Critical Infrastructure Protection: Multiple Efforts to Secure	 
Control Systems Are Under Way, but Challenges Remain (10-SEP-07, 
GAO-07-1036).							 
                                                                 
Control systems--computer-based systems that monitor and control 
sensitive processes and physical functions--perform vital	 
functions in many of our nation's critical infrastructures,	 
including electric power, oil and gas, water treatment, and	 
chemical production. The disruption of control systems could have
a significant impact on public health and safety, which makes	 
securing them a national priority. GAO was asked to (1) determine
cyber threats, vulnerabilities, and the potential impact of	 
attacks on critical infrastructure control systems; (2) determine
the challenges to securing these systems; (3) identify private	 
sector initiatives to strengthen the cybersecurity of control	 
systems; and (4) assess the adequacy of public sector initiatives
to strengthen the cybersecurity of control systems. To address	 
these objectives, we met with federal and private sector	 
officials to identify risks, initiatives, and challenges. We also
compared agency plans to best practices for securing critical	 
infrastructures.						 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-07-1036					        
    ACCNO:   A77409						        
  TITLE:     Critical Infrastructure Protection: Multiple Efforts to  
Secure Control Systems Are Under Way, but Challenges Remain	 
     DATE:   09/10/2007 
  SUBJECT:   Command and control systems			 
	     Computer systems					 
	     Critical infrastructure				 
	     Cyber security					 
	     Homeland security					 
	     Information infrastructure 			 
	     Information security				 
	     Information technology				 
	     Private sector					 
	     Risk assessment					 
	     Risk management					 
	     Strategic planning 				 
	     Security standards 				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-07-1036

United States Government Accountability Office:
GAO: 

Report to Congressional Requesters:  

September 2007: 

Critical Infrastructure Protection: 

Multiple Efforts to Secure Control Systems Are Under Way, but 
Challenges Remain: 

GAO-07-1036: 

GAO Highlights: 

Highlights of GAO-07-1036, a report to congressional requesters.  

Why GAO Did This Study: 

Control systemsï¿½computer-based systems that monitor and control 
sensitive processes and physical functionsï¿½perform vital functions in 
many of our nationï¿½s critical infrastructures, including electric 
power, oil and gas, water treatment, and chemical production. The 
disruption of control systems could have a significant impact on public 
health and safety, which makes securing them a national priority. GAO 
was asked to (1) determine cyber threats, vulnerabilities, and the 
potential impact of attacks on critical infrastructure control systems; 
(2) determine the challenges to securing these systems; (3) identify 
private sector initiatives to strengthen the cybersecurity of control 
systems; and (4) assess the adequacy of public sector initiatives to 
strengthen the cybersecurity of control systems. To address these 
objectives, we met with federal and private sector officials to 
identify risks, initiatives, and challenges. We also compared agency 
plans to best practices for securing critical infrastructures.  

What GAO Found: 

Critical infrastructure control systems face increasing risks due to 
cyber threats, system vulnerabilities, and the serious potential impact 
of attacks as demonstrated by reported incidents. Threats can be 
intentional or unintentional, targeted or nontargeted, and can come 
from a variety of sources. Control systems are more vulnerable to cyber 
attacks than in the past for several reasons, including their increased 
connectivity to other systems and the Internet. Further, as 
demonstrated by past attacks and incidents involving control systems, 
the impact on a critical infrastructure could be substantial. For 
example, in 2003, a computer virus was blamed for shutting down train 
signaling systems throughout the East Coast and in 2006, a foreign 
hacker was reported to have planted malicious software capable of 
affecting a water filtering plantï¿½s treatment operations.  

Critical infrastructure owners face both technical and organizational 
challenges to securing control systems. Technical challengesï¿½including 
control systemsï¿½ limited processing capabilities, real-time operations, 
and design constraintsï¿½hinder an infrastructure ownerï¿½s ability to 
implement traditional information technology security processes, such 
as strong user authentication and patch management. Organizational 
challenges include difficulty in developing a compelling business case 
for investing in control systems security and differing priorities of 
information security personnel and control systems engineers. 

Multiple private sector entities such as trade associations and 
standards setting organizations are working to help secure control 
systems. Their efforts include developing standards, providing guidance 
to members, and hosting workshops on control systems security. For 
example, the electricity industry has recently developed standards for 
cybersecurity of control systems and a gas trade association is 
developing guidance for members to use encryption to secure control 
systems.  

Federal agencies also have multiple initiatives under way to help 
secure critical infrastructure control systems, but more remains to be 
done to coordinate these efforts and to address specific shortfalls. 
Over the past few years, federal agenciesï¿½including the Department of 
Homeland Security, the Department of Energy, and the Federal Energy 
Regulatory Commission (FERC)ï¿½have initiated efforts to improve the 
security of critical infrastructure control systems. However, there is 
as yet no overall strategy to coordinate the various activities across 
federal agencies and the private sector. Further, DHS lacks processes 
needed to address specific weaknesses in sharing information on control 
system vulnerabilities. Until public and private sector security 
efforts are coordinated by an overarching strategy and specific 
information sharing shortfalls are addressed, there is an increased 
risk that multiple organizations will conduct duplicative work and miss 
opportunities to fulfill their critical missions.  

What GAO Recommends: 

GAO is making recommendations to the Department of Homeland Security 
(DHS) to develop a strategy for coordinating control systems security 
efforts and to enhance information sharing with relevant stakeholders. 
DHS officials did not agree or disagree with GAOï¿½s recommendations, but 
stated that they would take them under advisement.  

[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-1036]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Dave Powner at (202) 512-
9286 or at [email protected].  

[End of section]  

Contents: 

Letter: 

Results in Brief: 

Background: 

Critical Infrastructure Control Systems Face Increasing Risks Due to 
Cyber Threats, Vulnerabilities, and the Potentially Serious Impact of 
an Attack: 

Critical Infrastructure Owners Face Technical and Organizational 
Challenges to Securing Control Systems: 

The Private Sector Has Multiple Initiatives Under Way to Help Secure 
Control Systems: 

Federal Agencies Have Multiple Initiatives to Help Secure Critical 
Infrastructure Control Systems, but More Remains to Be Done: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: The Department of Homeland Security's Control Systems 
Security Initiatives: 

Appendix III: The Department of Energy's Initiatives to Support Control 
Systems Security within the Energy Sector: 

Appendix IV: Other Agencies' Initiatives to Help Secure Critical 
Infrastructure Control Systems: 

Appendix V: GAO Contacts and Staff Acknowledgments: 

Tables: 

Table 1: Critical Infrastructure Sectors and Designated Sector-Specific 
Agencies: 

Table 2: Sources of Cyber Threats to Critical Infrastructures: 

Table 3: Comparing IT Systems to Control Systems Illustrates Security 
Challenges: 

Table 4: Key Control System Security Initiatives in the Electricity 
Sector: 

Table 5: Key Control System Security Initiatives in the Oil and Gas 
Sector: 

Table 6: Key Control System Security Initiatives in the Water Sector: 

Table 7: Control System Security Initiatives that Affect Multiple 
Sectors: 

Table 8: Selected DHS Control Systems Security Initiatives: 

Table 9: NIST Control Systems Security Efforts: 

Figures: 

Figure 1: Examples of Critical Infrastructures (clockwise from upper 
left: chemical plants, nuclear power plants, hydroelectric dams, and 
railroads): 

Figure 2: Control Room of an Electric Power Company: 

Figure 3: Major Components of a SCADA System: 

Figure 4: Components of a Control System in a Water Treatment and 
Distribution Facility: 

Figure 5: A Substation That Is Part of Idaho National Laboratory's 
Facilities for Testing Control Systems: 

Figure 6: The Pacific Northwest National Laboratory's Electricity 
Infrastructure Operations Center: 

Abbreviations: 

CIP: critical infrastructure protection: 
DHS: Department of Homeland Security: 
DOE: Department of Energy: 
FERC: Federal Energy Regulatory Commission: 
IT: information technology: 
NERC: North American Electric Reliability Corporation: 
NIST: National Institute of Standards and Technology: 
SCADA: supervisory control and data acquisition: 
US-CERT: United States Computer Emergency Readiness Team:  

[End of section]  

United States Government Accountability Office:  

Washington, DC 20548:  

September 10, 2007:  

Congressional Requesters: 

Control systems are computer-based systems that are used in many 
industries to monitor and control sensitive processes and physical 
functions. Control systems perform vital functions in many of our 
nation's critical infrastructures, including electric power generation, 
transmission, and distribution; oil and gas refining and pipelines; 
water treatment and distribution; chemical production and processing; 
railroads and mass transit; and manufacturing. Ten years ago, the 
President's Commission on Critical Infrastructure Protection 
highlighted the risk of cyber attacks on critical infrastructures, 
stating that "the widespread and increasing use of supervisory control 
and data acquisition systems for control of energy systems provides 
increasing ability to cause serious damage and disruption by cyber 
means." 

In 2003, the National Strategy to Secure Cyberspace[Footnote 1] (often 
called the cyberspace strategy) stated that the disruption of control 
systems could have significant consequences for public health and 
safety, and made securing these systems a national priority. The 
cyberspace strategy further states that both the private and public 
sectors have roles in securing control systems. The strategy directs 
the Department of Homeland Security (DHS), in coordination with the 
Department of Energy (DOE) and other agencies, to work in partnership 
with private industry in increasing awareness of the importance of 
efforts to secure control systems, developing standards, and improving 
policies with respect to control systems security. 

Given the importance of this issue, you asked us to (1) determine cyber 
threats, vulnerabilities, and the potential impact of attacks on 
critical infrastructure control systems; (2) determine the challenges 
to securing critical infrastructure control systems; (3) identify 
private sector initiatives to strengthen the cybersecurity of control 
systems; and (4) assess the adequacy of public sector initiatives to 
strengthen the cybersecurity of control systems. 

To accomplish these objectives, we assessed documentation of control 
system security incidents and analyzed research studies and reports, as 
well as our prior reports and testimonies on control systems, critical 
infrastructure protection (CIP), and national preparedness, among 
others. We analyzed reports by, and met with, private sector and 
federal officials who had expertise in control systems and their 
security. Our work was performed from March 2007 to July 2007 in 
accordance with generally accepted government auditing standards. 
Appendix I contains further details on our objectives, scope, and 
methodology. 

Results in Brief: 

Critical infrastructure control systems face increasing risks due to 
cyber threats, system vulnerabilities, and the serious potential impact 
of attacks as demonstrated by reported incidents. Threats can be 
intentional or unintentional, targeted or nontargeted, and can come 
from a variety of sources including foreign governments, criminal 
groups, and disgruntled organization insiders. Control systems are more 
vulnerable to cyber attacks than in the past for several reasons, 
including their increased connectivity to other systems and the 
Internet. Further, as demonstrated by past attacks and incidents 
involving control systems, the impact on a critical infrastructure 
could be substantial. For example, in 2003, a computer virus was blamed 
for shutting down train signaling systems throughout the East Coast; in 
2006, a foreign hacker was reported to have planted malicious software 
capable of affecting a water filtering plant's water treatment 
operations; and, also in 2006, excessive traffic on a nuclear power 
plant's control system network--possibly caused by the failure of 
another control system device--caused two circulation pumps to fail, 
forcing the unit to be shut down manually. 

Critical infrastructure owners face both technical and organizational 
challenges to securing control systems. Technical challenges-- 
including control systems' limited processing capabilities, real-time 
operations, and design constraints--hinder an infrastructure owner's 
ability to implement traditional information technology (IT) security 
processes, such as strong user authentication and patch management. 
Organizational challenges include difficulty in developing a compelling 
business case for investing in control systems security and differing 
priorities of information security personnel and control systems 
engineers. 

Multiple private sector entities such as trade associations and 
standards setting organizations are working to help secure control 
systems. These organizations include those specific to the electric, 
chemical, oil and gas, and water sectors. Their efforts include 
developing standards, providing guidance to members, and hosting 
workshops on control systems security. For example, the electricity 
industry has recently developed standards for cybersecurity of control 
systems, and a gas trade association is developing guidance for members 
to use encryption to secure control systems. 

Over the past few years, federal agencies--including DHS, DOE, the 
National Institute of Standards and Technology (NIST), the Federal 
Energy Regulatory Commission (FERC), and others--have initiated efforts 
to improve the security of critical infrastructure control systems. 
However, there is as yet no overall strategy to coordinate the various 
control systems activities across federal agencies and the private 
sector. Further, DHS lacks processes needed to address specific 
weaknesses in sharing information on control system vulnerabilities. 
Until public and private sector security efforts are coordinated by an 
overarching strategy, there is an increased risk that multiple 
organizations will conduct duplicative work and miss opportunities to 
learn from other organizations' activities. In addition, until 
information-sharing weaknesses are addressed, DHS risks not being able 
to effectively carry out its responsibility for sharing information on 
vulnerabilities with the private and public sectors. 

We are making recommendations to the Secretary of the Department of 
Homeland Security to develop a strategy for coordinating control 
systems security efforts and to enhance information sharing with 
control systems stakeholders. 

DHS officials, including the Deputy Director of the National Cyber 
Security Division, provided comments via e-mail on a draft of this 
report, but did not agree or disagree with our recommendations. 
Instead, agency officials stated that the agency would take the 
recommendations under advisement. DHS officials also discussed the 
agency's plans to develop a comprehensive strategy for control systems 
security and efforts to develop a process for sharing sensitive 
information on control system vulnerabilities. In addition, DHS 
officials and others who contributed information to this report 
provided technical comments, which we have incorporated in this report 
as appropriate. 

Background: 

Critical infrastructures are physical or virtual systems and assets so 
vital to the nation that their incapacitation or destruction would have 
a debilitating impact on national and economic security, public health, 
and safety. These systems and assets--such as the electric power grid, 
chemical plants, and water treatment facilities--are essential to the 
operations of the economy and the government. Recent terrorist attacks 
and threats have underscored the need to protect our nation's critical 
infrastructures. If vulnerabilities in these infrastructures are 
exploited, our nation's critical infrastructures could be disrupted or 
disabled, possibly causing loss of life, physical damage, and economic 
losses. 

Although the vast majority of our nation's critical infrastructures are 
owned by the private sector, the federal government owns and operates 
key facilities that use control systems, including oil, gas, water, 
energy, and nuclear facilities (see fig. 1). 

Figure 1: Examples of Critical Infrastructures (clockwise from upper 
left: chemical plants, nuclear power plants, hydroelectric dams, and 
railroads) (photographs):  

[See PDF for image]  

Sources (clockwise from upper left): Corbis, PhotoDisc, Corbis, Digital 
Vision.  

[End of figure]  

Control Systems Are Used in Many Critical Infrastructures: 

Control systems are computer-based systems that are used within many 
infrastructures and industries to monitor and control sensitive 
processes and physical functions. Typically, control systems collect 
sensor measurements and operational data from the field, process and 
display this information, and relay control commands to local or remote 
equipment. Control systems perform functions that range from simple to 
complex. They can be used to simply monitor processes--for example, the 
environmental conditions in a small office building--or to manage the 
complex activities of a municipal water system or a nuclear power 
plant. 

In the electric power industry, control systems can be used to manage 
and control the generation, transmission, and distribution of electric 
power (see fig. 2). For example, control systems can open and close 
circuit breakers and set thresholds for preventive shutdowns. The oil 
and gas industry uses integrated control systems to manage refining 
operations at plant sites, remotely monitor the pressure and flow of 
gas pipelines, and control the flow and pathways of gas transmission. 
Water utilities can remotely monitor well levels and control the wells' 
pumps; monitor flows, tank levels, or pressure in storage tanks; 
monitor water quality characteristics such as pH, turbidity, and 
chlorine residual; and control the addition of chemicals to the water. 
Control systems are also used in manufacturing and chemical processing. 
Chemical reactors may use control systems to produce chemicals or 
regulate temperatures within the production process. 

Figure 2: Control Room of an Electric Power Company (photograph):  

[See PDF for image] 

Source: Major electric utility.  

[End of figure]  

Installing and maintaining control systems requires a substantial 
financial investment. DOE cites research estimating the value of the 
control systems used to monitor and control the electric grid and the 
oil and natural gas infrastructure at $3 billion to $4 
billion.[Footnote 2] The thousands of remote field devices represent an 
additional investment of $1.5 billion to $2.5 billion. Each year, the 
energy sector alone spends over $200 million for control systems, 
networks, equipment, and related components and at least that amount in 
personnel costs. 

Control Systems: Types and Components: 

There are two primary types of control systems: distributed control 
systems and supervisory control and data acquisition (SCADA) systems. 
Distributed control systems typically are used within a single 
processing or generating plant or over a small geographic area, while 
SCADA systems typically are used for large, geographically dispersed 
operations. For example, a utility company may use a distributed 
control system to manage power generation and a SCADA system to manage 
its distribution. 

A SCADA system is generally composed of six components: instruments, 
operating equipment, local processors, short-range communication, host 
computers, and long-range communications. 

* Instruments sense conditions such as pH, temperature, pressure, power 
level, and flow rate. 

* Operating equipment includes pumps, valves, conveyors, and substation 
breakers that can be controlled by energizing actuators or relays. 

* Local processors communicate with the site's instruments and 
operating equipment. Local processors go by several different names, 
including programmable logic controller, remote terminal unit, 
intelligent electronic device, and process automation controller. A 
single local processor may be responsible for dozens of inputs from 
instruments and outputs to operating equipment. Local processors can 
collect instrument data; turn on and off operating equipment; translate 
protocols so different controllers, instruments, and equipment can 
communicate; and identify alarm conditions. 

* Short-range communication consists of the relatively short cables or 
wireless connections that carry analog and discrete signals between the 
local processors and the instruments and operating equipment. The 
communication uses electrical characteristics such as voltage and 
current or other established industrial communications protocols. 

* Host computers are the central point of monitoring and control. The 
host computer is where a human operator can supervise the process, 
receive alarms, review data, and exercise control. In some cases the 
host computer has logic programmed into it to provide control over the 
local processors. The host computer may be called the master terminal 
unit, the SCADA server, or a personal computer. 

* Long-range communication consists of the communication between the 
local processors and host computers. This communication typically 
covers miles using methods such as leased phone lines, satellite, 
microwave, and cellular packet data. 

Figure 3 illustrates the major components of a SCADA system and Figure 
4 illustrates how these components would be distributed in a typical 
water utility. 

Figure 3: Major Components of a SCADA System: 

This is an illustration of the major components of a SCADA system:  

* Host computers;
* Long-range communication; 
* Local processors; 
* Short-range communication; 
* Instruments; 
* Operating equipment.  

Source: GAO.  

[End of figure]  

These components can be adapted to perform specific functions in many 
industrial sectors. For example, the following graphic shows the 
application of these components in a water treatment and distribution 
system. 

Figure 4: Components of a Control System in a Water Treatment and 
Distribution Facility:  

[See PDF for image]  

This is an illustration of the components of a control system in a 
water treatment and distribution facility:  

* Reservoir; 
* Central control station; 
- Host computers; 
- Long-range communication; 
- Internet;
* Water treatment plant; 
-Short-range communication; 
* Pumping station; 
- Operating equipment; 
- Instruments; 
- Local processors; 
* End use.  

Source: GAO.  

[End of figure]  

The Federal Government Plays a Critical Role in Helping Secure Critical 
Infrastructures and Their Control Systems: 

Federal law and policies call for critical infrastructure protection 
activities to enhance the cyber and physical security of both public 
and private infrastructures that are essential to national security, 
national economic security, and national public health and 
safety.[Footnote 3] Federal policy designates certain federal agencies 
as lead points of contact for each key critical infrastructure sector 
(see table 1). Further, it assigns agencies responsibility for 
infrastructure protection activities in their assigned sectors and for 
coordination with other relevant federal agencies, state and local 
governments, and the private sector. In addition, federal policy 
establishes DHS as the focal point for the security of cyberspace-- 
including analysis, warning, information sharing, vulnerability 
reduction, mitigation, and recovery efforts for public and private 
critical infrastructure information systems. To accomplish this 
mission, DHS is to work with other federal agencies, state and local 
governments, and the private sector. 

Table 1: Critical Infrastructure Sectors and Designated Sector-Specific 
Agencies: 

Sector: Agriculture and food; 
Sector-specific agency: Department of Agriculture, Department of Health 
and Human Services, Food and Drug Administration[A]. 

Sector: Banking and finance; 
Sector-specific agency: Department of the Treasury. 

Sector: Chemical; 
Sector-specific agency: Department of Homeland Security. 

Sector: Commercial facilities; 
Sector-specific agency: Department of Homeland Security. 

Sector: Commercial nuclear reactors, materials, and waste; 
Sector-specific agency: Department of Homeland Security. 

Sector: Dams; 
Sector-specific agency: Department of Homeland Security. 

Sector: Defense industrial base; 
Sector-specific agency: Department of Defense. 

Sector: Drinking water and water treatment systems; 
Sector-specific agency: Environmental Protection Agency. 

Sector: Emergency services; 
Sector-specific agency: Department of Homeland Security. 

Sector: Energy; 
Sector-specific agency: Department of Energy. 

Sector: Government facilities; 
Sector-specific agency: Department of Homeland Security. 

Sector: Information technology; 
Sector-specific agency: Department of Homeland Security. 

Sector: National monuments and icons; 
Sector-specific agency: Department of the Interior. 

Sector: Postal and shipping; 
Sector-specific agency: Department of Homeland Security. 

Sector: Public health and health care; 
Sector-specific agency: Department of Health and Human Services. 

Sector: Telecommunications; 
Sector-specific agency: Department of Homeland Security. 

Sector: Transportation systems; 
Sector-specific agency: Department of Homeland Security.  

Source: The National Infrastructure Protection Plan, Homeland Security 
Presidential Directive 7, and the National Strategy for Homeland 
Security. 

[A] The Department of Agriculture is responsible for food (including 
meat, poultry, and eggs) and agriculture; and the Department of Health 
and Human Services, Food and Drug Administration, is responsible for 
food other than meat, poultry, and egg products. 

[End of table] 

Several key federal plans focus on securing critical infrastructure 
control systems. The cyberspace strategy [Footnote 4] calls for DHS and 
DOE to work in partnership with industry to develop best practices and 
new technology to increase the security of critical infrastructure 
control systems, to determine the most critical control systems-related 
sites, and to develop a prioritized plan for short-term cybersecurity 
improvements for those sites. In addition, DHS's National 
Infrastructure Protection Plan[Footnote 5] specifically identifies 
control systems as part of the cyber infrastructure, establishes an 
objective of reducing vulnerabilities and minimizing severity of 
attacks on these systems, and identifies programs directed at 
protecting control systems. Further, in May 2007, the critical 
infrastructure sectors issued sector-specific plans to supplement the 
National Infrastructure Protection Plan. Twelve sectors, including the 
chemical, energy, water, information technology, postal, emergency 
services, and telecommunications sectors, identified control systems 
within their respective sectors. Of these, most identified control 
systems as critical to their sector and listed efforts under way to 
help secure them. 

Critical Infrastructure Control Systems Face Increasing Risks Due to 
Cyber Threats, Vulnerabilities, and the Potentially Serious Impact of 
an Attack: 

Critical infrastructure control systems face increasing risks due to 
cyber threats, system vulnerabilities, and the potentially serious 
impact of an attack as demonstrated by reported incidents. Cyber 
threats can be unintentional or intentional, targeted or nontargeted, 
and can come from a foreign, domestic, or inside source. Control 
systems can have vulnerabilities that make them susceptible to cyber 
attacks, including the increased connectivity of control systems to 
other systems and the Internet. Further, based on past events, the 
impact of a control systems incident on a critical infrastructure could 
be substantial. 

Critical Infrastructures Face Multiple Cyber Threats: 

Cyber threats can be unintentional and intentional, targeted or 
nontargeted, and can come from a variety of sources. Unintentional 
threats can be caused by software upgrades or maintenance procedures 
that inadvertently disrupt systems. Intentional threats include both 
targeted and nontargeted attacks. A targeted attack is when a group or 
individual specifically attacks a critical infrastructure system. A 
nontargeted attack occurs when the intended target of the attack is 
uncertain, such as when a virus, worm, or malware[Footnote 6] is 
released on the Internet with no specific target. 

There is increasing concern among both government officials and 
industry experts regarding the potential for a cyber attack on a 
national critical infrastructure, including the infrastructure's 
control systems. The Federal Bureau of Investigation has identified 
multiple sources of threats to our nation's critical infrastructures, 
including foreign nation states engaged in information warfare, 
domestic criminals and hackers, and disgruntled employees working 
within an organization. Table 2 summarizes those groups or individuals 
that are considered to be key sources of threats to our nation's 
infrastructures. 

Table 2: Sources of Cyber Threats to Critical Infrastructures: 

Threat source: Criminal groups; 
Description: There is an increased use of cyber intrusions by criminal 
groups that attack systems for monetary gain.  

Threat source: Foreign nation states; 
Description: Foreign intelligence services use cyber tools as part of 
their information gathering and espionage activities. Also, several 
nations are aggressively working to develop information warfare 
doctrine, programs, and capabilities. Such capabilities enable a single 
entity to have a significant and serious impact by disrupting the 
supply, communications, and economic infrastructures that support 
military power--impacts that, according to the Director of the Central 
Intelligence Agency, can affect the daily lives of Americans across the 
country.[A].  

Threat source: Hackers; 
Description: Hackers sometimes crack into networks for the thrill of 
the challenge or for bragging rights in the hacker community. While 
remote cracking once required a fair amount of skill or computer 
knowledge, hackers can now download attack scripts and protocols from 
the Internet and launch them against victim sites. Thus, attack tools 
have become more sophisticated and easier to use.  

Threat source: Hacktivists; 
Description: Hacktivism refers to politically motivated attacks on 
publicly accessible Web pages or e-mail servers. These groups and 
individuals overload e-mail servers and hack into Web sites to send a 
political message.  

Threat source: Disgruntled insiders; 
Description: The disgruntled insider, working from within an 
organization, is a principal source of computer crimes. Insiders may 
not need a great deal of knowledge about computer intrusions because 
their knowledge of a victim system often allows them to gain 
unrestricted access to cause damage to the system or to steal system 
data. The insider threat also includes contractor personnel.  

Threat source: Terrorists; 
Description: Terrorists seek to destroy, incapacitate, or exploit 
critical infrastructures to threaten national security, cause mass 
casualties, weaken the U.S. economy, and damage public morale and 
confidence. However, traditional terrorist adversaries of the United 
States are less developed in their computer network capabilities than 
other adversaries. Terrorists likely pose a limited cyber threat. The 
Central Intelligence Agency believes terrorists will stay focused on 
traditional attack methods, but it anticipates growing cyber threats as 
a more technically competent generation enters the ranks.  

Threat source: Virus writers; 
Description: Virus writers are posing an increasingly serious threat. 
Several destructive computer viruses and worms have harmed files and 
hard drives, including the Melissa macro virus, the Explore.Zip worm, 
the CIH (Chernobyl) virus, Nimda, and Code Red.  

Source: Federal Bureau of Investigation, unless otherwise indicated. 

[A] Prepared statement of George J. Tenet, Director of Central 
Intelligence, before the Senate Select Committee on Intelligence, 
February 2, 2000. 

[End of table]  

Control Systems Are Vulnerable to Cyber Attacks: 

Control systems are vulnerable to flaws or weaknesses in system 
security procedures, design, implementation, and internal controls. 
When these weaknesses are accidentally triggered or intentionally 
exploited, they could result in a security breach. Vulnerabilities 
could occur in control systems' policies, platform (including hardware, 
operating systems, and control system applications), or networks. 

Federal and industry experts believe that critical infrastructure 
control systems are more vulnerable today than in the past. Reasons 
include the increased standardization of technologies, the increased 
connectivity of control systems to other computer networks and the 
Internet, insecure connections, and the widespread availability of 
technical information about control systems. Further, it is not 
uncommon for control systems to be configured with remote access 
through either a dial-up modem or over the Internet to allow remote 
maintenance or around-the-clock monitoring. If control systems are not 
properly secured, individuals and organizations may eavesdrop on or 
interfere with these operations from remote locations. 

Reported Control Systems Incidents Reveal the Potential for Substantial 
Impact: 

Reported attacks and unintentional incidents involving critical 
infrastructure control systems demonstrate that a serious attack could 
be devastating. Although there is not a comprehensive source for 
incident reporting, the following attacks, reported in government and 
media sources,[Footnote 7] demonstrate the potential impact of an 
attack. 

* Worcester air traffic communications. In March 1997, a teenager in 
Worcester, Massachusetts, disabled part of the telephone network using 
a dial-up modem connected to the system. This disabled phone service to 
the airport control tower, airport security, the airport fire 
department, the weather service, and the carriers that use the airport. 
Also, the tower's main radio transmitter and another transmitter that 
activates runway lights were shut down, as well as a printer that 
controllers use to monitor flight progress. The attack also disrupted 
phone service to 600 homes in a nearby town. 

* Maroochy Shire sewage spill. In the spring of 2000, a former employee 
of an Australian organization that develops manufacturing software 
applied for a job with the local government, but was rejected. Over a 2-
month period, this individual reportedly used a radio transmitter on as 
many as 46 occasions to remotely break into the controls of a sewage 
treatment system. He altered electronic data for particular sewerage 
pumping stations and caused malfunctions in their operations, 
ultimately releasing about 264,000 gallons of raw sewage into nearby 
rivers and parks. 

* Los Angeles traffic lights. According to several published reports, 
in August 2006, two Los Angeles city employees hacked into computers 
controlling the city's traffic lights and disrupted signal lights at 
four intersections, causing substantial backups and delays. The attacks 
were launched prior to an anticipated labor protest by the employees. 

In addition, the following incidents illustrate the consequences of 
nontargeted attacks and unintentional incidents on critical 
infrastructure control systems. According to experts, incidents such as 
these could also be triggered by a targeted attack. 

* CSX train signaling system. In August 2003, the Sobig computer virus 
was blamed for shutting down train signaling systems throughout the 
East Coast of the United States. The virus infected the computer system 
at CSX Corporation's Jacksonville, Florida, headquarters, shutting down 
signaling, dispatching, and other systems. According to an Amtrak 
spokesman, 10 Amtrak trains were affected. Train service was either 
shut down or delayed up to 6 hours. 

* Davis-Besse power plant. The Nuclear Regulatory Commission confirmed 
that in January 2003, the Microsoft SQL Server worm known as Slammer 
infected a private computer network at the idled Davis-Besse nuclear 
power plant in Oak Harbor, Ohio, disabling a safety monitoring system 
for nearly 5 hours. In addition, the plant's process computer failed, 
and it took about 6 hours for it to become available again. 

* Northeast power blackout. In August 2003, failure of the alarm 
processor in the control system of FirstEnergy, an Ohio-based electric 
utility, prevented control room operators from having adequate 
situational awareness of critical operational changes to the electrical 
grid. This problem was compounded when the state estimating program at 
the Midwest Independent System Operator failed due to incomplete 
information on the electric grid. When several key transmission lines 
in northern Ohio tripped due to contact with trees, they initiated a 
cascading failure of 508 generating units at 265 power plants across 
eight states and a Canadian province. 

* Zotob worm. In August 2005, a round of Internet worm infections 
knocked 13 of Daimler Chrysler's U.S. automobile manufacturing plants 
offline for almost an hour, leaving workers idle as infected Microsoft 
Windows systems were patched. Zotob and its variations also caused 
computer outages at heavy-equipment maker Caterpillar Inc., aircraft 
maker Boeing, and several large U.S. news organizations. 

* Taum Sauk Water Storage Dam failure. In December 2005, the Taum Sauk 
Water Storage Dam, approximately 100 miles south of St. Louis, 
Missouri, suffered a catastrophic failure, releasing a billion gallons 
of water. According to the dam's operator, the incident may have 
occurred because the gauges at the dam read differently than the gauges 
at the dam's remote monitoring station. 

* Bellingham, Washington, gasoline pipeline failure. In June 1999, 
237,000 gallons of gasoline leaked from a 16-inch pipeline and ignited 
an hour and a half later, causing three deaths, eight injuries, and 
extensive property damage. The pipeline failure was exacerbated by 
poorly performing control systems that limited the ability of the 
pipeline controllers to see and react to the situation. 

* Harrisburg, Pennsylvania, water system. In October 2006, a foreign 
hacker penetrated security at a water filtering plant. The intruder 
planted malicious software that was capable of affecting the plant's 
water treatment operations. The infection occurred through the Internet 
and did not seem to be an attack that directly targeted the control 
system. 

* Browns Ferry power plant. In August 2006, two circulation pumps at 
Unit 3 of the Browns Ferry, Alabama, nuclear power plant failed, 
forcing the unit to be shut down manually. The failure of the pumps was 
traced to excessive traffic on the control system network, possibly 
caused by the failure of another control system device.  

As control systems become increasingly interconnected with other 
networks and the Internet, and as the system capabilities continue to 
increase, so do the threats, potential vulnerabilities, types of 
attacks, and consequences of compromising these critical systems. 

Critical Infrastructure Owners Face Technical and Organizational 
Challenges to Securing Control Systems: 

Critical infrastructure owners face both technical and organizational 
challenges in securing their control systems. Technical challenges-- 
including control systems' limited processing capabilities and their 
real-time operations--hinder infrastructure owners' ability to 
implement traditional information security technologies and practices. 
Organizational challenges include the lack of a compelling business 
case to improve security and a reluctance to share information 
regarding incidents. 

Technical Challenges Hinder Use of Traditional Information Security 
Measures for Control Systems: 

According to industry experts, existing information security 
technologies and practices--such as strong user authentication and 
patch management--are generally not implemented in control systems due 
to several technical issues, including limited computational processing 
capabilities, the need for real-time operation, and the lack of 
consideration of cybersecurity in the original design of the system. 
These challenges are described here in more detail. 

Limited computational capabilities. Existing security technologies-- 
such as authorization, authentication, encryption, intrusion detection, 
and filtering of network traffic and communications--require more 
bandwidth, processing power, and memory than control system components 
typically have. Controller stations are generally designed to do 
specific tasks, and they often use low-cost, resource-constrained 
microprocessors. In addition, passwords and other data from control 
systems are often transmitted in a plain, unencrypted format. 
Encrypting this data could overload the processing abilities of the 
control system. 

Need for real-time operations. Complex passwords and other strong 
password practices are not always used to prevent unauthorized access 
to control systems, in part because they could hinder the operator's 
ability to respond rapidly during an emergency. As a result, according 
to security experts, weak passwords that are easy to guess, and shared 
and infrequently changed, are common in control systems. Some even use 
default passwords or no password at all. 

Design limitations. Historically, control systems vendors did not 
design their products with security in mind, although recently vendors 
have begun including more security-related features in their products. 
In addition, although modern control systems are based on standard 
operating systems, they are typically customized to support control 
system applications. Consequently, software patches may either be 
incompatible with the customized version of the operating system or 
difficult to implement without compromising service by shutting down 
"always-on" systems or affecting interdependent operations. 

Table 3 illustrates the technical challenges in securing control 
systems by contrasting them with conventional information technology 
(IT) systems. 

Table 3: Comparing IT Systems to Control Systems Illustrates Security 
Challenges: 

System characteristic: Performance requirements; 
Information technology system: 
* Generally not real time; 
* Response must be consistent; 
* High throughput is demanded; 
* Delay may be acceptable; 
Control system: 
* Real time; 
* Response is time critical; 
* Modest throughput is acceptable; 
* Delay is a serious concern; 
Security challenge for control systems: Real-time operations: The 
security solution should not delay system response time.  

System characteristic: Availability requirements;
Information technology system: 
* Responses such as rebooting are acceptable; 
* Availability deficiencies can often be tolerated, depending on the 
system's operational requirements;
Control system: 
* Responses such as rebooting may not be acceptable because of process 
availability requirements; 
* Outages must be planned and scheduled days/weeks in advance; 
* High availability requires exhaustive predeployment testing;
Security challenge for control systems: Design limitations: The 
security solution should not require rebooting or cause unplanned 
outages.  

System characteristic: Risk management requirements; 
Information technology system: 
* Data confidentiality and integrity are paramount; 
* Fault tolerance is less important-momentary downtime is not a major 
risk; 
* Major risk impact is delay of business operations;
Control system: 
* Human safety is paramount, followed by protection of the process; 
* Fault tolerance is essential: even momentary downtime is not 
acceptable; 
* Major risk impact is regulatory noncompliance or loss of life, 
equipment, or production;
Security challenge for control systems: Design limitations: The 
security solution should not impose unacceptable risk by endangering 
lives or affecting the process being controlled; the security solution 
should not cause downtime.  

System characteristic: Time-critical interaction; 
Information technology system: 
* Less critical emergency interaction; 
* Tightly restricted access control can be implemented to the degree 
necessary;
Control system: 
* Response to human and other emergency interaction is critical; 
* Access to control system should be strictly controlled, yet not 
hamper human-machine interaction; 
Security challenge for control systems: Real-time operations: Increased 
security of stringent access controls must be balanced against the need 
for fast response times in emergencies.  

System characteristic: System operation; 
Information technology system: 
* Systems are designed for use with typical operating systems; 
* Upgrades are straightforward with the availability of automated 
deployment tools; 
Control system: 
* Differing and custom operating systems often do not have security 
capabilities; 
* Software changes must be carefully made, usually by software vendors, 
because of the specialized control algorithms and perhaps modified 
hardware and software involved;
Security challenge for control systems: Design limitation: Additional 
testing and modification of off-the-shelf products may be required; 
additional time may be required for vendors to implement upgrades.  

System characteristic: Resource constraints; 
Information technology system: 
* Systems are specified with enough resources to support the addition 
of third party applications such as security solutions; 
Control system: 
* Systems are designed to support the intended industrial process, with 
minimal memory and computing resources to support the addition of 
security technology; 
Security challenge for control systems: Processing capabilities: It is 
more difficult to add additional security technology or processes to 
control systems.  

System characteristic: Communications; 
Information technology system: 
* Standard communications protocols; 
* Primarily wired networks with some localized wireless capabilities; 
* Typical IT networking practices; 
Control system: 
* Many proprietary and standard communication protocols; 
* Several types of communications media used including dedicated wire 
and wireless (radio and satellite); 
* Networks are complex and sometimes require the expertise of control 
engineers; 
Security challenge for control systems: Design limitation: Standard IT 
solutions may not operate on control system networks.  

System characteristic: Change management; 
Information technology system: 
* Software changes are applied in a timely fashion in the presence of 
good security policies and procedures. The procedures are often 
automated; 
Control system: 
* Software changes must be thoroughly tested and deployed incrementally 
throughout a system to ensure that the integrity of the control system 
is maintained; 
* Control system outages often must be planned and scheduled days/weeks 
in advance; 
Security challenge for control systems: Real-time operations: 
Additional planning, testing, and slower deployment are required when 
implementing security solutions.  

System characteristic: Managed support; 
Information technology system: 
* Allow for diversified support methods; 
Control system: 
* Service support is usually via a single vendor; 
Security challenge for control systems: Design limitations: Solutions 
may be limited to those provided or supported by vendor.  

System characteristic: Component lifetime; 
Information technology system: 
* Lifetime on the order of 3-5 years;
Control system: 
* Lifetime on the order of 15-20 years; 
Security challenge for control systems: Design limitation: Security 
solution should not become obsolete quickly.  

System characteristic: Access to components; 
Information technology system: 
* Components are usually local and easy to access; 
Control system: 
* Components can be isolated, remote, and require extensive physical 
effort to gain access to them; 
Security challenge for control systems: Design limitation: Additional 
time and effort required to access network components.  

Source: GAO analysis of NIST, Guide to Supervisory Control and Data 
Acquisition (SCADA) and Industrial Control Systems Security, Special 
Publication 800-82 (Initial Public Draft). 

[End of table] 

Organizational Issues Pose Challenges to Securing Control Systems: 

In addition to the technical challenges of securing control systems, 
critical infrastructure owners face organizational challenges in 
securing control systems, including difficulty in developing a 
compelling business case for improving control systems security, a 
reluctance to share information on control system incidents (which 
could help build a business case), and the division of technical 
responsibilities within an organization. 

Experts and industry representatives reported that organizations may be 
reluctant to devote resources to securing control systems. These 
resources include money, personnel, training, and the early replacement 
of equipment that may have been originally designed to last 20 years or 
more. Until industry users of control systems have a business case to 
justify why additional security is needed, there may be little market 
incentive for the private sector to develop and implement more secure 
control systems. 

Another challenge is the reluctance to share information on control 
systems incidents and the resulting lack of attention to this risk. 
While incidents and attacks on critical infrastructure control systems 
have occurred, to date there is no authoritative, centralized process 
for collecting and analyzing information about control systems 
incidents. Experts we interviewed stated that companies are reluctant 
to share details of incidents due to factors such as legal liability 
and impact on their reputation. Several experts stated that they 
believed incidents were occurring, but are not being reported by 
industry. One expert suggested that since there have been no reports of 
significant disruptions caused by cyber attacks on U.S. control 
systems, industry representatives may believe the threat of such an 
attack is low. We have previously recommended that the government work 
with the private sector to improve the quality and quantity of 
information being shared among industries and government about attacks 
on the nation's critical infrastructures.[Footnote 8] 

Another challenge involves the way security responsibilities are 
structured within organizations that use control systems. Several 
experts and industry representatives stated that two separate groups 
often have responsibility for securing control systems: (1) IT security 
personnel and (2) control system engineers and operators. IT security 
personnel focus on securing enterprise systems, while control system 
engineers and operators focus on the reliable performance of their 
control systems. Because each has a different focus, the two groups 
face challenges in collaborating to implement secure control systems. 
For example, IT security personnel may be unaware of the special 
requirements of a control system and the control systems personnel may 
be unaware of the full range of security technologies that may be 
available. 

Certain challenges are inherent to control systems. However, according 
to experts, many of these challenges can be addressed by both the 
private and public sectors through proper implementation of existing 
technology, development of new technologies, and implementation of 
organizational policies and procedures and training. 

The Private Sector Has Multiple Initiatives Under Way to Help Secure 
Control Systems: 

Industry-specific organizations in various sectors, including the 
electricity, chemical, oil and gas, and water sectors, have initiatives 
under way to help improve control system security. These initiatives 
include developing standards, publishing guidance, and hosting 
workshops. 

Electricity: 

The electricity system of the United States and Canada has more than $1 
trillion in asset value, more than 200,000 miles of transmission lines, 
and more than 800,000 megawatts of generating capability serving over 
300 million people. The effective functioning of this infrastructure is 
highly dependent on control systems. As a result, private sector 
organizations in the electricity sector have several activities under 
way related to control systems security, including establishing 
mandatory reliability standards, developing guidelines for compliance 
with these standards, hosting workshops, and other activities. See 
table 4 for a description of key control systems security initiatives 
in the electricity sector. 

Table 4: Key Control System Security Initiatives in the Electricity 
Sector: 

Organization: North American Electric Reliability Corporation (NERC); 
NERC's mission is to ensure that the major transmission components of 
the electric system in North America are reliable, adequate, and 
secure. It is a self-regulatory organization that sets standards for 
the reliable operation and planning of the major transmission 
components of the electric system and monitors, assesses, and enforces 
compliance with those standards. 
Initiative: NERC promotes the development of a new mandatory system of 
reliability standards, authorized by the Federal Energy Regulatory 
Commission. The standards are meant to apply to systems such as control 
systems that, if compromised, could cause a threat to the large-scale 
power distribution system. The Energy Policy Act of 2005 established a 
process through which NERC is authorized to enforce compliance with 
these reliability standards.[A] NERC began implementing cybersecurity 
reliability standards that apply to control systems in June 2007. 
Electric utilities must be fully compliant with the standards by 2010.  

Organization: Electric Power Research Institute; 
The institute is an independent nonprofit center for energy and 
environmental research. It brings together members, participants, the 
institute's scientists and engineers, and other experts to work on 
solutions to the challenges of electric power. Its members represent 
over 90 percent of the electricity generated in the United States. 
Initiative: The institute has released guidelines on control systems 
security, including a report in 2003 and another in 2005. A recent 
institute report, Compliance Guidelines for Cyber Security Reliability 
Standards-2006 Update, provides information, recommendations, and tools 
to help the electric power industry comply with the mandatory NERC 
cybersecurity reliability standards. The institute is currently 
developing a tool to help asset managers create better business cases 
for control system security technology. According to a manager of the 
institute's CIP efforts, the institute also: 
* has a forum that meets about three times per year during which its 
members discuss cybersecurity incidents, including those related to 
control systems; 
* performs research on policies and procedures for securing control 
systems, but has not been able to develop security technology for 
control systems given current funding levels (the institute's security 
research has included various reviews of SCADA systems, determining how 
to secure certain products that are being used by the electric power 
industry, reviewing how a facility could recognize and recover from a 
control systems attack, and studying the use of wireless technology for 
SCADA systems and the inherent security risks); and; 
* has worked on control systems-related projects with the national 
laboratories, and has collaborated with DOE. For example, in 2006, the 
institute worked with the Pacific Northwest National Laboratory to 
identify the risks and vulnerabilities associated with using broadband 
communications for control systems and to develop mitigation 
strategies. According to a laboratory official, the institute and the 
laboratory are currently working on a project on electric power 
utilities' use of wireless technologies. The project is to produce two 
papers addressing best practices for wireless deployment in the 
electric sector, and guidelines for securing wireless networks, 
training personnel, and securely integrating wireless and wired 
networks.  

Organization: Institute of Electrical and Electronics Engineers; 
The institute is responsible for developing international standards for 
telecommunications, IT, and power generation products and services.
Initiative: The Institute of Electrical and Electronics Engineers has 
several working groups that address issues related to control systems 
security in the electric power industry. Some of these work groups are 
developing standards for defining, specifying, and analyzing control 
systems. For example, the institute is developing P1689, a standard for 
retrofitting cybersecurity to various communications links in a control 
system, and P1711, a cryptographic standard for the same links. The 
institute is also developing P1686, which will define the functions and 
features to be provided in substation intelligent electronic devices to 
accommodate critical infrastructure protection programs.  

Organization: International Electrotechnical Commission; 
The commission prepares and publishes international standards for all 
electrical, electronic, and related technologies. World Trade 
Organization agreements permit use of these standards in international 
trade. 
Initiative: The commission's Technical Committee 57 is working to 
develop standards for control systems and control system components of 
power transmission and distribution systems, including communications 
and end devices called remote terminal units. It is also establishing 
data and communications security and communications standards for 
substations. The commission's Technical Committee 65 is chartered to 
produce standards in the area of industrial process measurement and 
control. Working Group 10 of the committee is developing commission 
standard 62443, which is a three-part standard that will address 
network and system cybersecurity of industrial process measurement and 
control systems.  

Source: GAO analysis of information provided by North America Electric 
Reliability Corporation, interviews with Federal Energy Regulatory 
Commission officials, Electric Power Research Institute, Institute of 
Electrical and Electronics Engineers, and the International 
Electrotechnical Commission. 

[A] Pub. L. No. 109-58, sec. 1211 (Aug. 8, 2005), 16 U.S.C. ï¿½ 824o 
(2006).  

[End of table] 

Chemical: 

Control systems are used to monitor and control processes within the 
chemical industry. A $460 billion critical infrastructure sector, the 
chemical industry contributes nearly 3 percent of the U.S. gross 
domestic product and generates 6.2 million jobs. Chemical reactors may 
use control systems to produce chemicals or regulate temperatures 
within the production process. 

The American Chemistry Council is a trade association that represents 
major companies in the U.S. chemical manufacturing sector. The council 
supports research and initiatives related to federal regulation on 
health, safety, security, and the environment. 

The council established a Chemical Sector Cyber Security Program in 
2002 to facilitate implementation of the Chemical Sector Cyber Security 
Strategy. Updated in 2006, the strategy, as well as the Guidance for 
Addressing Cyber Security in the Chemical Industry, addresses 
manufacturing and control system security efforts and guidance on how 
to secure these systems. Further, within the cybersecurity program, the 
Manufacturing and Control Systems Security Work Team was developed to 
collect, identify, and facilitate the use of practices for securing 
manufacturing and control systems and to establish a network of 
manufacturing and control systems subject matter experts. 

Oil and Gas: 

The United States has more than 2 million miles of pipelines delivering 
oil and natural gas. In 2005, the consumption of natural gas totaled 
about 22,000 billion cubic feet, and in the United States, 20,802,000 
barrels of petroleum were consumed per day. Both the gas and oil 
industries use control systems for process management and monitoring 
purposes. Employing integrated control systems, these industries can 
control the refining operations at a plant site, remotely monitor the 
pressure and flow of gas pipelines, and control the flow and pathways 
of gas transmissions. The sector-specific plan for the energy sector 
(which includes oil and gas) includes a discussion of selected control 
systems security efforts within the sector. The oil and gas sector has 
multiple control systems security activities under way, in particular, 
standards relating to security of control systems. See table 6 for a 
description of key control systems security efforts in the oil and gas 
sector. 

Table 5: Key Control System Security Initiatives in the Oil and Gas 
Sector: 

Organization: American Gas Association; 
A trade organization that advocates for local natural gas utility 
companies and provides a broad range of programs and services for 
member natural gas pipelines, marketers, international gas companies, 
and industry associates. 
Initiative: The American Gas Association's Automation and 
Telecommunication and Gas Control committees supported the development 
of a report that would recommend how to apply encryption to protect gas 
utility control systems. A task group was organized to develop Standard 
AGA Report No.12, Cryptographic Protection of SCADA Communications, 
which consists of four parts. The first part, Background, Policies, and 
Test Plan, published in March 2006, is intended to serve as a guideline 
for voluntary implementation of a comprehensive cybersecurity posture. 
This report sets up the risk assessment process and allows owners and 
operators to determine if encryption is a good security practice for 
their control systems. The second part, Retrofit Link Encryption for 
Asynchronous Serial Communications, has not yet been finalized. This 
part contains functional requirements and details technical 
specifications for AGA-12 compliant retrofit devices used in control 
systems. Both the third and fourth parts have not yet been developed. 
The third part, Protection of Networked Systems, is to focus on high-
speed communication systems for control systems, including the 
Internet. The final part, Protection Embedded in SCADA Components, is 
to focus on protecting control systems by incorporating cryptography 
into system components at the time of manufacture. The second, third, 
and fourth parts of this report are expected to be developed under the 
leadership and technical expertise of the Gas Technology Institute with 
user input from the membership of the American Gas Association.  

Organization: American Petroleum Institute; 
A national trade association for America's oil and natural gas 
industry. The institute's corporate members include various segments of 
the oil industry, such as producers, refiners, suppliers, pipeline 
operators and marine transporters, as well as service and supply 
companies that support all segments of the industry; 
Initiative: The institute published standard 1164, Pipeline SCADA 
Security, in September 2004. This standard provides guidance to the 
operators of oil and gas liquid pipeline systems for managing critical 
infrastructure control systems integrity and security. This guideline 
is specifically designed to provide the operators with a description of 
industry practices in critical infrastructure control systems security 
and to provide the framework needed to develop sound security practices 
within the operator's individual companies. The institute published 
standard 1165, Recommended Practice for Pipeline SCADA Displays, in 
January 2007. This recommended practice focuses on the design and 
implementation of displays used for displaying, monitoring, and 
controlling information on pipeline control systems.  

Source: GAO analysis of information provided by American Gas 
Association, Interview with Department of Energy officials, American 
Petroleum Institute. 

[End of table] 

Water: 

The water sector includes drinking water and water treatment systems. 
The sector's infrastructures are diverse, complex, and distributed, 
ranging from systems that serve a few customers to those that serve 
millions. The sector includes about 150,000 water, wastewater, and 
storm water organizations; federal water offices at the national, 
regional, and state levels belonging to several agencies; some 100 
state water agency organizations; and many other local government water 
organizations. Members of the water sector have worked with the 
Environmental Protection Agency on development of the Water Sector- 
Specific Plan, which includes some efforts on control systems security. 
Members of the water sector are also participating in the Process 
Control Security Forum's activities. See table 7 for a list of key 
control system security initiatives by various organizations in the 
water sector. 

Table 6: Key Control System Security Initiatives in the Water Sector: 

Organization: Awwa Research Foundation; 
An international nonprofit organization that sponsors research to 
enable water utilities, public health agencies, and other professionals 
to provide safe and affordable drinking water to consumers. 
Initiative: The foundation is currently working on two research 
projects. The first is the Cryptographic Protection of SCADA 
Communications for Water Systems #2969, which will develop a standard 
suite of equations and protocols to provide cybersecurity for water 
utility SCADA systems. The second, which is in collaboration with DHS, 
is the Control Systems Cyber Security Self Assessment Tool #3045, which 
is to identify, organize, prioritize, and describe the most probable 
electronic security threats; risks associated with vulnerabilities, 
available prevention technology, best practices, and critical areas of 
uncertainty. In 2002, the foundation developed a vulnerability 
assessment methodology for large drinking water utilities to assist 
them in meeting federally mandated vulnerability assessments. Now that 
deadlines for vulnerability assessments have passed, utilities may 
still use the methodology to develop emergency response plans. The 
methodology has also been adapted for use at small and medium-sized 
utilities.  

Organization: Association of Metropolitan Water Agencies; 
An organization of the largest publicly owned drinking water systems in 
the United States. The association collects and exchanges management, 
security, legislative, and technical information to support competitive 
utility operations, effective utility leadership, safe and secure water 
supplies, and effective public communication on drinking water quality. 
Initiative: The association served as the U.S. EPA-designated liaison 
between the water sector and the federal government on critical 
infrastructure protection and currently operates the Water Information 
Sharing and Analysis Center and the Water Security Channel. The Water 
Information Sharing and Analysis Center offers a secure database, 
expert analysis, information gathering, and the rapid distribution of 
reports and government alerts about threats to America's drinking water 
and wastewater utilities, including control systems. The center went 
online in December 2002. The Water Security Channel is a free service 
of the center designed to disseminate security information to the 
broadest wastewater and drinking water community, including information 
about control systems security issues. Members of the association have 
held workshops, events, formed committees, and written papers that deal 
with cyber and control systems security.  

Source: American Water Works Association, Association of Metropolitan 
Water Agencies. 

[End of table] 

Other Organizations: 

Other organizations are working on efforts to improve control systems 
security that are not sector-specific. The organization formerly known 
as the Instrumentation, Systems, and Automation Society, and now called 
ISA, is currently working on control systems security efforts, and 
InfraGard, a nonprofit organization associated with the Federal Bureau 
of Investigation, has recently started a control systems-related 
effort. See table 8 for a description of these initiatives. 

Table 7: Control System Security Initiatives that Affect Multiple 
Sectors: 

Organization: ISA (formerly the Instrumentation, Systems, and 
Automation Society); 
The society develops standards, certifies industry professionals, 
provides education and training, and publishes books and technical 
articles. 
Initiative: The society's industrial automation and control systems' 
Security Standards Committee is composed of representatives from many 
industries, including water/wastewater, fossil fuels, nuclear energy, 
food and beverages, pharmaceuticals, chemicals, petrochemicals, U.S. 
government labs and organizations, and automotive and educational 
institutions. The committee intends to establish standards, recommend 
practices, and develop technical reports and related information that 
will define procedures for implementing electronically secure 
industrial automation and control systems and security practices and 
assess electronic security performance. The committee has finished two 
technical reports. One report documents the current state of 
cybersecurity technologies as they are applied to the control systems 
environment to clearly define what can reasonably be deployed today and 
to define areas where more research is needed. A second report presents 
an approach for developing, implementing, and operating a program that 
addresses security for control systems. The committee is currently 
working on a standard to establish and operate an industrial automation 
and control systems security program and specific security requirements 
for industrial automation and control systems. The first part deals 
with terminology and has been approved by the society. The second part 
deals with establishing a security program and is currently awaiting 
approval by the committee. The third part deals with operating the 
program and has not been started. The fourth part deals with technical 
security requirements and was started in October 2006. The committee 
has also recently started a related working group on patch management.  

Organization: InfraGard/SCADAGard; 
InfraGard is a nonprofit organization associated with the Federal 
Bureau of Investigation. The program consists of 86 regional chapters 
with representatives from the public and private sectors. The program 
focuses on activities related to critical infrastructure protection and 
cyber crime. 
Initiative: InfraGard recently established a SCADAGard special interest 
group. According to the head of the group, the group will be used to 
share control systems security information with InfraGard members who 
are control systems vendors, owners, and operators and have previously 
been vetted by the Federal Bureau of Investigation.  

Source: GAO analysis of information provided by ISA and InfraGard. 

[End of table] 

Federal Agencies Have Multiple Initiatives to Help Secure Critical 
Infrastructure Control Systems, but More Remains to Be Done: 

Over the past few years, federal agencies--including DHS, DOE, NIST, 
FERC, and others--have initiated efforts to improve the security of 
critical infrastructure control systems. However, DHS has not yet 
established a strategy to coordinate the various control systems 
activities across federal agencies and the private sector. Further, 
more can be done to address specific weaknesses in DHS's ability to 
share information on control systems vulnerabilities. Until DHS 
develops an overarching strategy, there is an increased risk that the 
federal government and private sector will invest in duplicative 
initiatives and miss opportunities to learn from other organization's 
activities. Further, until DHS addresses specific weaknesses in sharing 
information, there is an increased risk that the agency will not be 
able to effectively carry out its responsibility for sharing 
information on vulnerabilities, and that there could be a disruption to 
our nation's critical infrastructures. 

Federal Agencies Have Many Initiatives Under Way, but DHS Lacks a 
Comprehensive Strategy that Delineates Responsibilities and Coordinates 
Activities: 

There are many federal efforts under way to help improve the security 
of critical infrastructure control systems. For example, DHS is 
sponsoring multiple control systems security initiatives across 
critical infrastructure sectors, including a program to improve control 
systems cybersecurity that includes vulnerability reporting and 
response, activities to promote security awareness within the control 
systems community, and efforts to build relationships with control 
systems vendors and infrastructure asset owners. See appendix II for a 
detailed description of DHS's key initiatives and projects involving 
control systems security. 

Additionally, DOE sponsors control systems security efforts within the 
electric, oil, and natural gas industries. These efforts include the 
National SCADA Test Bed Program, which funds testing, assessments, and 
training in control systems security and the development of a road map 
for securing control systems in the energy sector. Also, several of 
DOE's national laboratories play an important role in implementing many 
DHS and DOE efforts and provide support directly to asset owners and 
vendors. For example, the national laboratories perform site 
assessments, test vendor equipment, and conduct outreach and awareness 
activities for infrastructure asset owners and vendors. See appendix 
III for more information on DOE's initiatives. 

Other federal agencies, such as NIST and FERC, have also undertaken 
efforts to help secure control systems. For example, NIST is working 
with federal and industry stakeholders to develop standards, 
guidelines, checklists, and test methods to help secure critical 
control systems, while FERC is working to implement electricity 
reliability standards that address control systems. See appendix IV for 
more information on these and other initiatives. 

Several industry experts we spoke with stated that many federal 
programs in control systems security have been helpful. For example, 
experts stated that developing the road map was a positive step for the 
energy sector. An official who participated in the development of DOE's 
road map stated that the process succeeded in identifying industry 
needs and was a catalyst for bringing agencies and government 
coordinating councils together and that it was a good idea for other 
industries to develop plans similar to the road map. In addition, 
experts we interviewed said the testing and site assessments conducted 
by the national laboratories for DHS and DOE made individual products 
more secure and helped improve overall attention to control systems 
security. 

However, the federal government does not yet have an overall strategy 
for guiding and coordinating control systems security efforts across 
the multiple agencies and sectors. To evaluate activities related to 
critical infrastructure protection, we developed a risk management 
framework for protecting critical infrastructures based on the 
standards and practices of leading organizations.[Footnote 9] The first 
phase of this framework is the development of a strategy that includes 
the goals, objectives, constraints, specific activities, milestones, 
and performance measures needed to achieve a particular end result. In 
2004, we reported that federal agencies, standards organizations, and 
the private sector were leading various initiatives on control systems 
security, but lacked coordination and oversight to effectively improve 
the cybersecurity of the nation's control systems.[Footnote 10] We 
recommended that DHS develop and implement a strategy for coordinating 
control systems security efforts among government agencies and the 
private sector. 

DHS agreed with our recommendation to develop a control systems 
security strategy and, in 2004, issued a strategy that focuses 
primarily on DHS's initiatives. However, the strategy does not include 
ongoing work by DOE, FERC, NIST, and others. Further, it does not 
include the various agencies' responsibilities, goals, milestones, or 
performance measures. Agency officials stated they have convened a 
federal working group that will develop a list of control systems 
security activities across the government. Further, in commenting on a 
draft of this report, DHS officials stated that this baseline list of 
activities will serve as the foundation for a comprehensive strategy 
across the public and private sectors. However, they did not provide a 
date for when the baseline and the comprehensive strategy would be 
completed. In addition, they did not state whether the list or the 
strategy would include responsibilities, goals, milestones, or 
performance measures. 

Until DHS develops an overarching strategy that delineates various 
public and private entities' roles and responsibilities and uses it to 
guide and coordinate control systems security activities, the federal 
government and private sector risk investing in duplicative activities 
and missing opportunities to learn from other organization's 
activities. 

DHS Faces Challenges in Sharing Sensitive Information on Control 
Systems Vulnerabilities: 

DHS is responsible for sharing information with critical infrastructure 
owners on control systems vulnerabilities, but faces challenges in 
doing so. In 2006, DHS developed a formal process for managing control 
systems vulnerabilities reported to the U.S. Computer Emergency 
Readiness Team (US-CERT).[Footnote 11] DHS gathers this information and 
works with vendors and others to identify mitigation strategies. It 
then releases this information to critical infrastructure owners and 
operators, control systems vendors, and the public. 

However, DHS's sharing of sensitive information on control systems to 
date has been limited. As of June 2007, US-CERT has issued only nine 
notices related to control systems security since the inception of the 
control systems security program in 2003. DHS's information sharing is 
limited in part because of reluctance by those in the private sector to 
inform the agency of vulnerabilities they have identified and in part 
because of weaknesses in DHS's ability to disseminate potentially 
sensitive information to the private sector. We previously reported on 
difficulties DHS has had in collecting information from, and sharing it 
with, the private sector.[Footnote 12] Industry officials stated that 
they are reluctant to share information about incidents because of 
uncertainties about how the information will be used and the value of 
reporting such incidents. 

In addition, DHS lacks a rapid, efficient process for disseminating 
sensitive information to private industry owners and operators of 
critical infrastructures. An agency official noted that sharing 
information with the private sector can be slowed by staff turnover and 
vacancies at DHS, the need to brief agency and executive branch 
officials and congressional staff before briefing the private sector, 
and difficulties in determining the appropriate classification level 
for the information. DHS's control systems security program manager 
acknowledged the need to share information more quickly. In commenting 
on a draft of this report, DHS officials stated that after the start of 
our review, the agency began developing a process to formalize and 
improve information sharing. However, this process was not evident 
during our review. Further, DHS did not provide evidence of this 
process or examples of how the process had actually been used to share 
information. 

Until DHS establishes an approach for rapidly assessing the sensitivity 
of vulnerability information and disseminating it--and thereby 
demonstrates the value it can provide to critical infrastructure 
owners--the agency's ability to effectively serve as a focal point in 
the collection and dissemination of sensitive vulnerability information 
will continue to be limited. Without a trusted focal point for sharing 
sensitive information on vulnerabilities, there is an increased risk 
that attacks on control systems could cause a significant disruption to 
our nation's critical infrastructures. 

Conclusions: 

Control systems are an essential component of our nation's critical 
infrastructure. Past incidents involving control systems, system 
vulnerabilities, and growing threats from a wide variety of sources 
highlight the risk facing these systems. The public and private sectors 
have begun numerous activities to improve the cybersecurity of these 
systems. However, the federal government lacks an overall strategy for 
coordinating public and private sector efforts. DHS also lacks an 
efficient process for sharing sensitive information on vulnerabilities 
with private sector critical infrastructure owners. Until an 
overarching strategy is in place, public and private sectors risk 
undertaking duplicative efforts. Also, without a streamlined process 
for advising private sector infrastructure owners of vulnerabilities, 
DHS is unable to fulfill its responsibility as a focal point for 
disseminating this information. If key vulnerability information is not 
in the hands of those who can mitigate its potentially severe 
consequences, there is an increased risk that attacks on control 
systems could cause a significant disruption to our nation's critical 
infrastructures. 

Recommendations for Executive Action: 

To improve federal government efforts to secure control systems 
governing critical infrastructure, we recommend that the Secretary of 
the Department of Homeland Security implement the following two 
actions: 

* develop a strategy to guide efforts for securing control systems, 
including agencies' responsibilities, as well as overall goals, 
milestones, and performance measures, and: 

* establish a rapid and secure process for sharing sensitive control 
system vulnerability information with critical infrastructure control 
system stakeholders, including vendors, owners, and operators. 

Agency Comments and Our Evaluation: 

We received comments via e-mail on a draft of this report from DHS 
officials, including the Deputy Director of the National Cyber Security 
Division. In the comments, agency officials neither agreed nor 
disagreed with our recommendations. Instead, they stated that DHS would 
take the recommendations under advisement. Additionally, officials 
stated that the agency has recently begun working with its partners in 
the Federal Control System Security Working Group to establish a 
baseline of ongoing activities. This baseline is to serve as a 
foundation for developing a comprehensive strategy that will encompass 
the public and private sectors, set a vision to secure control systems, 
describe roles and responsibilities, and identify future requirements 
for resources and action. Moreover, officials stated that the agency 
has recently developed a process to formalize the sharing of sensitive 
information related to control systems vulnerabilities. The officials 
reported that this process describes the information flow from 
vulnerability discovery, to validation, public and private 
coordination, and outreach and awareness. Further, it identifies the 
deliverables and outcomes expected at each step in the process. 

While DHS's intention to develop a comprehensive public/private 
strategy is consistent with our recommendation, the agency did not 
provide a date by which this strategy will be completed. Until DHS 
completes the comprehensive strategy, the public and private sectors 
risk undertaking duplicative efforts. 

Additionally, while DHS officials stated that the agency had developed 
a process for sharing sensitive information on control system 
vulnerabilities, it did not have such a process in place during our 
review. Further, the agency has not provided evidence of its process 
for sharing control system vulnerability information or evidence that 
this process has been used to share information. Until such a process 
is formalized and implemented, key vulnerability information may not be 
available to those who can mitigate its potentially severe 
consequences, therefore increasing the risk that attacks on control 
systems could cause a significant disruption to our nation's critical 
infrastructures. 

DHS officials and officials from other agencies who contributed to this 
report provided technical comments, which we have incorporated as 
appropriate. 

As agreed with your offices, unless you publicly announce the contents 
of this report earlier, we plan no further distribution of it until 30 
days from the report date. At that time, we will send copies of this 
report to interested congressional committees, the Secretary of the 
Department of Homeland Security, and other interested parties. In 
addition, this report will be available at no charge on GAO's Web site 
at [hyperlink, http://www.gao.gov]. 

If you have any questions on matters discussed in this report, please 
contact Dave Powner at (202) 512-9286 or Keith Rhodes at (202) 512- 
6412, or by e-mail at [email protected] and [email protected]. Contact 
points for our Offices of Congressional Relations and Public Affairs 
may be found on the last page of this report. GAO staff who made major 
contributions to this report are listed in appendix V. 

Signed by:  

David A. Powner: 
Director: 
Information Technology Management Issues:  

Signed by:  

Keith A. Rhodes: 
Chief Technologist Director: 
Center for Technology and Engineering:  

List of Requesters: 

The Honorable Joseph I. Lieberman: 
Chairman: 
The Honorable Susan M. Collins: 
Ranking Member: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate:  

The Honorable James R. Langevin: 
Chairman: 
The Honorable Michael T. McCaul: 
Ranking Member: 
Subcommittee on Emerging Threats, Cybersecurity, and Science and 
Technology: 
Committee on Homeland Security: 
House of Representatives:  

The Honorable Sheila Jackson-Lee: 
Chairwoman: 
The Honorable Daniel L. Lungren: 
Ranking Member: 
Subcommittee on Transportation Security and Infrastructure Protection: 
Committee on Homeland Security: 
House of Representatives:  

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

Our objectives were to (1) determine cyber threats, vulnerabilities, 
and the potential impact of attacks on critical infrastructure control 
systems; (2) determine the challenges to securing critical 
infrastructure control systems; (3) identify private sector initiatives 
to strengthen the cybersecurity of control systems; and (4) assess the 
adequacy of public sector initiatives to strengthen the cybersecurity 
of control systems. 

To determine the cyber threats, vulnerabilities, and the potential 
impact of attacks on critical infrastructure control systems, we 
reviewed prior GAO reports on control systems as well as reports 
prepared by other government agencies and private organizations, 
including documentation of prior control system security incidents. We 
conducted interviews with individuals in the private sector, including 
representatives of private companies that operate control systems. 
These individuals were selected based on their knowledge of and 
participation in both private and public sector control system security 
activities. We also met with representatives from trade associations 
and federal agencies. On the basis of the information and documentation 
we received from these individuals, and information we collected during 
site visits to three of the national laboratories, we were able to 
compile information on the cyber threats, vulnerabilities, and the 
potential impact of attacks on critical infrastructure control systems. 

To determine the challenges to securing critical infrastructure control 
systems, we reviewed prior GAO reports and testimonies and materials 
written by other public and private organizations on control systems 
security, critical infrastructure protection, and national 
preparedness. We conducted interviews with experts and industry 
representatives, including managers of federal control systems programs 
at the Department of Homeland Security (DHS) and Department of Energy 
(DOE), experts from the national laboratories, vendors, owners and 
operators, and standards and trade associations. 

To identify the private sector initiatives to strengthen cybersecurity 
of control systems, we researched current standards and accepted trade 
practices and analyzed current efforts to better secure control 
systems. We spoke to private sector owners and operators, vendors, 
trade associations, industry experts, and standards associations. These 
organizations included the North American Electric Reliability 
Corporation (NERC), the American Gas Association, and ISA. 

To assess the adequacy of public sector initiatives to strengthen the 
cybersecurity of control systems, we researched relevant federal laws 
and regulations and initiatives by federal agencies to better secure 
control systems, and reviewed documentation and project plans on 
federal control systems efforts. We also reviewed GAO's prior work 
analyzing best practices from leading organizations and interviewed 
private sector and other experts in control systems security for their 
perspectives on federal efforts. We interviewed officials from federal 
agencies including DHS, DOE, the National Institute of Standards and 
Technology (NIST), and the Federal Energy Regulatory Commission (FERC). 
In addition, we visited three of the national laboratories that are 
leading control systems security research and outreach efforts. These 
labs were selected because of their extensive participation in DOE and 
DHS control systems security programs. We then compared the activities 
of federal agencies with best practices and the perspectives of 
experts. 

Our work was conducted from March 2007 to July 2007 at agencies' 
headquarters in Washington, D.C., and at national laboratories in 
Idaho, New Mexico, and Washington state in accordance with generally 
accepted government auditing standards. 

[End of section] 

Appendix II: The Department of Homeland Security's Control Systems 
Security Initiatives: 

DHS supports multiple control systems security initiatives across 
government and the private sector. Table 9 lists key initiatives and 
projects conducted by DHS in control system security. 

Table 8: Selected DHS Control Systems Security Initiatives: 

Initiative: Coordination with US-CERT; 
Description: DHS's control systems program is working to enhance 
management of control system incidents and provide timely situational 
awareness information to control systems owners and operators through 
coordination with the United States Computer Emergency Readiness Team 
(US-CERT). According to agency officials, a person from the program 
works in the US-CERT operations center and handles any incoming threats 
or vulnerabilities related to control systems. The Idaho National 
Laboratory provides backup technical support if needed. DHS also 
provides outreach and awareness on the role of US-CERT in reporting and 
mitigating control systems cyber vulnerabilities, and is developing the 
capability to analyze software harmful to control systems.  

Initiative: Control System Cyber Security Self Assessment Tool; 
Description: DHS has developed the Control Systems Cyber Security Self 
Assessment Tool to assist control systems owners and operators in 
evaluating vulnerabilities and recommending mitigation strategies. This 
software takes users through a series of questions to determine the 
current status of their control systems network. It includes specific 
control systems architectures recommended by the National Institute of 
Standards and Technology as examples for end users and uses existing 
standards and recommended practices to provide the user a set of 
requirements for addressing specific security measures. The software 
was piloted in 2006 in several critical infrastructure sectors, and was 
deployed to the water sector in June 2007. According to agency 
officials, the software has also been tested in the electric sector and 
oil and gas sectors. According to DHS officials, in the future, the 
department plans to turn over development and maintenance of the 
software to a commercial vendor.  

Initiative: Process Control System Forum; 
Description: In February 2005, DHS launched the first Process Control 
System Forum. The forum is primarily a means for the government to 
reach out to academia, vendors, and owners and operators of critical 
infrastructure. In March 2007, the forum was held in Atlanta, Georgia, 
and included approximately 200 attendees.  

Initiative: Cyber Security Procurement Language for Control Systems; 
Description: The Cyber Security Procurement Language for Control 
Systems project is an initiative that DHS sponsored together with Idaho 
National Laboratory, the Multi-State Information Sharing and Analysis 
Center, and private industry. The purpose of the project is to 
summarize security principles that should be considered when designing 
and procuring control systems products and provide examples of language 
to incorporate into procurement specifications. According to an 
industry expert, the language has been used by owners procuring new 
control systems equipment. NIST officials stated that they are 
considering integrating this project into the Control System Cyber 
Security Self Assessment Tool (see previous section), by identifying 
the procurement language that would be necessary to address an 
identified vulnerability. In January 2007 the National Infrastructure 
Advisory Council[A] issued a report recommending that the Office of 
Management and Budget mandate that federal agencies apply the 
procurement language when procuring control systems and services.  

Initiative: Catalog of Control System Security Requirements; 
Description: DHS is also in the process of developing a Catalog of 
Control System Security Requirements. This initiative will provide a 
catalog of recommended requirements to facilitate the development and 
implementation of control systems cybersecurity standards to be applied 
to critical infrastructure. DHS and NIST officials stated that this 
will provide a common terminology that can be used for standards 
development and can therefore promote collaboration or convergence of 
industry standards. The catalog was used by NIST during the development 
of control systems- related guidance and, according to agency 
officials, was sent to ISA, a standards association, and the 
International Electrotechnical Commission for consideration. The 
catalog is currently in draft form.  

Initiative: Monthly Vendor Phone Calls; 
Description: DHS hosts monthly teleconference meetings with control 
systems vendors to provide a forum for the vendors to share information 
and common concerns, and to discuss control systems security needs for 
legacy and next generation products. According to agency officials, 
approximately 30 vendors representing most of the sectors using control 
systems are participating in the calls. At the most recent Process 
Control System Forum conference, the vendors held their first face-to-
face meeting. The DHS Control System Security Program Director stated 
that approximately 90 percent of the control systems manufacturers in 
the United States were represented at this meeting.  

Initiative: Federal Control Systems Working Group; 
Description: This group represents the federal control systems 
community and it is currently working on development of a baseline of 
federal control systems security efforts and enhancing information 
sharing with relevant stakeholders.  

Initiative: National Laboratory Assessments and Training; 
Description: DHS funds initiatives at DOE laboratory facilities 
including control systems site and vendor assessments and training. For 
more information, see appendix III.  

Initiative: Institute for Information Infrastructure Protection; 
Description: In January 2002, the Institute for Information 
Infrastructure Protection, a consortium made up of 27 entities managed 
by Dartmouth College, began operation. In 2005, the institute launched 
the Process Control Systems Security Research Project. This project 
focuses on cybersecurity-related research in the oil and gas sector. 
Initiatives completed include a source code checking tool, an intrusion 
detection and event correlation tool for process control systems, and a 
tool for building a business case for investing in security. According 
to program officials, currently there are two main bodies of work: (1) 
work that is drawing to a close from $8.5 million in funding from DHS's 
Science and Technology Directorate and (2) a new body of work that 
received $4.1 million in funding from DHS's National Cyber Security 
Division. Institute officials stated that the new work is under way as 
of April 2007, and will also focus on solutions for survivability and 
recovery of process control systems in the oil, gas, and chemical 
industries.  

Initiative: Linking the Oil and Gas Industry to Improve Cyber Security; 
Description: The Linking the Oil and Gas Industry to Improve Cyber 
Security project was a cooperative initiative between DHS's Science and 
Technology Directorate and companies in the oil and gas industry that 
ran from July 2005 to June 2006. The program's purpose was to identify 
new technologies for protecting process control systems. The program 
included a 14-member consortium of private sector oil and gas 
companies. DHS officials stated that the project was a precompetitive 
research and development project, and therefore the agency was able to 
provide support to begin the project and will likely play a role in the 
technology transfer process. The consortium of companies selected six 
vendor products to be included in the project. The consortium worked 
with Sandia National Laboratories on integrating and testing the six 
products, which resulted in a potentially viable security solution. The 
integrated solution was demonstrated to the participating organizations 
at a wrap-up meeting in Houston, Texas, on September 11, 2006.  

Initiative: Small Business Innovation Research Awards; 
Description: According to agency officials, from 2004 to 2005 DHS's 
Science and Technology Directorate funded 13 research proposals related 
to control systems security. The proposals received individual awards 
of up to $100,000 and lasted no more than 6 months in duration. On the 
basis of the results of these proposals, DHS awarded five small 
business innovation research awards. These awards were up to $750,000 
and typically were for no more than 2 years in duration. The last of 
these awards was completed in February 2007. Agency officials stated 
that oil and gas owners and operators have shown particular interest in 
continuing work on intrusion detection, encryption, and authentication 
of users.  

Initiative: Chemical Facilities Security Standards; 
Description: The 2007 DHS Appropriations Act required that DHS issue 
interim final regulations establishing security standards for chemical 
facilities. The regulations require vulnerability assessments and the 
development and implementation of site security plans for these 
facilities, and DHS must audit and inspect the facilities. DHS issued 
the regulations in April 2007, explicitly extending their applicability 
to control systems.  

Initiative: Pipeline Control Systems Safety; 
Description: The Transportation Security Administration's Pipeline 
Security Division conducts a corporate security review process for 
major pipeline operators that includes a high-level review of control 
systems security. As of June 2007, the division has conducted 
approximately 65 reviews. In addition, the administration is working on 
a pilot project involving assessments of security policies and control 
systems security for a particular pipeline operator.  

Source: GAO analysis of information provided by DHS and the Institute 
for Information Infrastructure Protection. 

[A] The National Infrastructure Advisory Council was chartered on July 
1, 2005 to provide the President, through the Secretary of the 
Department of Homeland Security, with advice on the security of the 
critical infrastructure sectors and their information systems. 

[End of table] 

[End of section] 

Appendix III: The Department of Energy's Initiatives to Support Control 
Systems Security within the Energy Sector: 

Since 2003, the Department of Energy's Office of Electricity Delivery 
and Energy Reliability has led control systems security efforts within 
the electric, oil, and natural gas industries by establishing the 
National SCADA Test Bed Program and developing a 10-year strategic 
framework for securing control systems in the energy sector. DOE's 
national laboratory facilities also play an important role in control 
systems security research. In particular, the Idaho National 
Laboratory, Sandia National Laboratories, and the Pacific Northwest 
National Laboratory lead key efforts in control systems security 
research for DOE, DHS, and other public and private organizations. 

The National SCADA Test Bed Program: 

In 2004, DOE launched the National SCADA Test Bed Program, a 
multilaboratory effort to identify control systems vulnerabilities, 
conduct control systems research and development, and provide 
cybersecurity training and outreach to industry. The test bed program 
includes five DOE laboratories and has a budget of $10 million for 
fiscal year 2007. To date, the test bed program has completed 12 
control systems vulnerability assessments in cooperation with control 
systems vendors and energy sector owners and operators. As a result of 
these assessments, the test bed team has provided vendors with 
recommendations to improve control systems security, and owners and 
operators with strategies for mitigating existing system security 
risks. The test bed program also has 10 ongoing control systems 
research and development projects that are peer-reviewed biannually to 
ensure they meet the needs of the government and the end users. In 
addition to its testing and research efforts, the program has led 
training workshops on control systems security for over 1,500 industry 
personnel, and has established a working group to evaluate control 
systems security standards in the energy sector. 

Strategic Framework for Securing Control Systems in the Energy Sector: 

In January 2006, DOE released the Roadmap to Secure Control Systems in 
the Energy Sector, a collaborative public-private strategy for securing 
control systems infrastructures over the next 10 years. Developed 
jointly by energy owners and operators, researchers, vendors, and the 
government, the road map links near-, mid-, and long-term security 
needs with four main goals: (1) measure and assess the current security 
posture; (2) develop and integrate protective measures; (3) detect 
intrusion and implement response strategies; and (4) sustain security 
improvements. 

The road map outlines the energy sector's top control systems security 
concerns and existing mitigation efforts, and is serving as a model for 
other sectors to develop similar plans. For example, in January 2007, 
DHS's National Infrastructure Advisory Council recommended that DHS and 
the sector-specific agencies develop plans using DOE's road map as a 
model. DOE has used the road map to align its test bed projects with 
strategic goals. In addition, DOE has created an online road map that 
uses the strategic framework to track public and private sector control 
systems security projects. 

National Laboratories Are Leading Significant Portions of Control 
Systems Security Work: 

DOE owns 17 laboratories and research facilities around the country 
that play an important role in control systems security research. In 
particular, the Idaho National Laboratory, the Sandia National 
Laboratories, and the Pacific Northwest National Laboratory manage and 
conduct key efforts in control systems security research for DOE, DHS, 
and other public and private organizations. Using their research 
facilities, the laboratories are able to conduct work for DHS, DOE, and 
other organizations. 

Research Facilities: 

The laboratories are able to use a number of unique research facilities 
to test control systems equipment. For example, Idaho National 
Laboratory operates its own electrical power transmission facility, 
which consists of 61 miles of high-voltage transmission lines, feeders, 
transformers, and independent substations (see fig. 5). According to 
laboratory officials, because portions of the transmission facility are 
easy to separate from the overall power grid, control systems equipment 
can be tested on the grid without fear of effects on the larger power 
grid. 

[End of section] 

Figure 5: A Substation That Is Part of Idaho National Laboratory's 
Facilities for Testing Control Systems (photograph): 

[See PDF for image]  

[End of figure]  

The Pacific Northwest National Laboratory has the Electricity 
Infrastructure Operations Center, which is a replica of a typical 
operations center used in the electric industry, with consoles, 
displays, hardware, and software that can be used for control of 
electricity transmission (see fig. 6). The center receives live 
transmission data from actual utility control systems, and is used as a 
platform for research, development, and demonstration. 

[End of section] 

Figure 6: The Pacific Northwest National Laboratory's Electricity 
Infrastructure Operations Center (photograph):  

[See PDF for image]  

[End of figure]  

DHS Sponsors Laboratory Activities Involving Control Systems Security: 

The national laboratories manage key efforts for DHS related to control 
systems security. For example, the Idaho National Laboratory is the 
lead laboratory to support and execute the DHS Control Systems Security 
Program. According to laboratory officials, the laboratories coordinate 
activities funded through DHS with those funded through the National 
SCADA Test Bed of the Department of Energy. For example, Idaho National 
Laboratory has conducted five vendor assessments and six site 
assessments using DHS funds and eight vendor assessments and four site 
assessments using DOE funds. 

Additionally, the Idaho, Pacific Northwest, and Sandia National 
Laboratories developed training for asset owners and operators. The 
Idaho National Laboratory has developed 4-and 8-hour classes on control 
systems security that it has given to approximately 1,500 industry 
personnel since 2005. In 2006, the Pacific Northwest National 
Laboratory developed online control systems security awareness training 
that has been published on US-CERT's Web site. In 2007, Sandia National 
Laboratories developed training to educate owners and operators on how 
to effectively use red teaming to improve the security posture of their 
control systems.[Footnote 13] Further, the Idaho National Laboratory 
has worked with George Mason University and New York University to 
develop a draft master's level course curriculum on critical 
infrastructure and control systems security. 

DOE's National SCADA Test Bed Sponsors Laboratory Activities: 

Under DOE's National SCADA Test Bed Program, the national laboratories 
have worked both independently and collaboratively on performing vendor 
vulnerability assessments, conducting control systems research and 
development, and leading industry training and outreach.[Footnote 14] 
For example, between 2004 and 2007, the Idaho National Laboratory 
conducted assessments of eight different control systems for the 
electricity sector. According to laboratory officials, vendors provide 
the lab with the hardware, software, and training necessary to run the 
control system; this represents a $1 million to $1.5 million investment 
by the vendor. Largely on the basis of the results of these 
assessments, vendors have chosen to develop system patches, reconfigure 
system architectures, and build enhanced systems, which have been 
retested by the laboratory. Furthermore, according to an agency 
official, the results of the vendor assessments have helped inform 
other federal control systems efforts, such as the development of the 
control system self assessment tool. In addition, the Idaho National 
Laboratory has conducted four on-site control system assessments for 
electricity sector owners and operators. 

In addition to vendor assessments, the laboratories are engaged in 10 
research projects that are to help industry stakeholders analyze 
control systems operations and improve the security and reliability of 
architectures for control systems. For example, the Pacific Northwest 
National Laboratory has developed a technology to encapsulate control 
systems communications between two devices with a unique identifier and 
authenticator. This technology enables the devices to verify that the 
communication has not been tampered with. Unlike comparable 
technologies for standard information technology (IT) systems, the 
authentication technology does not require substantial amounts of 
bandwidth or processing power. Importantly, this technology has the 
potential to be applied to both new systems and older control systems. 
In addition, the Idaho, Pacific Northwest, and Sandia National 
Laboratories are working on identifying vulnerabilities in the current 
communications protocol used between control centers, testing 
mitigation techniques, and, ultimately, assisting industry in 
implementing a secure version of the protocol. 

Other Organizations Sponsor Laboratory Activities: 

In addition to work for DHS and DOE, the laboratories have conducted 
control systems security work for other public and private 
organizations, including research, security assessments, and training. 
For example, the laboratories have performed security assessments of 
control systems for federal operators of critical infrastructure, 
including the Bureau of Reclamation, Tennessee Valley Authority, 
Bonneville Power Administration, and the Strategic Petroleum Reserve, 
as well as private sector utility companies. Moreover, the Pacific 
Northwest National Laboratory worked with the Nuclear Regulatory 
Commission and the Nuclear Energy Institute to develop a self- 
assessment methodology for nuclear plants to determine compliance with 
standards. 

[End of section] 

Appendix IV: Other Agencies' Initiatives to Help Secure Critical 
Infrastructure Control Systems: 

In addition to DHS and DOE, multiple other federal agencies and 
entities are working to help secure critical infrastructure control 
systems. Initiatives undertaken by the Federal Energy Regulatory 
Commission, the National Institute of Standards and Technology, the 
Environmental Protection Agency, and others are described here. 

Federal Energy Regulatory Commission: 

Under the Energy Policy Act of 2005, the Federal Energy Regulatory 
Commission (FERC) was authorized to (1) appoint an electricity 
reliability organization to develop and enforce mandatory electricity 
reliability standards, including cybersecurity, and (2) approve, 
remand, or require modification to each proposed standard. The agency 
may also direct the reliability organization to develop a new standard 
or modify existing standards. Both the agency and the reliability 
organization have the authority to enforce approved standards, 
investigate incidents, and impose penalties (up to $1 million a day) on 
noncompliant electricity asset users, owners, or operators. 

FERC has conducted several activities to begin implementing the 
requirements of the act. In July 2006, FERC certified the North 
American Electric Reliability Corporation (NERC) as the electric 
reliability organization. In December 2006, FERC released a staff 
assessment of NERC's eight Critical Infrastructure Protection (CIP) 
reliability standards, which include standards for control systems 
security. FERC found that while the standards were a good start, there 
were a number of items that required improvement, including ambiguous 
language for standards requirements, measurability, and degrees of 
compliance; insufficient technical requirements to ensure grid 
reliability; and the use of "fill-in-the-blank standards," which are 
not enforceable. NERC agreed that the standards represented a starting 
point and has proposed a work plan to address the deficiencies. In July 
2007, FERC issued a notice of public rulemaking in which it proposed to 
approve eight CIP reliability standards while directing NERC to modify 
the areas of these standards that require improvement. After 
considering public comments on the notice of public rulemaking, which 
are due in late September 2007, FERC plans to issue its final rule on 
the CIP reliability standards. 

The National Institute of Standards and Technology Is Developing 
Standards and Guidance to Improve Control Systems Security: 

The National Institute of Standards and Technology (NIST) is working 
with federal and industry stakeholders to develop standards, 
guidelines, checklists, and test methods to help secure critical 
control systems. For example, NIST is currently developing guidance for 
federal agencies that own or operate control systems to comply with 
federal information system security standards and guidelines.[Footnote 
15] The guidance identifies issues and modifications to consider in 
applying information security standards and guidelines to control 
systems. Table 10 lists key NIST efforts. 

Table 9: NIST Control Systems Security Efforts: 

Initiative: Industrial Control Systems Security Project; 
Description: The project intends to build on current federal security 
standards and provide targeted extensions and/or interpretations of 
those standards for industrial and process control systems where 
needed.  

Initiative: Special Publication 800-53, Recommended Security Controls 
for Federal Information Systems, Revision 1 --Appendix I: Industrial 
Control Systems: Interim Guidance on the Application of Security 
Controls; 
Description: NIST is currently working on applying Special Publication 
(SP) 800-53, Recommended Security Controls for Federal Information 
Systems, to control systems. NIST SP 800-53 was originally developed 
for the traditional IT environment, and it treats control systems as 
information systems. However, organizations have had difficulties in 
using SP 800-53 to protect their control systems due to the unique 
needs of control systems. Through the results of NIST workshops held in 
April 2006 and March 2007, NIST developed and, in July 2007, released 
an augmentation to SP 800-53 that addresses control systems. According 
to agency officials, while most controls in SP 800-53 are applicable to 
control systems as written, several controls do require supplemental 
guidance and enhancements. NIST officials stated they plan to hold a 
workshop in late summer 2007, to include representatives from national 
and international control systems communities to share information, 
obtain input, and determine their level of interest in voluntarily 
adopting and using NIST's industrial control system interpretation of 
SP 800-53.  

Initiative: Special Publication 800-82, Guide to Supervisory Control 
and Data Acquisition (SCADA) and Industrial Control Systems Security; 
Description: NIST is developing Special Publication 800-82, Guide to 
Supervisory Control and Data Acquisition (SCADA) and Industrial Control 
Systems Security. The publication is a guidance document on how to 
secure control systems, including the security of legacy systems. An 
initial public draft was released in September 2006, and the 
publication is due for second public draft release in August 2007.  

Initiative: NIST Special Publication 1058, Using Host-Based Antivirus 
Software on Industrial Control Systems: Integration Guidance and a Test 
Methodology for Assessing Performance Impacts; 
Description: NIST and Sandia National Laboratories, under the guidance 
and sponsorship of DOE's Office of Electricity Delivery and Energy 
Reliability and its National SCADA Test Bed Program, investigated and 
tested the impacts of commercial, off-the-shelf antivirus software on 
control system performance. A guidance document was released in 
September 2006.  

Initiative: Process Controls Security Requirements Forum; 
Description: NIST organized the Process Controls Security Requirements 
Forum to establish security specifications that can be used in the 
procurement, development, and retrofit of industrial control systems. 
The forum's membership includes representatives from the water, 
electric, chemical, and petrochemical industries; U.S. government 
laboratories and organizations; and vendors of control systems. Its 
immediate goal is to increase the security of control systems through 
the definition and application of a common set of information security 
requirements for these systems.  

Initiative: Catalog of Control System Security Requirements; 
Description: In collaboration with DHS, NIST is developing a catalogue 
of requirements that provides a detailed list of security requirements 
to facilitate the development and convergence of cybersecurity 
standards applied to control systems across the industries, domestic 
and foreign.  

Initiative: NIST Industrial Control System Security Test Bed; 
Description: NIST initiated the development of a test bed consisting of 
several implementations of typical industrial control systems including 
SCADA, networking equipment, and relevant sensors. The test bed is 
being used at NIST to develop test methods for validation and 
conformance testing of security implementations. The test bed is also 
being used to help identify system vulnerabilities and to establish 
best practices. 

Source: NIST. 

[End of table] 

Other Federal Agencies Are Working with DHS, DOE, and NIST on Control 
Systems Security Initiatives: 

Environmental Protection Agency: 

The Environmental Protection Agency (EPA) assisted DHS in developing a 
control systems self-assessment tool, a software program that assists 
owners and operators in identifying control systems vulnerabilities and 
mitigation strategies for addressing these vulnerabilities. EPA began 
work on a water security assessment tool in response to the Public 
Health Security and Bioterrorism Preparedness and Response Act of 2002, 
which required the agency to conduct vulnerability assessments of 
community water systems serving more than 3,300 individuals. EPA's 
preliminary work in this area served as the foundation for DHS's 
Control Systems Cyber Security Self Assessment Tool project. The agency 
initially launched the tool within the water sector in July 2007. 

In addition, EPA actively participates in control systems security 
information sharing activities through the Water Information Sharing 
and Analysis Center and DHS's Homeland Infrastructure Threat and Risk 
Analysis Center, and has been involved with control systems standards 
development efforts. 

Federal Bureau of Investigation: 

The Federal Bureau of Investigation's Cyber Crime division participates 
in DHS's US-CERT program and coordinates with DHS's National Cyber 
Security Division on general cybersecurity issues. According to an 
agency official, the Cyber Crime division is in the process of 
establishing a control systems work group within its Intelligence and 
Information Sharing group. 

In addition, since 1996, the bureau's cyber division has sponsored 
InfraGard, a cooperative government and private sector program to 
exchange information about infrastructure threats and vulnerabilities. 
As previously mentioned, SCADAGard, a special interest group within 
InfraGard, is to be used to share information with control systems 
owners and operators who have been vetted by the bureau. 

Nuclear Regulatory Commission: 

The Nuclear Regulatory Commission has conducted several activities 
related to enhancing the cybersecurity of control systems. The 
commission, which has regulatory authority over nuclear power plant 
safety control systems, completed a cybersecurity self-assessment 
project with technical assistance from the Pacific Northwest National 
Laboratory in October 2004 and documented the results in two technical 
reports published in 2004 and 2005.[Footnote 16] According to agency 
officials, on the basis of the information in these reports, a nuclear 
industry task force developed NEI 04-04, Cyber Security Program for 
Power Reactors, to provide nuclear power reactor licensees a means for 
developing and maintaining effective cybersecurity programs at their 
sites. In December 2005, the commission's staff accepted this document 
as an acceptable method for establishing and maintaining cybersecurity 
programs at nuclear power plants. 

In January 2006, the commission issued a revision to Regulatory Guide 
1.152, Criteria for Use of Computers in Safety Systems of Nuclear Power 
Plants, which provides cybersecurity-related guidance for the design of 
nuclear power plant safety systems. In addition, the commission has 
initiated a rulemaking process providing security requirements for 
digital computer and communication networks, including systems that are 
needed for safety, security, or emergency response. The public comment 
period for this rulemaking closed in March 2007. 

According to agency officials, in May 2007, all nuclear plants had 
completed an inventory and assessment of their critical digital 
systems. Agency officials stated that the commission staff is planning 
to conduct oversight inspections after completion of ongoing security- 
related rulemaking that will clearly establish the requirements for 
nuclear power plant cybersecurity programs. 

[End of section] 

Appendix V: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

David A. Powner, (202) 512-9286 or [email protected]: 

Keith A. Rhodes, (202) 512-6412 or [email protected]: 

Staff Acknowledgments: 

In addition to those named above, Scott Borre, Heather A. Collins, Neil 
J. Doherty, Vijay D'Souza, Nancy Glover, Sairah Ijaz, Patrick Morton, 
and Colleen M. Phillips (Assistant Director) made key contributions to 
this report. 

(310841): 

[End of section]  

Footnotes:  

[1] The White House, The National Strategy to Secure Cyberspace 
(Washington, D.C.: February 2003). 

[2] Newton-Evans Research Company, Inc., World Market Study of SCADA, 
Energy Management Systems and Distribution Management Systems in 
Electrical Utilities: 2005-2007, (Ellicott City, Maryland: June 2005) 
as cited in U.S. Department of Energy, Roadmap to Secure Control 
Systems in the Energy Sector (Washington, D.C.: January 2006). 

[3] These laws and policies include, for example, the Homeland Security 
Act of 2002 (Pub. L. No. 107-296, sec. 214 (Nov. 25, 2002)); Homeland 
Security Presidential Directive 7, the Energy Policy Act of 2005 (Pub. 
L. No. 109-58, sec. 1211 (Aug. 8, 2005)); and The National Strategy to 
Secure Cyberspace. 

[4] The White House, The National Strategy to Secure Cyberspace 
(Washington, D.C.: February 2003). 

[5] Department of Homeland Security, National Infrastructure Protection 
Plan (Washington, D.C.: June 2006).  

[6] "Malware" (malicious software) is defined as programs that are 
designed to carry out annoying or harmful actions. They often 
masquerade as useful programs or are embedded into useful programs so 
that users are induced into activating them. 

[7] See National Institute of Standards and Technology, Special 
Publication 800-82 Guide to Supervisory Control and Data Acquisition 
(SCADA) and Industrial Control Systems Security: Recommendations of the 
National Institute of Standards and Technology, (Gaithersburg, 
Maryland. September 2006); Los Angeles County District Attorneys Office 
(da.co.la.ca.us/mr/010507a.htm), Two City Engineers Charged with 
Allegedly Hacking Into City's Traffic Computer (Los Angeles, 
California: Jan. 5, 2007); and ISA (www.isa.org/content/contentgroups/ 
news/2006/november29/hackers_hit_pennsylvania_water_system.htm), 
Hackers Hit Pennsylvania Water System, (Research Triangle Park, North 
Carolina: November 2,, 2006). 

[8] See GAO, Information Sharing: DHS Should Take Steps to Encourage 
More Widespread Use of Its Program to Protect and Share Critical 
Infrastructure Information, GAO-06-383 (Washington, DC,: Apr. 17, 
2006); Critical Infrastructure Protection: Improving Information 
Sharing with Infrastructure Sectors, GAO-04-780 (Washington, D.C.: July 
9, 2004); and Critical Infrastructure Protection: Challenges for 
Selected Agencies and Industry Sectors, GAO-03-233 (Washington, DC.: 
Feb. 28, 2003). 

[9] See GAO, Risk Management: Further Refinements Needed to Assess 
Risks and Prioritize Protective Measures at Ports and Other Critical 
Infrastructure, GAO-06-91, (Washington, D.C.: Dec. 15, 2005).  

[10] GAO, Critical Infrastructure Protection: Challenges and Efforts to 
Secure Control Systems, GAO-04-354, (Washington, D.C.: Mar. 15, 2004). 

[11] US-CERT's mission is to protect the nation's Internet 
infrastructure. US-CERT coordinates defense against and responses to 
cyber attacks by analyzing and reducing cyber threats and 
vulnerabilities, disseminating cyber threat warning information, and 
coordinating incident response activities. 

[12] See GAO, Critical Infrastructure Protection: Improving Information 
Sharing with Infrastructure Sectors, GAO-04-780 (Washington, D.C.: July 
9, 2004), and GAO-06-383. 

[13] Red teaming is assembling a team to attack a computer system for 
the purpose of identifying and reporting its vulnerabilities. 

[14] Five national laboratories currently participate in the National 
SCADA Test Bed program: Idaho National Laboratory, Sandia National 
Laboratories, Pacific Northwest National Laboratory, Oak Ridge National 
Laboratory, and Argonne National Laboratory. 

[15] See National Institute of Standards and Technology, Special 
Publication 800-82 Guide to Supervisory Control and Data Acquisition 
(SCADA) and Industrial Control Systems Security: Recommendations of the 
National Institute of Standards and Technology, (Gaithersburg, 
Maryland, September 2006). 

[16] U.S. Nuclear Regulatory Commission, NUREG/CR-6847: Cyber Security 
Self-Assessment Method for U.S. Nuclear Power Plants, (Washington D.C., 
October, 2004) and NUREG/CR-6852: An Examination of Cyber Security at 
Several U.S. Nuclear Power Plants, (Washington D.C.: May, 2005).  

[End of section]  

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "Subscribe to Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548:  

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061:  

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: [email protected]: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, [email protected]: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548:  

Public Affairs: 

Susan Becker, Acting Manager, [email protected]: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548:

*** End of document. ***