U.S. GAO says control systems at risk of cyber attacks

The U.S. General Accounting Office recently reported that, besides increasing general cyber threats, several factors are contributing to escalated risks of cyber attacks against control systems. These factors include adoption of standardized technologies with known vulnerabilities and increased connectivity of control systems to other systems, according to GAO's report, "

By Staff May 1, 2004

The U.S. General Accounting Office recently reported that, besides increasing general cyber threats, several factors are contributing to escalated risks of cyber attacks against control systems. These factors include adoption of standardized technologies with known vulnerabilities and increased connectivity of control systems to other systems, according to GAO’s report and related white paper, "Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems," released in March 2004.

GAO reports that control systems can be vulnerable to a variety of attacks, and that some examples of these have already occurred. Successful attacks on control systems could have devastating consequences, such as endangering public health and safety. GAO adds that computerized control systems perform vital functions across many of the nation’s critical infrastructures. For example, in the natural gas distribution industry, they can monitor and control the pressure and flow of gas through pipelines.

The report states the risk of a cyber-based attack persists because securing control systems poses significant challenges, including limited specialized security technologies and lack of economic justification. However, the government, academia, and private industry already have initiated efforts to strengthen the cyber-security of control systems. The President’s National Strategy to Secure Cyberspace establishes a role for the U.S. Department of Homeland Security (DHS) to coordinate with these entities to improve cyber-security of control systems.

While some cooperation is occurring, DHS’s coordination of these efforts could accelerate the development and implementation of more secure systems. GAO’s report adds that without effective coordination of these efforts, there is a risk of delaying the development and implementation of more secure systems to manage the nation’s critical infrastructures. GAO recommends that the secretary of the DHS develop and implement a strategy for coordinating with the private sector and other government agencies to improve control system security, including an approach for coordinating the various ongoing efforts to secure control systems. DHS has concurred with GAO’s recommendation.

Avoiding ‘plug and plague’

More open systems have created "plug and plague concerns," says Stephen Thomas, associate project engineer for Olin Chlor Alkali Products (McIntosh, AL). "It’s so easy to connect to open systems, problems may not be detected until after the fact, and the problems can affect the entire network."

Don Richardson, Microsoft director of manufacturing solutions, suggested that control systems may be more vulnerable than once thought because of a number of misconceptions, including that security is an IT problem and that a firewall is all that’s needed for protection. Thomas and Richardson add there’s a need for better discipline by individuals and companies, as well as more proactive policies, procedures, and technologies to counter attacks.

For more of Thomas and Richardson’s views on security, presented April 21 at the ABB Automation World conference in Atlanta, see Control Engineering Online for April 23, 2004.

For more information or to read the latest version of the GAO report, visit Control Engineering ‘s new subscriber-based Resource Center online at www.controleng.com or visit https://www.gao.gov .