NCJ Number
204893
Date Published
March 2004
Length
47 pages
Annotation
This General Accounting Office (GAO) study assessed the potential risk of cyber attack against our Nation’s critical infrastructure control systems and identified challenges to securing control systems from cyber attack.
Abstract
Control systems for many of our Nation’s critical infrastructures have been computerized. As such, much critical infrastructure, such as natural gas distribution and drinking water systems, is considered vulnerable to cyber attacks. Moreover, the increasing use of standardized technologies and the increasing connectivity of computerized systems makes the threat of cyber attack very real. This study had four main objectives: (1) to assess the cybersecurity risks associated with critical control systems; (2) to assess potential and reported cyber attacks against these systems; (3) to assess the key challenges to securing control systems; and (4) to assess efforts to strengthen the cybersecurity of critical control systems. Research methodology included an analysis of previous research and GAO reports, document analysis, and interviews with manufacturers, users, and Federal officials with expertise in control systems and their security. Results revealed that several factors have contributed to the vulnerability to cyber attacks: (1) adoption of standardized technologies with known vulnerabilities; (2) increasing computer connectivity; (3) insecure remote connections; and (4) widespread availability of information about control system technology. The main challenges to securing control systems include limitations of current security technologies, the perception that securing control systems will be economically unfeasible, and conflicting priorities within organizations regarding the security of control systems. Greater collaboration among critical infrastructure entities is necessary for the increased security of our Nation’s control systems. The report recommends that the Department of Homeland Security develop and implement a coordinating strategy by December 2004 for private and government agencies to improve control system security. Tables, figures, appendix