[LINK] GAO sees threats to industrial systems
Bernard Robertson-Dunn
brd at austarmetro.com.au
Thu Apr 1 09:14:57 EST 2004
GAO sees threats to industrial systems
BY Dibya Sarkar
Federal Computer Week
Thursday, April 1, 2004
http://www.fcw.com/fcw/articles/2004/0329/web-scada-03-30-04.asp
Risks to industrial computer-based systems that control vital critical
infrastructures, such as electrical grids, oil refining and pipelines, and
water treatment and distribution, are increasing and could have devastating
consequences, according to a General Accounting Office report released
today.
But an official with the Homeland Security Department said the government
is assessing vulnerabilities at such critical infrastructures and working
toward shoring up those problems.
In addition to increasing cyber threats, the GAO cited four factors
contributing to the problem:
* With the growing adoption of standardized technologies, such as Microsoft
Corp.'s Windows and Unix-like operating systems, there is also the risk of
exploitation of known vulnerabilities in those technologies.
* Further vulnerabilities are created as such control systems, often
referred to as Supervisory Control and Data Acquisition, or SCADA, are
connected to other networks and the Internet.
* Insecure connections, such as dial-up modems or wireless, without use of
authentication or encryption can jeopardize the data flow.
* Information about such control systems and infrastructures is widely
available to the public through industry and government publications, maps
and other materials and documents through the Internet.
"Control systems can be vulnerable to a variety of attacks that could have
devastating consequences, such as endangering public health and safety,
damaging the environment, or causing a loss of production, generation, or
distribution of public utilities," said Robert Dacey, GAO's director of
information security issues. "Control systems have already been subject to
a number of cyberattacks, including documented attacks on a sewage
treatment system in Australia in 1999 and, more recently, on a nuclear
power plant in Ohio."
Dacey and others testified today before the House Government Reform
Committee's Technology, Information Policy, Intergovernmental Relations and
the Census Subcommittee.
"It had never occurred to me that the potential threat from a computer
somewhere half way around the world might exceed the harm that could be
perpetrated by Mother Nature," said Rep. Adam Putnam (R-Fla.), the
subcommittee's chairman. "I have learned that today's SCADA systems have
been designed with little or no attention to computer security."
GAO officials recommended better coordination among the public and private
sectors, better research and development of new security technologies,
development of security standards, implementation of effective security
management programs and better information sharing.
James McDonnell, director of DHS' Protective Security Division, which is
part of the Information Analysis and Infrastructure Protection Directorate,
said his group has identified 1,700 facilities that are targeted for
security improvement.
"Of those sites, we have identified roughly 565 with process control
systems," he said. "As appropriate, reduction in SCADA vulnerabilities will
be undertaken just as reductions in physical vulnerabilities are."
While McDonnell said there is increased cooperation between the public and
private sectors, Putnam questioned where the money would come from since
most of the country's critical infrastructure is owned by the private
sector. McDonnell replied that if it's a risk-based decision, then the federal
government can find a way to fix it. He also said if corporate executives
are aware of the vulnerabilities, then they can make the right decision;
otherwise there could be a liability issue.
As far as information about SCADA systems available to the public, Putnam
asked whether policy changes should be considered to restrict access. Dacey
said while that might be an option, the real issue is to protect such
systems adequately. McDonnell added that a new IAIP program is asking the
private sector to submit sensitive information that would be exempt from
the Freedom of Information Act.
--
It is no longer a question of controlling a military-industrial complex,
but rather, of keeping the United States from becoming a totally military
culture
-- Jerome Wiesner
Regards
brd
Bernard Robertson-Dunn
Canberra Australia
brd at austarmetro.com.au