Help me understand further the way that the control \nsystems at our nation\'s dams are connected to computers far from the \ndams and what specific defenses you have put in place to protect those \ncommunications links?\n    Answer: Reclamation uses leased lines and federal microwave \nchannels to address nearly all long-haul communications between SCADA \ncontrol centers and their outlying controlled sites. This is true of \nall significant and critical SCADA communications. In some instances \nUHF or radio communication hops may be employed to support less \nsignificant SCADA functionality where data collection and low-risk \ncontrol functionality are involved. Short-haul communications employ \nfiber-optic copper cabling for communication between control system \ncomponents that are widely distributed geographically. We use \nfederally-owned microwave-based telecommunications systems. In a few \ncases, we also lease point-to-point circuits from telecommunications \ncompanies. These SCADA communications circuits are dedicated (not \nshared). Reclamation uses several protection methods including non-\nInternet communications protocols and one-way communications paths. No \nSCADA system communication takes place over the Internet.\n\n    Follow-up Question: Can those connections be used to open flood \ngates? And if, when the reservoirs are full, someone did that, \nwould there be a high probability of lives being lost? Have you had \ndamage estimates done at major Federal dams? Do you know how many lives \nmight be lost?\n    Answer: None of the Reclamation spillway gates under SCADA control \nhave a capacity greater than the safe channel capacity. Therefore, no \nlives can be lost by flooding outside the safe channel capacity by the \nmere operation of Reclamation SCADA systems. 
Instead, Reclamation \ntypically relies on manual, on-site operation of the gates. For the few \nspillways that are operated with SCADA systems, safety measures are in \nplace. The safety measures in place include: remote monitoring of gate \nposition; control action timing relays that allow only limited raise or \nlower motion based on a single control action (the gate will only raise \nor lower a certain percentage of its full travel based on one command); \nand manual SCADA control lockouts that must be physically and \nprocedurally bypassed to enable SCADA control, thereby preventing SCADA \ncontrol of critical fully supervised. In addition, some gates have \nlimiting switches that only permit them to be moved a small amount at a \ntime.\n    From our dam safety program, we have estimates for each high and \nsignificant hazard dam of population at risk (number of individuals \ndamaged including owned property) and loss of life in the event of \ncomplete dam failure. In many cases, we also have estimates of \npopulation at risk and loss of life in other flood situations such as \nfailure of gates. We would be willing to give you a secure briefing to \nprovide more information, at your request.\n\n    Question: We have heard the story of a hacker\'s control of some \nsystems of the Roosevelt dam in Arizona, which holds 400 trillion \ngallons of water. What is the worst damage that could be done there? Is \nit possible to shut out on-site control? In other words, if someone \nhacked the system and tried to release the water, switch off a hydro-\ngenerator, etc., one would assume that there is an on-site, physical \noverride of the SCADA or Process Control System. Is that true in all \ncases?\n    Answer: It is true that, in 1994, a hacker dialed into a system \nthat monitored the water levels of canals in the Phoenix, Arizona, \narea. 
This system was designed for water level monitoring only, and \ninvestigators concluded that the hacking incident posed no threat to \nsafety. The story of a 12-year-old hacker\'s control of the floodgates at \nTheodore Roosevelt dam in Arizona in 1998 is, fortunately, only a myth \nof unknown origin.\n    The discharge capacity of the one powerplant unit at Roosevelt Dam \nthat can be controlled remotely by SCADA is small and well within the \nsafe discharge capacity of the downstream Salt River. Such a discharge \ncould also be easily handled at Horse Mesa Dam, Mormon Flat Dam, \nStewart Mountain Dam, and Granite Reef Diversion Dam, all downstream of \nRoosevelt Dam. An intruder into the SCADA system cannot cause any \nreleases of water from the dam that will result in any downstream flood \ndamage or threaten the safety of any downstream populations.\n    SCADA control capabilities can always be disabled at the controlled \ndevice (generator, gate, valve, etc.) via a manually operated local \ncontrol switch.\n\n    Question: Are stand-alone networks used at dams, or do you \npiggyback on the local phone network, the Internet, or some other \nexisting outside network? Is there a Bureau of Reclamation policy on \nwhat networks can be used for SCADA/PCS?\n    Answer: SCADA networks are isolated from networks other than \nsimilar SCADA networks. Reclamation\'s policy addresses all networks \n(including SCADA) and includes network expansions and extensions, which \nmust be approved by Reclamation\'s Chief Information Officer. Approval \nadheres to guidance of the National Institute of Standards and \nTechnology (NIST) and is based on internal vulnerability assessments.\n\n    Question: Generally are the Cyber Security requirements of the \nBureau of Reclamation department-wide or do you have different requirements \nfor each dam? 
If you have a Bureau of Reclamation Standard, is it the \nsame as the Army Corps of Engineers, the Tennessee Valley Authority, \nand other federal agencies/entities?\n    Answer: Reclamation applies the same baseline cyber security \nrequirements to all of its systems, regardless of the type of system or \nits location. In some instances, additional security requirements are \nimposed because of the higher criticality or sensitivity of the \ninformation or functions processed by a cyber system. Many SCADA \nsystems fall into this higher criticality or sensitivity category and \nare consequently held to higher security requirements. In all cases, \nhowever, these additional requirements are consistent with NIST and \nFederal Information Processing Standards (FIPS) guidance.\n    Although the security foundation requirements for all federal \nentities are very similar for systems of similar sensitivity and \ncriticality, civilian agencies, such as the Department of the Interior, \nare subject to the cyber security guidance published by NIST. Agencies \nunder the Department of Defense, such as the Army Corps of Engineers, \nare subject to a different set of policy, standards, and guidance. \nCyber security policy developed by the Department of the Interior and \nthe Bureau of Reclamation will probably not be identical to that \nprepared by the Army Corps of Engineers, the Tennessee Valley \nAuthority, or other federal entities. The differences, though, are \nlikely to be in details related to meeting mission and organizational \nneeds and requirements, not in foundational cyber security requirements \nor security best practices.\n\n    Question: Do all Bureau of Reclamation dams use the Risk Assessment \nfor Dams to assess the threat, vulnerabilities, consequences, and \nultimate risk that the dam faces?\n    Answer: Reclamation uses three methodologies depending on facility \ncriticality. 
For National Critical Infrastructures, Reclamation uses \nthe Defense Threat Reduction Agency assessments. For 50 of our critical \nfacilities, we use the RAM-D methodology. For lower priority \nfacilities, Reclamation uses the Matrix Security Risk Analysis (MSRA).\n\n    Question: How many Bureau of Reclamation facilities have done RAM-D or \nother assessments? Have those vulnerabilities been addressed so that \nsecurity is up to an acceptable level?\n    Answer: Following the events of 9-11, security was enhanced at all \nReclamation facilities, with full-time guards and patrols being \ndeployed to the most critical facilities. Reclamation initiated \ncomprehensive security risk assessments at all 280 critical facilities, \ncompleting the most critical facilities in 2002 and the less critical \nones this past year. The assessments identified potential threats, \nvulnerabilities, and consequences. The assessments resulted in numerous \nrecommendations for enhancing security through both procedures and \nfacility fortifications. Recommendations for enhancing security \nprocedures were implemented upon completion of the assessments, as they \ngenerally did not require new funding. Recommendations for facility \nfortifications require additional funding, and those are being \nprogrammed and implemented on a priority basis. Security fortifications \nare complete at one National Critical Infrastructure (NCI) facility and \nin progress at the other and several Major Mission Critical (MMC) \nfacilities. Over 73% of all recommendations resulting from the risk \nassessments have already been implemented.\n\n    Question: Dams are one of the Key Asset Sectors identified in \nHomeland Security Presidential Directive 7. Since the issuance of HSPD 7, how \nmuch has the Bureau of Reclamation\'s security budget increased? 
Have you had to shift \nspending from other priorities to pay for security?\n    Answer: Reclamation\'s enacted and requested security budgets have \nincreased over the FY 2003 appropriated security budget of $28,440,000. \nReclamation continues to take its security responsibilities seriously, \nand aligns security priorities with all other mission critical \nprograms.\n    Following is a brief summary of Reclamation funding for security \nfor Fiscal Years 2003 through 2006:\n        FY 2003: $28,440,000 appropriated\n        FY 2004: $28,583,000 appropriated\n        FY 2005: $43,216,000 appropriated\n        FY 2006: $50,000,000 ($40 million appropriated, $10 million from \n        beneficiaries)\n\n  Responses from Dr. Sam Varnado to the Honorable Bennie G. Thompson \n                               Questions\n\n    I. THE THREAT: PROBABILITY/IMPACT OF ATTACKS ON SCADA SYSTEMS\n        <bullet> (To all) Based on all available research, how likely \n        is an attack on a SCADA system?\n    The probability of an attack by a dedicated adversary is not known. \nThe probability of nuisance acts, occurring on a daily basis, is 100%.\n    There is no current, reliable, classified or unclassified estimate \nof the specific probability of a malevolent attack on SCADA systems. \nHowever, we know SCADA systems are vulnerable. We also note an article \nin the June 27, 2002 Washington Post that these systems have been \ntargeted by al-Qa\'ida terrorists who have a great deal of capability \nand patience. There are signs that hacker coalitions and nation states \nare collecting information on SCADA systems. The sophisticated threats \nhave significant financial resources and can attack at will. 
Because of \nthe commonality of computing platforms in a networked system, an attack \nthat is successful against one will almost surely succeed against them \nall, and at only slight additional cost to the attacker.\n    SCADA systems are now moving from the old stand-alone legacy \nsystems to systems that use the internet or local enterprise networks \nas the backbone. This means that all the current computer attack \nmodes--worms, viruses, denial of service--can now deny or disable \ncontrol systems. It is no longer a requirement for a successful \nattacker to be a control systems expert to bring down a SCADA system. \nThese types of attacks occur daily.\n\n        <bullet> (To any of the labs) What cyber security failures and \n        incidents have you seen with SCADA networks?\n    Sandia National Laboratories has performed numerous critical \ninfrastructure assessments that identified common vulnerabilities in \nSCADA systems. The results are published in a paper entitled ``Common \nVulnerabilities in Critical Infrastructure Control Systems\'\' that can \nbe found at http://www.sandia.gov/scada/documents/031177C.pdf. This \npaper describes the types of vulnerabilities we have identified.\n    In addition to our assessments, there have been the following \ndocumented incidents:\n        It has been reported that in June 1982, exploitation of SCADA \n        software created a damaging attack on the Trans-Siberian \n        pipeline. The software that was used to run the pumps, \n        turbines, and valves of the pipeline was programmed to \n        malfunction after a specific time interval. The malfunction \n        caused the control system to reset the pump speeds and valve \n        settings to produce pressures beyond the failure ratings of the \n        pipeline joints and welds. 
The result was the largest non-\n        nuclear explosion (3 kilotons) ever seen from space.\n    In January 2003, the ``Slammer\'\' worm disabled a monitoring system \nat the Ohio Davis-Besse nuclear power plant. The worm entered through \nan improperly secured network connection to a contractor\'s facility. \nThe worm crashed the computerized panel used to monitor the plant\'s most \ncrucial safety indicators. This incident did not pose a safety threat \nat the time because the reactor was offline for repairs and the \nredundant analog monitoring systems were still in operation. However, \nthis event illustrates the impact that a computer worm can have on a \nSCADA System. Reference: ``Slammer worm crashed Ohio nuke plant \nnetwork,\'\' Kevin Poulsen, Security Focus (19 August 2003): http://\nwww.securityfocus.com/news/6767\n    In May 2001, attackers were apparently able to gain access to one \nof the computer networks at the California Independent System Operator \n(Cal-ISO) corporation. This hacking incident was apparently \nunsuccessful at penetrating any process control system network, yet it \nuncomfortably extended over a period of more than two weeks. Reference: \n``California hack points to possible IT surveillance threat,\'\' Dan \nVerton, Computerworld (12 June 2001): http://www.computerworld.com/\nindustrytopics/energy/story/0,10801,61313,00.html\n    One verified attack occurred in April 2000 at Maroochy Shire, \nQueensland. Disruption of the SCADA systems that controlled the plant \nresulted in release of copious quantities of sewage into parks, rivers, \nand a hotel, severely fouling the environment. 
Reference: ``Hacker \njailed for revenge sewage attacks,\'\' Tony Smith, The Register (UK) (31 \nOctober 2001): http://www.theregister.co.uk/content/4/22579.html\n    At about 3:28 PM Pacific Daylight Time on June 10, 1999, a 16-inch-\ndiameter steel pipeline owned by Olympic Pipe Line Company ruptured and \nreleased about 237,000 gallons of gasoline into a creek that flowed \nthrough Whatcom Falls Park in Bellingham, Washington. About 1.5 hours \nafter the rupture, the gasoline ignited and burned approximately 1.5 \nmiles along the creek. Two 10-year-old boys and an 18-year-old young \nman died as a result of the accident. Eight additional injuries were \ndocumented. A single-family residence and the city of Bellingham\'s \nwater treatment plant were severely damaged. As of January 2002, \nOlympic estimated that total property damages were at least $45 \nmillion. The National Transportation Safety Board listed five reasons \nfor the rupture. The fifth was Olympic Pipe Line Company\'s practice of \nperforming database development work on the SCADA system while the \nsystem was also being used to operate the pipeline, which led to the \nsystem\'s becoming nonresponsive at a critical time during pipeline \noperations. Reference: http://www.ntsb.gov/publictn/2002/PAR0202.htm\n\n    <bullet> (To all) Based on all available research, how frequently \nare SCADA networks attacked?\n    Again, the answer depends in part on how one defines ``attack\'\'. If \nattack includes active scanning, attempts to take advantage of \nunpatched vulnerabilities, worms, viruses, and spyware, then any \ncontrol system network connected directly or through a business network \nto the Internet is under constant attack. It is reasonable to assume \nthat network-connected SCADA systems across the country are probed \ndaily.\n    There have not been many documented malevolent attacks of SCADA or \ncontrol systems. 
Attacks do happen, and there are more attacks than we \nknow about because some infrastructure owners are reluctant to report \nSCADA attacks. They worry about loss of public confidence and \ncompetitive issues. We have seen a few targeted attacks in our 10 years \nof experience.\n\n    <bullet> (To any of the labs) Is it possible to devise an attack to \ndisable or disrupt a SCADA network for an extended period of time? If \nso, what is being done to mitigate such attacks?\n    Yes, it is possible to disable or disrupt a SCADA network for an \nextended period of time. The exact method of attack depends on the \nindividual circumstances of the SCADA network. The Maroochy Shire \nwastewater SCADA system attack in Australia is often cited because the \ndetails are unclassified. Whether one considers the consequences \nsignificant or not, the fact remains that disgruntled computer expert \nVitek Boden caused a chronic disruption of a SCADA network for three \nmonths. His attack could have been more sophisticated and, possibly, \nmight have caused greater consequences. More significantly, the SCADA \ncomponents he attacked are commonly used in domestic water treatment \nsystems. Sandia\'s internal research and development has discovered \nforms of attack that could result in even greater consequences. The \ndetails of these attacks are classified and would need to be shared in \na different venue.\n    The responsibility for mitigation is distributed among the SCADA \nnetwork owner/operators, the SCADA network integrators, the SCADA \nequipment vendors, industry groups, and regulators. Even when one of \nthe players takes responsibility for security, they can only mitigate \nthe portion they control. Operators can put in place security policies, \nplans, and implementation, but they are at the mercy of vendors who may \nnot provide features necessary for security. 
For this reason, the \ndegree of mitigation of SCADA networks is highly variable.\n    Mitigation efforts may not be implemented for several reasons. \nFirst, a business case for industry to invest in SCADA security has not \nbeen clearly made. As a result, funding for security personnel and \nequipment is often inadequate.\n    A second problem is natural attrition through aging of key \npersonnel in utility operations. Taken together, it is probable that \nquick automation repairs will no longer be possible for many utilities \nin the very near future, primarily because of a shortage of trained \npersonnel and old equipment. Backup manual operation is further \nexacerbated by the paucity of skilled and experienced personnel. There \nare also limitations on the number of field operators to deploy to \nremote locations in manual situations when data are unavailable to the \nSCADA system. Therefore, if the loss of some automation functionality \nwill likely cause severe problems for utility operations (including \nsystem management functions, system/plant automated control, or any of \nthe supporting data categories), a redundant system and/or network is \nrequired.\n    Third, classification, anti-trust, and proprietary issues get in \nthe way of the open sharing of threat and vulnerability information \namong industry stakeholders.\n    Sandia has been teaching courses on SCADA security assessment and \nbest practices for mitigation to industry and government for several \nyears. In that time, our message has been heard by some entities, who \nare now asking for more information. We have performed vulnerability \nassessments that continue to confirm the presence of common \nvulnerabilities.\n\n    <bullet> (To KP Ananth or Sam Varnado) Electric power is important \nfor nearly all the things that Americans do--from businesses to schools \nto government to many forms of recreation. 
Has your research shown that \nthe SCADA systems that control our power generation and distribution \nare fully protected from attacks launched from the Internet? If not, \nwhat kind of damage do your researchers believe smart, well-researched \nattacks could cause?\n    SCADA networks that control electric power generation, \ntransmission, and distribution are not fully protected from attacks \nlaunched from the internet. Well-researched attacks can cause burn-out \nof expensive, hard-to-replace equipment such as transformers. The \nduration of such outages could extend to several months. Other computer \nattacks, such as worms or viruses, could create outages lasting for \ndays.\n    Further information about the consequences of a smart, well-\nresearched attack is available at a classified level and could be \nprovided in another venue.\n\n    <bullet> (To Sam Varnado, KP Ananth, Bill Rush) We\'ve heard a lot \nabout the impact of a terrorist attack on a control system. But as we \nsaw during Katrina, natural disasters can cause devastating impacts to \nour control system infrastructure too. What kind of impact would a \nnatural disaster have on control systems in California (earthquakes), \nOregon (tidal waves/tsunamis), the Gulf Coast (hurricanes), and \nelsewhere?\n    Terrorist attacks differ from natural disasters in that the \nterrorists take a functional attack perspective. In other words, they \nlook to destroy or alter the functionality of a SCADA system. In \ncontrast, a natural disaster is random and geographically dependent. \nAnything within the physical range of the disaster is affected. \nAnything outside is less likely to be affected. Many companies have \ncreated redundant control centers to better prepare for such disasters. \nThe critical assets are identified and duplicated, and risk-mitigation \nplans are usually in effect.\n    In some respects, certain natural disasters are easier to handle \nthan focused cyber attacks. 
A crew made up of control specialists and \nphysical facilities members can very quickly determine what physical \nassets have been damaged. These assets can be reordered and replaced \nlike any other field equipment. Typically, control systems are composed \nof off-the-shelf parts and reordering is not usually a problem.\n    Lack of warning is one aspect that makes response to some disasters \nmore difficult. Hurricanes are different than earthquakes, tsunamis, \nand terrorist events. Damage can be minimized if there is enough \nwarning to allow shut down. When the event happens with little or no \ntime to prepare, the chance for damage increases. Listed below are the \nareas of concern, the disaster being considered, and the potential \nimpact.\n\nGulf Coast:\nNatural Disaster: Hurricane\nInfrastructure: Oil, Gas, chemical, electrical\nImpact: Because of pre-warning, these infrastructures are reasonably \nwell equipped to deal with the disaster. Control system equipment can \nbe damaged or destroyed, resulting in outages of service. However, if \nthe infrastructure elements are shut down prior to the storm, damage \ncan be minimized.\n\nCalifornia:\nNatural Disaster: Earthquake\nInfrastructure: Oil, Electricity, Telecommunication, Natural Gas\nImpact: Without warning, many of the infrastructure control systems \ncould be severely damaged through physical destruction of computer \nfacilities. Impacts could be severe and widespread. However, backup \nsystems located in unaffected areas will help minimize the impact and \nhelp in system recovery.\n\nOregon:\nNatural Disaster: Earthquake, Tidal Wave\nInfrastructure: Oil, Electricity, Natural Gas\nImpact: Tidal waves are of less concern than earthquakes. Most \ninfrastructure assets are well protected from tidal waves by \nlandmasses, but they lie in a critical area for earthquakes. 
Loss of \nelectricity because of extensive physical damage could lead to failures \nin other infrastructures because they need electricity in order to \nsafely shut down. In addition, the economy in the Pacific Northwest \ncould be severely impacted if electrical failures caused a disruption \nof port activities.\n    The Department of Homeland Security\'s (DHS\'s) National Infrastructure \nSimulation and Analysis Center (NISAC) at Sandia has created a number \nof relevant reports on the economic consequences of natural disasters \nas follows:\n        <bullet> Numerous Katrina reports on damage from Katrina both \n        before and after landfall\n        <bullet> A report entitled ``Infrastructure Assets in \n        Seismically Active Zones in the Pacific Northwest\'\'; this \n        report addresses assets located in Washington, Oregon, and \n        Idaho\n        <bullet> Analysis of economic impacts of port disruptions in \n        the Pacific Northwest.\n    Natural disasters affect all critical infrastructures. The \ninterdependent nature of the infrastructure amplifies the consequences \nof disruption in any one sector. Fortunately, preparing for the \nabnormal natural disaster event also helps prepare for the malevolent \nattack. Many of the practices that Sandia teaches in our course on \nsustainable security are equally applicable to sustaining operations \nduring natural disasters and recovering after those disasters.\n\nII. THE PUBLIC/PRIVATE RELATIONSHIP IN DEVELOPING A SCADA SOLUTION\n        <bullet> (To any of the labs) I understand the National Labs \n        are conducting extensive research into SCADA and control \n        systems. What resources are you currently lacking? How are you \n        coordinating these efforts with the private sector? What can \n        the federal government do to provide you with more resources?\n    Our biggest need is predictable, sustainable, multi-year funding \ntied to a well-defined research and development plan. 
We have \noutstanding well-trained staff who are experts in cyber security. \nHowever, cyber research has not been emphasized by DHS. DHS should \nensure that the best technical capability in the country is applied to \nthis problem. The national labs--particularly Sandia and Idaho national \nlaboratories--have the necessary talent, but DHS needs more funding to \napply to the problem.\n    In addition, existing DHS programs, emphasize the conventional \nhacker threat. There is a need to address the more sophisticated \nthreats such as those coming from terrorists and nation states. Sandia \nhas outstanding capabilities in these areas, but they are not being \napplied to the SCADA problem.\n\n        <bullet> How are you coordinating these efforts with the \n        private sector?\n    We are currently working with DOE and private industry to develop a \nroadmap for securing the nation\'s energy infrastructure from the cyber \nthreat. In addition, we currently engage in a variety of outreach and \nawareness activities, including teaching vulnerability assessment and \nSCADA security courses to industry, making technical presentations, and \nproviding the products of our research on a website, http://\nwww.sandia.gov/scada/. We participate in programs such as the Institute \nfor Information Infrastructure Protection (I3P), Linking the Oil and \nGas Industry to Improve Cyber Security (LOGI2C), Process Control \nSystems Forum (PCSF), and the National SCADA Test Bed (NSTB); all are \naimed at fostering cooperation and coordination with industry. 
We also \nfrequently host visits from industry to Sandia.\n    Additionally, we provide training on risk assessment methodology \nand vulnerability mitigation to a wide range of industrial customers.\n\n        <bullet> What can the Federal Government do to provide you with \n        more resources?\n    Funding should be increased for improvements in cyber security \ntechnology so that DHS can provide tools for\n        <bullet> high speed intrusion detection systems\n        <bullet> software assurance\n        <bullet> attack attribution and trace-back\n        <bullet> security modeling of existing and proposed SCADA \n        systems\n        <bullet> network visualization for mapping cyber disruptions\n        <bullet> triage of threat scenarios across many vectors\n        <bullet> assuring the reliable performance of commercial off-\n        the-shelf (COTS) products. We need funding of $15M/yr to apply \n        to this problem\n        <bullet> models and simulations to understand the large-scale, \n        transient consequences of attacks on the power grid.\n    Funding for a new program to address the sophisticated threat \nshould also be provided. We anticipate that more sophisticated and \nstrategically integrated cyber attacks--such as those that might be \nmarshaled by a well-funded and highly capable terrorist or nation-state \nactor--will occur against control systems. An effort is needed to \ndevelop the analytic resources and technologies required to detect and \npredict these threats based on control system vulnerabilities, to \nstrengthen our preventive measures, to increase our ability to respond \nexpediently, and to model these more sophisticated threats and analyze \nthe operational impacts they have on control systems. In general, this \nis a better role for national laboratories than for universities and \nprivate industry vendors. Sandia could lead this program. 
This effort \nshould include a strong emphasis on the problems of building trusted \nsystems from untrusted COTS components.\n    Further, we need funds to work more closely with industry to \nprovide in-depth vulnerability assessments of existing systems, to help \nindustry utilize existing risk assessment models, and to formulate a \nbusiness case for investment in cyber security.\n    Finally, DHS needs to identify the commonalties in SCADA systems \nacross all infrastructure elements and then define and coordinate \nefforts for improving SCADA system security across these \ninfrastructures. Industry infrastructures owners should be provided a \nsingle point of contact for their interactions with DHS.\n\n        <bullet> (To any of the labs) It has been widely reported that \n        both industry and the federal government find it difficult to \n        estimate the economic impact of a cyber security attack. Has \n        the lack of actual quantifiable damages made the private sector \n        leery of investing in cyber security?\n    At the I3P SCADA Security Conference in June 2005, held in Houston, \npanelists from industry made exactly this point. They said:\n        ``The lack of quantifiable damages is one of the missing \n        components that would feed into the private sector\'s cost-\n        benefit and return-on-investment analysis. The economic case \n        for investing in cyber security has to be stronger than the \n        economic case for investing in anything else before the private \n        sector will be compelled to make cyber security investments.\'\'\n    This observation illustrates the difficulty that industry is having \nin making a business case for investment in cyber security. There are \ntwo steps that will help overcome the noted deficiency. First, DHS \nshould fund the national laboratories to work with industry in \nutilizing the lab\'s risk assessment methodology to help industry make \nthe business case. 
Second, DHS should apply the skills of NISAC, run by \nSandia and Los Alamos labs, to the problem of determining the economic \nconsequences of infrastructure outages caused by cyber attacks.\n\n        <bullet> (To Sam Varnado, KP Ananth, Bill Rush) Can you tell us \n        specifically how your research on SCADA has, to date, impacted \n        the way SCADA systems in the field are secured, and what \n        percentage of those systems have been impacted? If that\'s not a \n        big number, what is stopping us from putting the results of \n        your research into practice in the field?\n    We have directly affected relatively few systems, on the order of \ntens. Unfortunately, our program is small and the number of control \nsystems is huge. We have indirectly affected--either by developing \nself-assessment methodologies or through outreach--on the order of \nhundreds of control systems. We have diffused our standards work to \nthousands of control systems. In spite of such efforts, we have only \naffected a small fraction of the control systems on which the nation \ndepends for its current infrastructure security.\n    The biggest obstacle to technology transfer is the business case \nissue. Even when industry believes there is a business case for \nsecurity measures, they believe that they need only increase security \nenough to protect against the low-level threat--background noise, \nindividual hackers, and possibly hacktivists. It is industry\'s \ncontention that government should protect against the larger threats--\norganized crime, terrorists, and nation-state threats--either through \nlaw-enforcement or national defense. 
We need to expand our public/\nprivate partnerships to define best industry practices as a function of \nrisk and cost, then develop and disseminate the appropriate technology.\n\n        <bullet> (To Sam Varnado, KP Ananth, Bill Rush) What has the \n        money we have already spent on SCADA research done to improve \n        SCADA security in the field?\n    A specific instance of improved SCADA security is the work \nconducted to develop RAM-W, a self-assessment methodology for water \nutilities. Hundreds of water utilities used that methodology to help \nsecure their SCADA systems. One particular utility, Washington \nAqueduct, operated by the US Army Corp of Engineers, has benefited \ndirectly from the assessment and the secure design requirements that \nSandia provided for their new SCADA system as a follow-on project.\n    We have been active in international standards organizations by \nhelping to provide a security perspective to their guidelines, by \ndeveloping training classes, and by developing self-assessment \nmethodologies. We have also developed technology to secure \ncommunication links and improve cryptographic research.\n    We have published and distributed to industry a report entitled \n``Common Vulnerabilities in Critical Infrastructure Control Systems.\'\' \nWe have also provided training courses to industry on vulnerability \nassessments of SCADA systems as well as risk assessment methodologies \nto help industry solve its own problems.\n    Further, we have identified specific vulnerabilities in SCADA \nsystems from several vendors. We have also explained to those vendors \nhow the vulnerabilities can be mitigated.\n    Over the last ten years, Sandia has invested in SCADA security \nresearch, through its own internal research and development funds, on \nthe order of $4 million. Currently we are funded through external \nsources--DHS, DOE, industry, and university collaborations--at \napproximately $3 million this fiscal year. 
This level of funding is not \nadequate to address the very hard problems that SCADA security \npresents.\n\n        <bullet> (To Sam Varnado, KP Ananth, Bill Rush) Is there any \n        risk of duplicating efforts with the lab beds at Sandia and \n        Idaho and other research around the country?\n    There is no duplication. The efforts are complementary, with each \nlab applying its unique capabilities to different parts of the \nproblems.\n    The test bed at Idaho National Laboratory is designed to \ndemonstrate the effects of cyber attacks on large scale physical \nstructures. It is a unique facility.\n    The test bed at Sandia is in reality a SCADA security laboratory \nthat conducts leading-edge research on cyber security methods such as \nvulnerability assessments, cryptography, security of wireless networks, \nand threat analysis. It provides the capability to test the robustness \nof SCADA systems from various vendors in a laboratory environment at \nlow cost. It is also set up to evaluate the more sophisticated \nadversaries.\n    Further, DHS manages the work at both labs and provides a program \nmanager to make sure tasks are assigned in a way that avoids \nduplication. It is important that DHS understands and acknowledges the \nuniqueness of each lab and works to make sure that the participants at \none lab do not duplicate existing capabilities at the other lab.\n\nIII. THE FEDERAL GOVERNMENT\'S ROLE IN CYBER SECURITY\n        <bullet> (To Andy Purdy and ALL) There are several SCADA test \n        beds across the country. Is there any risk of duplicating \n        efforts with the lab beds at Sandia and Idaho and other \n        research? Is there any way to consolidate these efforts?\n    See our answer on duplication under the preceding question.\n    Consolidating these facilities does not make sense because they \nhave separate roles. 
One is a large, full-scale test and demonstration \nfacility; the other is a state-of-the-art research facility needed for \ndeveloping countermeasures for the increasingly sophisticated threat \nenvironment.\n\nIV. THE FEDERAL ROLE IN THE FUTURE\n        <bullet> (To Sam Varnado and K.P Ananth) Based on your \n        knowledge of the SCADA research field, what are the most \n        promising technological breakthroughs you see that can protect \n        our SCADA systems in the short term? I realize there are no \n        silver bullets, but please list the solutions that will \n        actually work to protect our SCADA systems.\n    First, industry infrastructure owners need to define security \npolicies and best practices for their own systems. Security is not just \na technology problem. It is one of sustainable security--hardware, \nsoftware, people, and procedures. Employees need to be trained in \ndetecting attacks. Widespread adoption of best security practices has \nhigh payoff and low costs. If all control systems implement best \nsecurity practices, the bar will be raised against all adversaries.\n    Second, the latest security advances such as intrusion detection \nsystems, firewalls, encryption, and other technologies should be \napplied. For example, the application of new Layer 3 firewalls in \nswitches is emerging and shows promise for improving the security of \ncontrol systems.\n    Third, vulnerability assessments need to be performed on all major \nSCADA systems. 
Then the identified vulnerabilities need to be \nmitigated.\n    Finally, a strong, sustainable R&D program needs to be implemented \nto continue to develop technology for countering new, more \nsophisticated threats by hackers and cyber terrorists who change their \nattack methods on a very frequent basis.\n\n        <bullet> (To any of the labs) How do we make rapid progress in \n        improving security in the field?\n    We must help infrastructure owners develop security policies and \ntrain their people.\n    We must provide incentives and liability relief to developers and \nadopters of security technology. The Safety Act is a good step in this \ndirection.\n    We must support more research into robust, distributed, \nintrospective systems; more research into secure operating systems; \nand--to achieve a high level of security--implement a dedicated \ninternet protocol (IP) and a redesigned IP stack for SCADA use only.\n    We must enable greater access to, and partnerships among, vendors, \nlabs, and asset owner/operators in order to better understand industry \nfacilities, processes, and more technology from the labs to the field.\n    We must provide better and clearer communication among \norganizations working on cyber security to help us develop consensus on \nthe best security solutions. We must also promote opportunities to \nprovide awareness and training to vendors and asset owner/operators.\n\n    <bullet> (Any of the labs) Has the federal government advocated for \nstandards establishing a minimum floor for securing control systems? \nWhat would a minimum floor look like? Have industry leaders begun the \nprocess of developing those standards already? Has the government \nestablished any ``best practices\'\' that can be modeled by industry? 
\nWhat other standards activities are being developed besides AGA 12?\n    To our knowledge, three government initiatives exist today to \naddress securing control systems by providing guidelines and/or cyber \nsecurity requirements to industry: (a) the Technical Support Working \nGroup (TSWG) ``Securing Your Industrial Control System\'\' guide book; \n(b) the NIST release of the ``Guide to Supervisory Control and Data \nAcquisition and Industrial Control System Security\'\'; and (c) the DHS \nUS-CERT Control Systems Security Center (CSSC) Program cyber security \nprotection framework, which includes a set of cyber-security \nrequirements planned to be released in 2006. Whether these individual \ngovernment released documents constitute a ``minimum level of \nstandards/guidelines\'\' is not clear.\n    From our experience, a minimum set of security control system \nstandards would not come from a single standards body but would most \nlikely comprise the work of various standards bodies. There is no \nsingle standards body to provide a comprehensive list of control \nsystems cyber security standards.\n    Industry-led standards bodies have begun developing standards to \naddress the issue of securing control systems. However, dozens of \ngroups/organizations currently exist that are working on control \nsystems security standards. Coordination of these efforts is both \nessential and, at the same time, difficult. Inconsistent and \nconflicting standards generated from these various groups confuse \nindustry and asset owners/providers. A more concerted effort on the \npart of the government is needed to assist industry and asset owners in \n(1) maneuvering through the abundance of control systems cyber security \nstandards and (2) encouraging them to develop consistent control \nsystems cyber security standards across all critical infrastructure \nsectors. 
A single point of contact within DHS for cross-sector \ninvolvement in control systems cyber security standards is needed. This \npoint of contact would facilitate and assist in directing industry \npartners to relevant security guidelines, practices, and standards, and \nit would encourage consistent application of cyber security standards.\n    Other standards bodies include API 1164, CIDX, FIPS Pub 200, ISA \nSP99, NERC, and NIST SP800-53--as well as others too numerous to list. \nThe international standards bodies (e.g., IEC) are an important group \nbecause the majority of SCADA vendors are international and follow \nthose guidelines.\n\n    <bullet> (To any of the labs) Some have mentioned the value of a \n``vendor\'\' incentives system that would provide tax and other financial \nincentives to manufacturers who are producing control systems that are \nalready in ``best practice\'\' compliance. How feasible is this, and have \nthere been evaluations of the cost to the federal government?\n    Best practice compliance can be conducted at a component or sub-\nsystem level if clear metrics are established to define the practice. \nBut even here care must be taken not to impose a standard on something \nthat a later technology might supersede. Cyber security technology is a \nrapidly changing field.\n    Great care would need to be taken to insure that the ``best \npractice\'\' standards would not be negotiated down to the point that \ncompanies just need to fill out the right forms and jump through the \nright legal hoops--doing little to actually improve security. A third \nparty, Underwriter\'s Laboratory approach may be necessary to properly \nevaluate vendor\'s products and validate claims. Some analysis should \nalso be performed to determine the appropriate incentives for \ncompliance (industry, company, product, etc.).\n\n                                 <all>\n\x1a\n</pre></body></html>\n'