United States General Accounting Office GAO Report to Congressional Requesters March 2004 CRITICAL INFRASTRUCTURE PROTECTION Challenges and Efforts to Secure Control Systems GAO-04-354 March 2004 CRITICAL INFRASTRUCTURE PROTECTION Highlights of GAO-04-354 a report to congressional requesters Computerized control systems perform vital functions across many of our nation’s critical infrastructures For example in natural gas distribution they can monitor and control the pressure and flow of gas through pipelines In October 1997 the President’s Commission on Critical Infrastructure Protection emphasized the increasing vulnerability of control systems to cyber attacks The House Committee on Government Reform and its Subcommittee on Technology Information Policy Intergovernmental Relations and the Census asked GAO to report on potential cyber vulnerabilities focusing on 1 significant cybersecurity risks associated with control systems 2 potential and reported cyber attacks against these systems 3 key challenges to securing control systems and 4 efforts to strengthen the cybersecurity of control systems Challenges and Efforts to Secure Control Systems In addition to general cyber threats which have been steadily increasing several factors have contributed to the escalation of the risks of cyber attacks against control systems These include the adoption of standardized technologies with known vulnerabilities and the increased connectivity of control systems to other systems Common control system components are illustrated in the graphic below Control systems can be vulnerable to a variety of attacks examples of which have already occurred Successful attacks on control systems could have devastating consequences such as endangering public health and safety Securing control systems poses significant challenges including limited specialized security technologies and lack of economic justification The government academia and private industry have initiated efforts to strengthen the cybersecurity of control systems The President’s National Strategy to Secure Cyberspace establishes a role for DHS to coordinate with these entities to improve the cybersecurity of control systems While some coordination is occurring DHS’s coordination of these efforts could accelerate the development and implementation of more secure systems Without effective coordination of these efforts there is a risk of delaying the development and implementation of more secure systems to manage our critical infrastructures Typical Components of a Control System Enterprise network Internet business partners Control System GAO recommends that the Secretary of the Department of Homeland Security DHS develop and implement a strategy for coordinating with the private sector and other government agencies to improve control system security including an approach for coordinating the various ongoing efforts to secure control systems DHS concurred with GAO’s recommendation Supervisory control and monitoring station Redundant application servers Engineering workstation Human-machine interface HMI Communications network can be the Internet a public switched telephone network a wireless network or a hardwired network Remote local station 1 Controller Sensor Control equipment Sensor Control equipment A control system may have multiple remote local stations Remote local station N Controller Sensor Control equipment Sensor Control equipment www gao gov cgi-bin getrpt GAO-04-354 To view the full product including the scope and methodology click on the link above For more information contact Robert F Dacey at 202 512-3317 or daceyr@gao gov Modem Modem Handheld device Source GAO analysis Art Explosion clipart Handheld device Contents Letter 1 Results in Brief Background What Are Control Systems Control Systems Are at Increasing Risk Cyber Threats to Control Systems Securing Control Systems Poses Significant Challenges Efforts to Strengthen the Cybersecurity of Control Systems Under Way but Lack Adequate Coordination Conclusions Recommendation for Executive Action Agency Comments 21 24 24 24 Appendix I Objectives Scope and Methodology 26 Appendix II Initiatives to Address Cybersecurity Challenges of Control Systems 27 Department of Homeland Security Department of Defense Department of Energy Environmental Protection Agency Food and Drug Administration National Institute of Standards and Technology and National Security Agency Technical Support Working Group National Science Foundation National Academies Interagency Working Group on Information Technology Research and Development North American Electric Reliability Council Electric Power Research Institute International Council on Large Electric Systems The Oil Pipeline Industry Gas Technology Institute and American Gas Association Chemical Sector Cybersecurity Program Instrumentation Systems and Automation Society International Electrotechnical Commission Institute of Electrical and Electronics Engineers Partnership for Critical Infrastructure Security Page i 2 3 8 11 14 18 27 28 28 30 31 32 32 32 33 34 34 35 35 36 36 36 37 38 39 39 GAO-04-354 Cybersecurity of Control Systems Appendix III CERT CC and KEMA Consulting Process Control Systems Cyber Security Forum 39 39 Comments from the Department of Homeland Security 41 Table Table 1 Threats to Critical Infrastructures Observed by the FBI 4 Figures Figure 1 Security Vulnerabilities 1995–2003 Figure 2 Computer Security Incidents 1995–2003 Figure 3 Typical Components of a Control System 6 7 10 Abbreviations AGA ANL CERT CC CIDX CIGRE CIP CIPAG DCS DHS DOD DOE EPA EPRI FBI FDA FERC IAIP IEC IEEE ISA Page ii American Gas Association Argonne National Laboratory CERT® Coordination Center Chemical Industry Data Exchange International Council on Large Electric Systems Critical Infrastructure Protection Critical Infrastructure Protection Advisory Group Distributed Control Systems Department of Homeland Security Department of Defense Department of Energy Environmental Protection Agency Electric Power Research Institute Federal Bureau of Investigation Food and Drug Administration Federal Energy Regulatory Commission Information Analysis and Infrastructure Protection International Electrotechnical Commission Institute of Electrical and Electronics Engineers Instrumentation Systems and Automation Society GAO-04-354 Cybersecurity of Control Systems ISAC IT IT R D JPO-STC NCSD NERC NIPC NIST NSA NSF OEA PCIS PCSCS PCSRF PLC PNNL RAM-W RTU SCADA S T TSWG Information Sharing and Analysis Center Information Technology Information Technology Research and Development Joint Program Office for Special Technology Countermeasures National Cyber Security Division North American Electric Reliability Council National Infrastructure Protection Center National Institute of Standards and Technology National Security Agency National Science Foundation Office of Energy Assurance Partnership for Critical Infrastructure Security Process Control Systems Cyber Security Forum Process Controls Security Requirements Forum Programmable Logic Controller Pacific Northwest National Laboratory Risk Assessment Methodology–Water remote terminal unit Supervisory Control and Data Acquisition Science and Technology Directorate Technical Support Working Group This is a work of the U S government and is not subject to copyright protection in the United States It may be reproduced and distributed in its entirety without further permission from GAO However because this work may contain copyrighted images or other material permission from the copyright holder may be necessary if you wish to reproduce this material separately Page iii GAO-04-354 Cybersecurity of Control Systems United States General Accounting Office Washington DC 20548 March 15 2004 The Honorable Tom Davis Chairman Committee on Government Reform House of Representatives The Honorable Adam Putnam Chairman Subcommittee on Technology Information Policy Intergovernmental Relations and the Census Committee on Government Reform House of Representatives Control systems—which include supervisory control and data acquisition SCADA systems and distributed control systems1—perform vital functions across many of our nation’s critical infrastructures including electric power generation transmission and distribution oil and gas refining and pipelines water treatment and distribution chemical production and processing railroads and mass transit and manufacturing In October 1997 the President’s Commission on Critical Infrastructure Protection highlighted the risk of cyber attacks as a specific point of vulnerability in our critical infrastructures stating that “the widespread and increasing use of SCADA systems for control of energy systems provides increasing ability to cause serious damage and disruption by cyber means ” On October 1 2003 we testified on the cybersecurity of control systems before the Subcommittee on Technology Information Policy Intergovernmental Relations and the Census 2 Further your committee and subcommittee asked us to identify 1 significant cybersecurity risks 1 Control systems are computer-based systems that are used by many infrastructures and industries to monitor and control sensitive processes and physical functions Typically control systems collect sensor measurements and operational data from the field process and display this information and relay control commands to local or remote equipment There are two primary types of control systems Distributed Control Systems DCS typically are used within a single processing or generating plant or over a small geographic area Supervisory Control and Data Acquisition SCADA systems typically are used for large geographically dispersed distribution operations 2 U S General Accounting Office Critical Infrastructure Protection Challenges in Securing Control Systems GAO-04-140T Washington D C Oct 1 2003 Page 1 GAO-04-354 Cybersecurity of Control Systems associated with control systems 2 potential and reported cyber attacks against these systems 3 key challenges to securing control systems and 4 efforts to strengthen the cybersecurity of control systems To address these objectives we analyzed research studies and reports as well as prior GAO reports and testimonies on critical infrastructure protection CIP information security and national preparedness among others We analyzed documents from and met with private-sector and federal officials who had expertise in control systems and their security Our work was performed from July to December 2003 in accordance with generally accepted government auditing standards Appendix I contains further details on our objectives scope and methodology Results in Brief For several years security risks have been reported in the control systems on which many of the nation’s critical infrastructures rely to monitor and control sensitive processes and physical functions In addition to a steady increase in general cyber threats several factors have contributed to the escalation of risks specific to control systems including the 1 adoption of standardized technologies with known vulnerabilities 2 connectivity of control systems with other networks 3 insecure remote connections and 4 widespread availability of technical information about control systems Control systems can be vulnerable to a variety of types of cyber attacks that could have devastating consequences—such as endangering public health and safety damaging the environment or causing a loss of production generation or distribution by public utilities Control systems have already been subject to a number of cyber attacks including attacks on a sewage treatment system in Australia in 2000 and more recently on a nuclear power plant in Ohio Securing control systems poses significant challenges These include the limitations of current security technologies in securing control systems the perception that securing control systems may not be economically justifiable and conflicting priorities within organizations regarding the security of control systems Government academia and private industry have initiated several efforts that are intended to improve the security of control systems These initiatives include efforts to promote the research and development of new technologies the development of requirements and standards an increased awareness and sharing of information and the implementation Page 2 GAO-04-354 Cybersecurity of Control Systems of effective security management programs The President’s National Strategy to Secure Cyberspace establishes a role for the Department of Homeland Security DHS to coordinate with the private sector and other governments to improve the cybersecurity of control systems While some coordination is occurring DHS’s coordination of these efforts could accelerate the development and implementation of more secure systems Without adequate coordination of these efforts there is a risk of delaying the development and implementation of more secure systems to manage our critical infrastructures We are recommending that the Secretary of DHS develop and implement a strategy for coordinating with the private sector and other government agencies to improve control system security including developing an approach for coordinating the various ongoing efforts to secure control systems This strategy should also be addressed in the comprehensive national infrastructure plan that the department is tasked to complete by December 2004 In providing written comments on this draft report DHS’s Undersecretary for the Information Analysis and Infrastructure Protection Directorate concurred with our recommendation see app III DHS agreed that improving the security of control systems against cyberattack is a high priority We also received technical comments from DHS that we have incorporated into the report as appropriate Background Cyberspace Introduces Risks for Control Systems Dramatic increases in computer interconnectivity especially in the use of the Internet continue to revolutionize the way our government our nation and much of the world communicate and conduct business The benefits have been enormous Vast amounts of information are now literally at our fingertips facilitating research on virtually every topic imaginable financial and other business transactions can be executed almost instantaneously often 24 hours a day and electronic mail Internet Web sites and computer bulletin boards allow us to communicate quickly and easily with an unlimited number of individuals and groups However this widespread interconnectivity poses significant risks to the government’s and our nation’s computer systems and more important to the critical operations and infrastructures they support For example telecommunications power distribution systems water supplies public Page 3 GAO-04-354 Cybersecurity of Control Systems health services national defense including the military’s warfighting capability law enforcement government services and emergency services all depend on the security of their computer operations If not properly controlled the speed and accessibility that create the enormous benefits of the computer age may allow individuals and organizations to eavesdrop on or interfere with these operations from remote locations for mischievous or malicious purposes including fraud or sabotage Table 1 summarizes the key threats to our nation’s infrastructures as observed by the Federal Bureau of Investigation FBI Table 1 Threats to Critical Infrastructures Observed by the FBI Threat Description Criminal groups There is an increased use of cyber intrusions by criminal groups who attack systems for monetary gain Foreign intelligence services Foreign intelligence services use cyber tools as part of their information gathering and espionage activities Hackers Hackers sometimes crack into networks for the thrill of the challenge or for bragging rights in the hacker community While remote cracking once required a fair amount of skill or computer knowledge hackers can now download attack scripts and protocols from the Internet and launch them against victim sites Thus while attack tools have become more sophisticated they have also become easier to use Hacktivists Hacktivism refers to politically motivated attacks on publicly accessible Web pages or e-mail servers These groups and individuals overload e-mail servers and hack into Web sites to send a political message Information warfare Several nations are aggressively working to develop information warfare doctrine programs and capabilities Such capabilities enable a single entity to have a significant and serious impact by disrupting the supply communications and economic infrastructures that support military power—impacts that according to the Director of Central Intelligence can affect the a daily lives of Americans across the country Insider threat The disgruntled organization insider is a principal source of computer crimes Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a victim system often allows them to gain unrestricted access to cause damage to the system or to steal system data The insider threat also includes outsourcing vendors Virus writers Virus writers are posing an increasingly serious threat Several destructive computer viruses and “worms” have harmed files and hard drives including the Melissa macro virus the Explore Zip worm the CIH Chernobyl virus Nimda and Code Red Source Federal Bureau of Investigation unless otherwise indicated a Prepared statement of George J Tenet Director of Central Intelligence before the Senate Select Committee on Intelligence February 2 2000 Government officials remain concerned about attacks from individuals and groups with malicious intent such as crime terrorism foreign intelligence gathering and acts of war According to the FBI terrorists transnational criminals and intelligence services are quickly becoming Page 4 GAO-04-354 Cybersecurity of Control Systems aware of and using information exploitation tools such as computer viruses Trojan horses worms logic bombs and eavesdropping sniffers that can destroy intercept degrade the integrity of or deny access to data 3 In addition the disgruntled organization insider is a significant threat because these individuals often have knowledge about the organization and its system that allows them to gain unrestricted access and inflict damage or steal assets without knowing a great deal about computer intrusions As larger amounts of money and more sensitive economic and commercial information are exchanged electronically and as the nation’s defense and intelligence communities increasingly rely on standardized information technology IT the likelihood increases that information attacks will threaten vital national interests As the number of individuals with computer skills has increased more intrusion or “hacking” tools have become readily available and relatively easy to use A hacker can download tools from the Internet and literally “point and click” to start an attack Experts agree that there has been a steady advance in the level of sophistication and effectiveness of attack technology Intruders quickly develop attacks to exploit vulnerabilities that have been discovered in products use these attacks to compromise computers and share them with other attackers In addition they can combine these attacks with other forms of technology to develop programs that automatically scan networks for vulnerable systems attack them compromise them and use them to spread the attack even further From 1995 through 2003 the CERT Coordination Center4 CERT CC reported 12 946 security vulnerabilities that resulted from software flaws 3 Virus a program that “infects” computer files usually executable programs by inserting a copy of itself into the file These copies are usually executed when the “infected” file is loaded into memory allowing the virus to infect other files Unlike the computer worm a virus requires human involvement usually unwitting to propagate Trojan horse a computer program that conceals harmful code A Trojan horse usually masquerades as a useful program that a user would wish to execute Worm an independent computer program that reproduces by copying itself from one system to another across a network Unlike computer viruses worms do not require human involvement to propagate Logic bomb in programming a form of sabotage in which a programmer inserts code that causes the program to perform a destructive action when some triggering event occurs such as termination of the programmer’s employment Sniffer synonymous with packet sniffer A program that intercepts routed data and examines each packet in search of specified information such as passwords transmitted in clear text 4 The CERT CC is a center of Internet security expertise at the Software Engineering Institute a federally funded research and development center operated by Carnegie Mellon University Page 5 GAO-04-354 Cybersecurity of Control Systems Figure 1 illustrates the dramatic growth in security vulnerabilities over these years The growing number of known vulnerabilities increases the potential for attacks by the hacker community Attacks can be launched against specific targets or widely distributed through viruses and worms Figure 1 Security Vulnerabilities 1995–2003 Along with these increasing vulnerabilities the number of computer security incidents reported to CERT CC has also risen dramatically—from 9 859 in 1999 to 82 094 in 2002 and to 137 529 in 2003 And these are only the reported attacks The Director of the CERT Centers has estimated that as much as 80 percent of actual security incidents goes unreported in most cases because 1 there were no indications of penetration or attack 2 the organization was unable to recognize that its systems had been penetrated or 3 the organization was reluctant to report Figure 2 shows the number of incidents that were reported to the CERT CC from 1995 through 2003 Page 6 GAO-04-354 Cybersecurity of Control Systems Figure 2 Computer Security Incidents 1995–2003 According to the National Security Agency NSA foreign governments already have or are developing computer attack capabilities and potential adversaries are developing a body of knowledge about U S systems and methods to attack these systems The National Infrastructure Protection Center NIPC reported in January 2002 that a computer belonging to an individual who had indirect links to Osama bin Laden contained computer programs that indicated that the individual was interested in the structural engineering of dams and other water-retaining structures The NIPC report also stated that U S law enforcement and intelligence agencies had received indications that Al Qaeda members had sought information about control systems from multiple Web sites specifically on water supply and wastewater management practices in the United States and abroad Since the terrorist attacks of September 11 2001 warnings of the potential for terrorist cyber attacks against our critical infrastructures have increased For example in his February 2002 statement for the Senate Page 7 GAO-04-354 Cybersecurity of Control Systems Select Committee on Intelligence the Director of Central Intelligence discussed the possibility of a cyber warfare attack by terrorists 5 He stated that the September 11 attacks demonstrated the nation’s dependence on critical infrastructure systems that rely on electronic and computer networks Further he noted that attacks of this nature would become an increasingly viable option for terrorists as they and other foreign adversaries become more familiar with these targets and the technologies required to attack them James Woolsey a former Director of Central Intelligence shares this concern and on October 29 2003 in a speech before several hundred security experts he warned that the nation should be prepared for continued terrorist attacks on our critical infrastructures Moreover a group of concerned scientists warned President Bush in a letter that “the critical infrastructure of the United States including electrical power finance telecommunications health care transportation water defense and the Internet is highly vulnerable to cyber attack Fast and resolute mitigating action is needed to avoid national disaster ” According to a study by a computer security organization during the second half of 2002 the highest rates of global computer attacks were for those aimed at companies that provide critical infrastructures such as power energy and financial services 6 Further a study that surveyed over 170 security professionals and other executives concluded that across industries respondents believe that a large-scale cyber attack in the United States will be launched against their industry by mid-2006 What Are Control Systems Control systems are computer-based systems that are used within many infrastructures and industries to monitor and control sensitive processes and physical functions Typically control systems collect sensor measurements and operational data from the field process and display this information and relay control commands to local or remote equipment In the electric power industry control systems can manage and control the generation transmission and distribution of electric power— for example by opening and closing circuit breakers and setting thresholds for preventive shutdowns Employing integrated control systems the oil and gas industry can control the refining operations at a plant site remotely monitor the pressure and flow of gas pipelines and 5 Testimony of George J Tenet Director of Central Intelligence before the Senate Select Committee on Intelligence February 6 2002 6 Symantec Symantec Internet Security Threat Report Attack Trends for Q3 and Q4 2002 February 2003 Page 8 GAO-04-354 Cybersecurity of Control Systems control the flow and pathways of gas transmission Water utilities can remotely monitor well levels and control the wells’ pumps monitor flows tank levels or pressure in storage tanks monitor water quality characteristics—such as pH turbidity and chlorine residual and control the addition of chemicals Control systems also are used in manufacturing and chemical processing Control systems perform functions that vary from simple to complex they can be used simply to monitor processes— for example the environmental conditions in a small office building—or to manage most activities in a municipal water system or even a nuclear power plant In certain industries such as chemical and power generation safety systems are typically implemented in order to mitigate a potentially disastrous event if control and other systems should fail In addition to guard against both physical attack and system failure organizations may establish backup control centers that include uninterruptible power supplies and backup generators There are two primary types of control systems Distributed Control Systems DCS typically are used within a single processing or generating plant or over a small geographic area Supervisory Control and Data Acquisition SCADA systems typically are used for large geographically dispersed distribution operations For example a utility company may use a DCS to generate power and a SCADA system to distribute it Figure 3 illustrates the typical components of a control system Page 9 GAO-04-354 Cybersecurity of Control Systems Figure 3 Typical Components of a Control System Enterprise network The enterprise network services all of the enterprise's business operations Users on the network typically can access the Internet or business partner networks Enterprises often integrate their control systems with their enterprise networks Firewall Workstations Internet business partners Application server Printer Hub switch Outside world may include vendors customers and other business partners Control System The supervisory control and monitoring station typically contains redundant application servers an engineering workstation and a humanmachine interface HMI that collects and logs information obtained from the remote local stations and sends commands to the remote local stations in response to events detected by the sensors The HMI displays status information including alarms needing operator attention A remote local station contains a remote terminal unit RTU programmable logic controller PLC or other controller that receives and interprets the signals from the sensors and generates corresponding control signals that it transmits to the control equipment Human-machine interface HMI Engineering workstation Supervisory control and monitoring station Redundant application servers Communications network can be the Internet a public switched telephone network a wireless network or a hardwired network Remote local station 1 RTU PLC or other controller Sensor Sensor Control equipment Control equipment Modem Remote local station N A control system may have multiple remote local stations See note RTU PLC or other controller Sensor Sensor Control equipment Control equipment Modem Handheld device Handheld device Source GAO analysis Art Explosion clipart Note Remote local stations can include one or more interfaces to allow field operators to perform diagnostic and maintenance operations Sensors can measure level pressure flow current voltages etc depending on the infrastructure Control equipment can be valves pumps relays circuit breakers etc also depending on the infrastructure A control system typically is made up of a “master” or central supervisory control and monitoring station consisting of one or more human-machine interfaces where an operator can view status information about the remote local sites and issue commands directly to the system Typically Page 10 GAO-04-354 Cybersecurity of Control Systems this station is located at a main site along with application servers and an engineering workstation that is used to configure and troubleshoot the other components of the control system The supervisory control and monitoring station typically is connected to local controller stations through a hard-wired network or to a remote controller station through a communications network—which could be the Internet a public switched telephone network or a cable or wireless e g radio microwave or Wi-Fi7 network Each controller station has a remote terminal unit RTU a programmable logic controller PLC or some other controller that communicates with the supervisory control and monitoring station The control system also includes sensors and control equipment that connect directly with the working components of the infrastructure—for example pipelines water towers or power lines The sensor takes readings from the infrastructure equipment—such as water or pressure levels electrical voltage or current—and sends a message to the controller The controller may be programmed to determine a course of action and send a message to the control equipment instructing it what to do—for example to turn off a valve or dispense a chemical If the controller is not programmed to determine a course of action the controller communicates with the supervisory control and monitoring station and relays instructions back to the control equipment The control system also can be programmed to issue alarms to the operator when certain conditions are detected Handheld devices such as personal digital assistants can be used to locally monitor controller stations Experts report that technologies in controller stations are becoming more intelligent and automated and are able to communicate with the supervisory central monitoring and control station less frequently thus requiring less human intervention Control Systems Are at Increasing Risk Historically security concerns about control systems were related primarily to protecting them against physical attack and preventing the misuse of refining and processing sites or distribution and holding facilities However more recently there has been a growing recognition that control systems are now vulnerable to cyber attacks from numerous sources including hostile governments terrorist groups disgruntled employees and other malicious intruders 7 Wi-Fi short for wireless fidelity is the popular term for a high-frequency wireless local area network Page 11 GAO-04-354 Cybersecurity of Control Systems In October 1997 the President’s Commission on Critical Infrastructure Protection discussed the potential damaging effects on the electric power and oil and gas industries of successful attacks on control systems 8 Moreover in 2002 the National Research Council identified “the potential for attack on control systems” as requiring “urgent attention ”9 In the first half of that year security experts reported that 70 percent of energy and power companies experienced at least one severe cyber attack In February 2003 the President clearly demonstrated concern about “the threat of organized cyber attacks capable of causing debilitating disruption to our Nation’s critical infrastructures economy or national security ” noting that “disruption of these systems can have significant consequences for public health and safety” and emphasizing that the protection of control systems has become “a national priority ”10 Several factors have contributed to the escalation of risk to control systems including 1 the adoption of standardized technologies with known vulnerabilities 2 the connectivity of control systems to other networks 3 insecure remote connections and 4 the widespread availability of technical information about control systems Control Systems Are Adopting Standardized Technologies with Known Vulnerabilities In the past proprietary hardware software and network protocols made it difficult to understand how control systems operated—and therefore how to hack into them Today however to reduce costs and improve performance organizations have been transitioning from proprietary systems to less expensive standardized technologies such as Microsoft’s Windows Unix-like operating systems and the common networking protocols used by the Internet These widely-used standardized technologies have commonly known vulnerabilities and sophisticated and effective exploitation tools are widely available and relatively easy to use As a consequence both the number of people with the knowledge to wage attacks and the number of systems subject to attack have increased Also common communication protocols and the emerging use of extensible markup language commonly referred to as XML can make it easier for a 8 President’s Commission on Critical Infrastructure Protection Critical Foundations Protecting America’s Infrastructures Washington D C October 1997 9 The National Research Council Making the Nation Safer the Role of Science and Technology in Countering Terrorism Washington D C December 2002 10 The White House The National Strategy to Secure Cyberspace Washington D C February 2003 Page 12 GAO-04-354 Cybersecurity of Control Systems hacker to interpret the content of communications among the components of a control system Control Systems Are Connected to Other Networks Enterprises often integrate their control systems with their enterprise networks This increased connectivity has significant advantages including providing decision makers with access to real-time information and allowing engineers to monitor and control the process control system from different points on the enterprise network In addition the enterprise networks are often connected to the networks of strategic partners and to the Internet Furthermore control systems are increasingly using wide area networks and the Internet to transmit data to their remote or local stations and individual devices This convergence of control networks with public and enterprise networks potentially creates further security vulnerabilities in control systems Unless appropriate security controls are deployed in both the enterprise network and the control system network breaches in enterprise security can affect the operation of control systems Insecure Connections Exacerbate Vulnerabilities Vulnerabilities in control systems are exacerbated by insecure connections Organizations often leave access links—such as dial-up modems to equipment and control information—open for remote diagnostics maintenance and examination of system status If such links are not protected with authentication or encryption the risk increases that hackers could use these insecure connections to break into remotely controlled systems Also control systems often use wireless communications systems which are especially vulnerable to attack or leased lines that pass through commercial telecommunications facilities Without encryption to protect data as it flows through these insecure connections or authentication mechanisms to limit access there is little to protect the integrity of the information being transmitted Information about Infrastructures and Control Systems Is Publicly Available Public information about infrastructures and control systems is readily available to potential hackers and intruders The availability of this infrastructure and vulnerability data was demonstrated last year by a George Mason University graduate student who in his dissertation reportedly mapped every business and industrial sector in the American economy to the fiber-optic network that connects them using material that was available publicly on the Internet—and not classified In the electric power industry open sources of information—such as product data and educational videotapes from engineering associations— Page 13 GAO-04-354 Cybersecurity of Control Systems can be used to understand the basics of the electrical grid Other publicly available information—including filings of the Federal Energy Regulatory Commission FERC industry publications maps and material available on the Internet—is sufficient to allow someone to identify the most heavily loaded transmission lines and the most critical substations in the power grid Many of the electric utility officials who were interviewed for the National Security Telecommunications Advisory Committee’s Information Assurance Task Force’s Electric Power Risk Assessment expressed concern over the amount of information about their infrastructure that is readily available to the public In addition significant information on control systems is publicly available—including design and maintenance documents technical standards for the interconnection of control systems and RTUs and standards for communication among control devices—all of which could assist hackers in understanding the systems and how to attack them Moreover there are numerous former employees vendors support contractors and other end users of the same equipment worldwide who have inside knowledge about the operation of control systems Security experts have stated that an individual with very little knowledge of control systems could gain unauthorized access to a control system with the use of a port scanning tool and a factory manual that can be easily found on the Internet and that contains the system’s default password As noted in the following discussion many times these default passwords are never changed Cyber Threats to Control Systems There is a general consensus—and increasing concern—among government officials and experts on control systems about potential cyber threats to the control systems that govern our critical infrastructures As components of control systems increasingly make vital decisions that were once made by humans the potential effect of a cyber attack becomes more devastating Cyber threats could come from numerous sources ranging from hostile governments and terrorist groups to disgruntled employees and other malicious intruders Based on interviews and discussions with representatives from throughout the electric power industry the Information Assurance Task Force of the National Security Telecommunications Advisory Committee concluded that an organization with sufficient resources such as a foreign intelligence service or a wellsupported terrorist group could conduct a structured attack on the electric power grid electronically with a high degree of anonymity and without having to set foot in the target nation Page 14 GAO-04-354 Cybersecurity of Control Systems In July 2002 NIPC reported that the potential for compound cyber and physical attacks referred to as “swarming attacks ” is an emerging threat to the critical infrastructure of the United States As NIPC reports the effects of a swarming attack include slowing or complicating the response to a physical attack For instance a cyber attack that disabled the water supply or the electrical system in conjunction with a physical attack could deny emergency services the necessary resources to manage the consequences of the physical attack—such as controlling fires coordinating response and generating light According to the National Institute of Standards and Technology NIST cyber attacks on energy production and distribution systems—including electric oil gas and water treatment as well as on chemical plants containing potentially hazardous substances—could endanger public health and safety damage the environment and have serious financial implications such as loss of production generation or distribution by public utilities compromise of proprietary information or liability issues When backups for damaged components are not readily available e g extra-high-voltage transformers for the electric power grid such damage could have a long-lasting effect Control Systems Can Be Vulnerable to Cyber Attacks Entities or individuals with malicious intent might take one or more of the following actions to successfully attack control systems • disrupt the operation of control systems by delaying or blocking the flow of information through control networks thereby denying availability of the networks to control system operators • make unauthorized changes to programmed instructions in PLCs RTUs or DCS controllers change alarm thresholds or issue unauthorized commands to control equipment which could potentially result in damage to equipment if tolerances are exceeded premature shutdown of processes such as prematurely shutting down transmission lines or even disabling control equipment • send false information to control system operators either to disguise unauthorized changes or to initiate inappropriate actions by system operators • modify the control system software producing unpredictable results and • interfere with the operation of safety systems Page 15 GAO-04-354 Cybersecurity of Control Systems In addition in control systems that cover a wide geographic area the remote sites often are not staffed and may not be physically monitored If such remote systems are physically breached attackers could establish a cyber connection to the control network Department of Energy DOE and industry researchers have speculated on how the following potential attack scenario could affect control systems in the electricity sector Using war dialers11 to find modems connected to the programmable circuit breakers of the electric power control system hackers could crack passwords that control access to the circuit breakers and could change the control settings to cause local power outages and even damage equipment A hacker could lower settings from for example 500 amperes12 to 200 on some circuit breakers normal power usage would then activate or “trip ” the circuit breakers taking those lines out of service and diverting power to neighboring lines If at the same time the hacker raised the settings on these neighboring lines to 900 amperes circuit breakers would fail to trip at these high settings and the diverted power would overload the lines and cause significant damage to transformers and other critical equipment The damaged equipment would require major repairs that could result in lengthy outages Control system researchers at DOE’s national laboratories have developed systems that demonstrate the feasibility of a cyber attack on a control system at an electric power substation where high-voltage electricity is transformed for local use Using tools that are readily available on the Internet they are able to modify output data from field sensors and take control of the PLC directly in order to change settings and create new output These techniques could enable a hacker to cause an outage thus incapacitating the substation Experts in the water industry consider control systems to be among the primary vulnerabilities of drinking water systems A technologist from the water distribution sector has demonstrated how an intruder could hack into the communications channel between the control center of a water distribution pump station and its remote units located at water storage and pumping facilities to either block messages or send false commands to the remote units Moreover experts are concerned that terrorists could 11 War dialers are simple personal computer programs that dial consecutive phone numbers looking for modems 12 An ampere is a unit of measurement for electric current Page 16 GAO-04-354 Cybersecurity of Control Systems for example trigger a cyber attack to release harmful amounts of water treatment chemicals such as chlorine into the public’s drinking water Cyber Attacks on Control Systems Have Been Reported Experts in control systems have verified numerous incidents that have affected control systems Reported attacks include the following • In 1994 the computer system of the Salt River Project a major water and electricity provider in Phoenix Arizona was breached • In March 1997 a teenager in Worcester Massachusetts remotely disabled part of the public switching network disrupting telephone service for 600 residents and the fire department and causing a malfunction at the local airport • In the spring of 2000 a former employee of an Australian company that develops manufacturing software applied for a job with the local government but was rejected Over a 2-month period the disgruntled rejected employee reportedly used a radio transmitter on as many as 46 occasions to remotely hack into the controls of a sewage treatment system and ultimately release about 264 000 gallons of raw sewage into nearby rivers and parks • In the spring of 2001 hackers mounted an attack on systems that were part of a development network at the California Independent System Operator a facility that is integral to the movement of electricity throughout the state • In August 2003 the Nuclear Regulatory Commission confirmed that in January 2003 the Microsoft SQL Server worm—otherwise known as Slammer—infected a private computer network at the Davis-Besse nuclear power plant in Oak Harbor Ohio disabling a safety monitoring system for nearly 5 hours In addition the plant’s process computer failed and it took about 6 hours for it to become available again Slammer reportedly also affected communications on the control networks of at least five other utilities by propagating so quickly that control system traffic was blocked In addition in 1997 the Department of Defense DOD undertook the first systematic exercise to determine the nation’s and DOD’s vulnerability to cyberwar During a 2-week military exercise known as Eligible Receiver staff from NSA used widely available tools to show how to penetrate the control systems that are associated with providers of electric power to DOD installations Other assessments of control systems at DOD Page 17 GAO-04-354 Cybersecurity of Control Systems installations have demonstrated vulnerabilities and identified risks in the installations’ network and operations Securing Control Systems Poses Significant Challenges The control systems community faces several challenges to securing control systems against cyber threats These challenges include 1 the limitations of current security technologies in securing control systems 2 the perception that securing control systems may not be economically justifiable and 3 the conflicting priorities within organizations regarding the security of control systems Lack of Specialized Security Technologies for Control Systems According to industry experts existing security technologies as well as strong user authentication and patch management practices are generally not implemented in control systems because control systems usually have limited processing capabilities operate in real time and are typically not designed with cybersecurity in mind Existing security technologies such as authorization authentication encryption intrusion detection and filtering of network traffic and communications require more bandwidth processing power and memory than control system components typically have Controller stations are generally designed to do specific tasks and they often use low-cost resource-constrained microprocessors In fact some control system devices still use the Intel 8088 processor which was introduced in 1978 Consequently it is difficult to install current security technologies without seriously degrading the performance of the control system For example complex passwords and other strong password practices are not always used to prevent unauthorized access to control systems in part because this could hinder a rapid response to safety procedures during an emergency As a result according to experts weak passwords that are easy to guess shared and infrequently changed are reportedly common in control systems including the use of default passwords or even no password at all In addition although modern control systems are based on standard operating systems they are typically customized to support control system applications Consequently vendor-provided software patches may be either incompatible with the customized version of the operating system or difficult to implement without compromising service by shutting down “always-on” systems or affecting interdependent operations Another constraint on deploying patches is that support agreements with control Page 18 GAO-04-354 Cybersecurity of Control Systems system vendors often require the vendor’s approval before the user can install patches If a patch is installed in violation of the support agreement the vendor will not take responsibility for potential impacts on the operations of the system Moreover because a control system vendor often requires that it be the sole provider of patches if the vendor delays in providing patches systems remain vulnerable without recourse Information security organizations have noted that a gap exists between currently available security technologies and the need for additional research and development to secure control systems Research and development in a wide range of areas could lead to more effective technologies For example although technologies such as robust firewalls and strong authentication can be employed to better segment control systems from external networks research and development could help to address the application of security technologies to the control systems themselves Other areas that have been noted for possible research and development include identifying the types of security technologies needed for different control system applications determining acceptable performance trade-offs and recognizing attack patterns for use in intrusion detection systems Industry experts have identified challenges in migrating system components to newer technologies while maintaining uninterrupted operations Upgrading all the components of a control system can be a lengthy process and the enhanced security features of newly installed technologies—such as their ability to interpret encrypted messages—may not be able to be fully utilized until all devices in the system have been replaced and the upgrade is complete Securing Control Systems May Not Be Perceived as Economically Justifiable Experts and industry representatives have indicated that organizations may be reluctant to spend more money to secure control systems Hardening the security of control systems would require industries to expend more resources including acquiring more personnel providing training for personnel and potentially prematurely replacing current systems which typically have a lifespan of about 20 years Several vendors suggested that since there have been no reports of significant disruptions caused by cyber attacks on U S control systems industry representatives believe the threat of such an attack is low While incidents have occurred to date there is no formalized process for collecting and analyzing information about control systems incidents thus further contributing to the skepticism of control systems vendors We have Page 19 GAO-04-354 Cybersecurity of Control Systems previously recommended that the government work with the private sector to improve the quality and quantity of information being shared among industries and government about attacks on the nation’s critical infrastructures 13 As we discuss in appendix II establishing such a process is currently under study Until industry users of control systems have a business case to justify why additional security is needed there may be little market incentive for the private sector to develop and implement more secure control systems We have previously reported that consideration of further federal government efforts is needed to provide appropriate incentives for nonfederal entities to enhance their efforts to implement CIP—including protection of control systems Without appropriate consideration of public policy tools such as regulation grants and tax incentives private-sector participation in sector-related CIP efforts may not reach its full potential 14 Organizational Priorities Conflict Finally several experts and industry representatives indicated that the responsibility for securing control systems typically includes two separate groups 1 IT security personnel and 2 control system engineers and operators IT security personnel tend to focus on securing enterprise systems while control system engineers and operators tend to be more concerned with the reliable performance of their control systems These experts indicate that as a result those two groups do not always fully understand each other’s requirements and so may not collaborate to implement secure control systems These conflicting priorities may perpetuate a lack of awareness of IT security strategies that could be deployed to mitigate the vulnerabilities of control systems without affecting their performance Although research and development will be necessary to develop technologies to secure individual control system devices existing IT security technologies and approaches could be implemented as part of a secure enterprise architecture to protect the perimeters of and access to control system networks Existing IT security technologies include firewalls intrusion- 13 U S General Accounting Office Critical Infrastructure Protection Challenges for Selected Agencies and Industry Sectors GAO-03-233 Washington D C Feb 28 2003 14 U S General Accounting Office Homeland Security Information Sharing Responsibilities Challenges and Key Management Issues GAO-03-1165T Washington D C Sept 17 2003 Page 20 GAO-04-354 Cybersecurity of Control Systems detection systems encryption authentication and authorization IT security approaches include segmenting control system networks and testing continuity plans to ensure safe and continued operation To reduce the vulnerabilities of its control system officials from one company formed a team composed of IT staff process control engineers and manufacturing employees This team worked collaboratively to research vulnerabilities and to test fixes and workarounds Efforts to Strengthen the Cybersecurity of Control Systems Under Way but Lack Adequate Coordination Government academia and private industry have independently initiated multiple efforts and programs focused on some of the key areas that should be addressed to strengthen the cybersecurity of control systems Appendix II describes initiatives to secure control systems in greater detail These key areas—and illustrative examples of ongoing efforts in these areas—include the following • Research and development of new security technologies to protect control systems Both federal and nonfederal entities have initiated efforts to develop encryption methods for securing communications on control system networks and field devices Moreover DOE is planning to establish a National SCADA Test Bed to test control system vulnerabilities • Development of requirements and standards for control system security Several entities are working to develop standards that increase the security of control systems The Process Controls Security Requirements Forum PCSRF established by NIST and NSA is working to define a common set of information security requirements for control systems In addition the North American Electric Reliability Council NERC is preparing to draft a standard that will include security requirements for control systems • Increased awareness of security and sharing of information about the implementation of more secure architectures and existing security technologies To promote awareness of control system vulnerabilities DOE has created security programs trained teams to conduct security reviews and developed cybersecurity courses The Instrumentation Systems and Automation Society ISA has reported on the known state of the art of cybersecurity technologies as they are applied to the control systems environment to clearly define what technologies can currently be deployed Page 21 GAO-04-354 Cybersecurity of Control Systems • Implementation of effective security management programs including policies and guidance that consider control system security Both federal and nonfederal entities have developed guidance to mitigate the security vulnerabilities of control systems DOE’s 21 Steps to Improve Cyber Security of SCADA Networks provides guidance for improving the security of control systems and establishing underlying management processes and policies to help organizations improve the security of control system networks In previous reports we have recommended the development of a comprehensive and coordinated national plan to facilitate the federal government’s CIP efforts This plan should clearly delineate the roles and responsibilities of federal and nonfederal CIP entities define interim objectives and milestones set time frames for achieving objectives and establish performance measures The President in his homeland security strategies and Congress in enacting the Homeland Security Act designated DHS as responsible for developing a comprehensive national infrastructure plan The plan is expected to inform DHS on budgeting and planning for CIP activities and on how to use policy instruments to coordinate among government and private entities to raise the security of our national infrastructures to appropriate levels According to Homeland Security Presidential Directive 7 HSPD 7 issued December 17 2003 DHS is to develop this formalized plan by December 2004 In February 2003 the President’s National Strategy to Secure Cyberspace established a role for DHS to coordinate with other government agencies and the private sector to improve the cybersecurity of control systems DHS’s recommended role includes • ensuring that there is broad awareness of the vulnerabilities in control systems and the consequences of exploiting these vulnerabilities • developing best practices and new technologies to strengthen the security of control systems and • identifying the nation’s most critical control system sites and developing a prioritized plan for ensuring cyber security at those sites In addition the President’s strategy recommends that DHS work with the private sector to promote voluntary standards efforts and the creation of security policy for control systems Page 22 GAO-04-354 Cybersecurity of Control Systems DHS recently began to focus on the range of activities that are under way among the numerous entities that are working to address these areas In October 2003 DHS’s Science and Technology Directorate initiated a study to determine the current state of security of control systems In December 2003 DHS established the Control Systems Section within the Protective Security Division of its Information Analysis and Infrastructure Protection IAIP Directorate The objectives of this section are to identify computercontrolled systems that are vital to infrastructure functions evaluate the potential threats to these systems and develop strategies that mitigate the consequences of attacks In addition IAIP’s National Cyber Security Division NCSD is currently planning to develop a methodology for conducting cyber assessments across all critical infrastructures including control systems The objectives of this effort include defining specific goals for the assessments and based on their results developing sectorspecific recommendations to mitigate vulnerabilities They also plan to examine processes technology and available policy procedures and guidance Because these efforts have only recently been initiated DHS has not yet developed a strategy for implementing the functions mentioned above As previously discussed many government and nongovernment entities are spearheading various initiatives to address the challenge of implementing cybersecurity for the vital systems that operate our nation’s critical infrastructures While some coordination is occurring both federal and nonfederal control systems experts have expressed their concern that these efforts are not being adequately coordinated among government agencies the private sector and standards-setting bodies DHS’s coordination of these efforts could accelerate the development and implementation of more secure systems to manage our critical infrastructures In contrast insufficient coordination could contribute to • delays in the general acceptance of security requirements and the adoption of successful practices for control systems • failure to address gaps in the research and development of technologies to better secure control systems • impediments to standards-creating efforts across industries that could lead to less expensive technological solutions and • reduced opportunities for efficiency that could be gained by leveraging ongoing work Page 23 GAO-04-354 Cybersecurity of Control Systems Conclusions The systems that monitor and control the sensitive processes and physical functions of the nation’s critical infrastructures are at increasing risk from threats of cyber attacks Securing these systems poses significant challenges Numerous federal agencies critical infrastructure sectors and standards-creating bodies are leading various initiatives to address these challenges While some coordination is occurring the cybersecurity of our critical infrastructures’ control systems could benefit from greater collaboration among all entities DHS’s implementation of its responsibilities outlined in the National Strategy to Secure Cyberspace as well as the coordination of ongoing efforts among the government industries and standards-creating bodies could accelerate progress in securing these critical systems Recommendation for Executive Action We recommend that the Secretary of the Department of Homeland Security develop and implement a strategy for coordinating with the private sector and other government agencies to improve control system security including an approach for coordinating the various ongoing efforts to secure control systems This strategy should also be addressed in the comprehensive national infrastructure plan that the department is tasked to complete by December 2004 Agency Comments DHS’s Under Secretary for IAIP transmitted the department’s written comments on a draft of this report see app III In his written comments the Under Secretary concurred with our recommendation and stated that DHS agrees that improving the security of control systems against cyberattack is a high priority He stated that DHS has engaged with the private sector academia and other government entities on this matter as required by HSPD 7 The Under Secretary further noted that DHS is utilizing IAIP’s Protective Services Division and NCSD collectively to address both the physical and cyber aspects of control systems security We also received technical comments from DHS that we have incorporated into the report as appropriate As agreed with your staff unless you publicly announce the contents of this report earlier we plan no further distribution of it until 30 days from the date of this report At that time we will send copies of this report to other interested congressional committees and the heads of the agencies discussed in this report as well as to the private-sector participants and other relevant agencies We will also make copies available to others upon Page 24 GAO-04-354 Cybersecurity of Control Systems request In addition the report will be available at no charge on the GAO Web site at http www gao gov Should you or your offices have questions on matters discussed in this report please contact me at 202 512-3317 or Elizabeth Johnston Assistant Director at 202 512-6345 We can also be reached by e-mail at daceyr@gao gov or johnstone@gao gov respectively Key contributors to this report were Shannin Addison Joanne Fiorino Alison Jacobs and Tracy Pierson Robert F Dacey Director Information Security Issues Page 25 GAO-04-354 Cybersecurity of Control Systems Appendix I Objectives Scope and Methodology Appendix I Objectives Scope and Methodology Our objectives were to assess 1 the significant cybersecurity risks associated with control systems 2 potential and reported cyber attacks against these systems 3 key challenges to securing control systems and 4 efforts to strengthen the cybersecurity of control systems We analyzed research studies and reports as well as prior GAO reports and testimonies on critical infrastructure protection CIP information security and national preparedness among others to obtain information regarding the risks and vulnerabilities of control systems We analyzed documents from and met with manufacturers users and federal officials with expertise in control systems and their security to identify the challenges to securing control systems Finally we analyzed documents from and met with representatives from control systems manufacturing companies industry users and federal officials from the Departments of Homeland Security Defense and Energy to identify ongoing initiatives to strengthen the security of control systems We also reviewed and analyzed technical reports by standards groups to assess the status of efforts to develop guidance and standards for securing control systems Our work was conducted from July 2003 to December 2003 in accordance with generally accepted government auditing standards Page 26 GAO-04-354 Cybersecurity of Control Systems Appendix II Initiatives to Address Cybersecurity Challenges of Control Systems Appendix II Initiatives to Address Cybersecurity Challenges of Control Systems Following are key initiatives that are aimed at strengthening the security of control systems They are led by government academia and private industry Department of Homeland Security The Department of Homeland Security DHS has created a National Cyber Security Division NCSD within its Information Analysis and Infrastructure Protection IAIP Directorate to identify analyze and reduce cyber threats and vulnerabilities disseminate threat warning information coordinate incident response and provide technical assistance in continuity of operations and recovery planning IAIP coordinates the federal government’s initiatives on critical infrastructure assurance and promotes national outreach and awareness campaigns about CIP On the basis of work conducted by the U S -Canada Power Outage Task Force NCSD is currently in the process of creating a series of recommended preventive measures to better secure the control systems that manage North America’s electric power grid In October 2003 DHS’s Science and Technology Directorate S T initiated a study of the nation’s critical infrastructures to determine which sectors use control systems what cybersecurity risks they face and which industry players are focusing on mitigating these risks The study which focuses on control system security will reach out to two or three representatives from each sector in an attempt to determine what items to include in DHS S T’s research agenda In addition S T recently issued a solicitation to small businesses seeking research proposals for projects focusing on securing control systems The objectives of this program will be to 1 develop a concept and formal design to better protect SCADA systems by reducing their vulnerabilities to cyber and physical attacks across industry sectors 2 test the design and 3 refine the design and perform qualification tests to validate the design and its performance In December 2003 DHS established the Control Systems Section within the Protective Security Division of its IAIP Directorate The objectives of this section are to identify computer-controlled systems that are vital to critical infrastructure functions evaluate the potential threats to these systems and develop strategies that can mitigate the consequences of attacks IAIP’s NCSD is currently planning to develop a methodology for conducting cyber assessments across all critical infrastructures including control systems The objectives of this effort include defining specific goals for the assessments and based on results developing sector-specific Page 27 GAO-04-354 Cybersecurity of Control Systems Appendix II Initiatives to Address Cybersecurity Challenges of Control Systems recommendations to mitigate vulnerabilities NCSD also plans to examine processes technology and available policy procedures and guidance NCSD has identified a number of its additional efforts including recently hiring personnel with expertise in control systems Department of Defense The Department of Defense’s DOD Joint Program Office for Special Technology Countermeasures JPO-STC has performed vulnerability assessments on control systems including the areas of awareness integration physical testing analytic testing and analysis JPO-STC coordinates its assessments with those performed by the U S Army’s First Information Operations Command The Army’s assessments are conducted as part of installation assessments to 1 analyze potential risks to the installation network from SCADA infrastructures and 2 assess the vulnerabilities of SCADA systems that could negatively affect installation operations Department of Energy Under the sponsorship of the Department of Energy’s DOE Office of Energy Assurance OEA the National Laboratories have conducted studies of the vulnerabilities of the control systems that are used in the nation’s critical infrastructures and they have developed guidance to help mitigate some of these vulnerabilities In September 2002 DOE and the President’s Critical Infrastructure Protection Board released 21 Steps to Improve Cyber Security of SCADA Networks These steps provide guidance for improving the security of control systems and establishing underlying management processes and policies to help organizations improve the security of their control networks Moreover OEA is creating the DOE Critical Infrastructure Security Standards Working Group to accelerate the implementation and quality of security standards for those systems that control the energy infrastructure This working group is also charged with the responsibility of facilitating coordinating leveraging influencing and leading industrial and government standards-setting activities We describe in the next section the specific activities related to securing control systems that DOE sponsors at the National Laboratories Page 28 GAO-04-354 Cybersecurity of Control Systems Appendix II Initiatives to Address Cybersecurity Challenges of Control Systems Idaho National Engineering and Environmental Laboratory Sandia National Laboratories and National Energy Technology Laboratory Plans are under way to establish the National SCADA Test Bed which will be used to facilitate research by testing control system vulnerabilities and proposed hardware and software security features By teaming with industry the test bed is expected to become a full-scale infrastructure testing facility for control systems that will allow for testing and validating industry products including computer controls communications and field systems developing new tools to determine the vulnerabilities of control systems and testing new standards and protocols Initially focused on the electricity sector the test bed will now also include the oil and natural gas pipelines sectors There are plans to include other federal agencies in test bed activities in the future Funding constraints have delayed the implementation of the initial phases of the plans Pacific Northwest National Laboratory According to DOE the Pacific Northwest National Laboratory PNNL has been integrally involved since 1994 in DOE activities that are associated with CIP―including leading an Electric Power Research Institute research project to characterize the cybersecurity of electric utility systems providing technical input to the President’s Commission on Critical Infrastructure Protection in 1996 starting a multilaboratory vulnerability assessment program in 1997 and participating on the DOE Critical Infrastructure Protection Task Force in 1998 These efforts draw from expertise working with the electric utility industry which was later embodied in the formation of the North American Electric Reliability Council NERC Critical Infrastructure Protection Forum in 2000 PNNL supports a variety of clients that are involved in the security of control systems Sandia National Laboratories For the last six years Sandia has been involved in various activities to address the security of control systems in our critical infrastructures Laboratory employees are creating methodologies for assessing risks and have performed vulnerability assessments of control systems within the electric power oil and gas transportation water wastewater nuclear power and manufacturing industries To promote awareness of control system vulnerabilities Sandia’s staff has created security programs trained teams to conduct security reviews developed a threat scenario demonstration system and developed cybersecurity courses to train those involved in the operation and protection of critical infrastructures Sandia is also working with standards bodies to include information security in communications protocols Page 29 GAO-04-354 Cybersecurity of Control Systems Appendix II Initiatives to Address Cybersecurity Challenges of Control Systems At Sandia’s SCADA Security Development Laboratory industry can test and improve the security of its SCADA architectures systems and components Sandia also has initiatives under way to advance technologies that strengthen control systems through the use of intrusion detection encryption authentication secure protocols system and component vulnerability analysis secure architecture design and analysis and intelligent self-healing infrastructure technology Argonne National Laboratory According to DOE staff at Argonne National Laboratory ANL are conducting vulnerability assessments of control systems in the oil and gas industry ANL is also developing a database that includes information from the vendor and user communities in the various energy sectors regarding the different control system operating systems and it is evaluating these operating systems to determine their vulnerabilities The lab is cataloguing various control system failures and their impacts and evaluating them for correlations in order to gather requirements that can be turned into solutions Los Alamos National Laboratory In collaboration with Sandia Los Alamos has established the National Infrastructure Simulation and Analysis Center which provides modeling and simulation capabilities for the analysis of critical infrastructures including the electricity oil and gas sectors Under the Homeland Security Act the functions of the center were transferred to DHS Environmental Protection Agency Sandia National Laboratories has also collaborated with the Environmental Protection Agency EPA and industry groups to develop a risk assessment methodology for assessing the vulnerability of water systems in major U S cities In June 2000 the American Water Works Association Research Foundation in collaboration with Sandia began a project to develop a vulnerability assessment methodology for utilities to use to assess the physical and cyber vulnerabilities of their infrastructures and develop plans to minimize the risks they identify The first version of the Risk Assessment Methodology–Water RAM-W was released in November 2001 In addition EPA has provided vulnerability assessment training to many water utilities In accordance with EPA’s water security strategy security Page 30 GAO-04-354 Cybersecurity of Control Systems Appendix II Initiatives to Address Cybersecurity Challenges of Control Systems vulnerability self-assessment guides for systems serving fewer than 100 000 people have been issued All water systems serving more than 3 300 users are required by law1 to conduct assessments of their water facilities against the threat of sabotage or other malicious acts These water systems are also required to prepare or revise an emergency response plan incorporating the results of the assessment within 6 months of its completion EPA is responsible for ensuring that the water systems have met these requirements Food and Drug Administration In August of 1997 part 11 of Title 21 of the Code of Federal Regulations 21 CFR part 11 became effective It provides criteria for the use of electronic records and electronic signatures in complying with the Food and Drug Administration’s FDA reporting requirements for all agencies covered by FDA In addition the regulations require companies to limit system access to authorized individuals use authority checks and enforce appropriate controls over systems documentation The food and pharmaceutical industries use control systems in their manufacturing processes—for example to track information about products including histories of operator actions process measurement raw materials used and equipment status and to generate reports based on this information Therefore to ensure the security of this vital information 21 CFR part 11 requires the authentication of electronic signatures and electronic records in systems used in these industries including control systems 1 The Public Health Security and Bioterrorism Preparedness and Response Act of 2002 P L 107-188 June 12 2002 amended the Safe Drinking Water Act to require each community water system serving more than 3 300 individuals to conduct an assessment of the system’s vulnerability to terrorist attacks or other deliberate acts to compromise a safe and dependable drinking water supply Under the law EPA is to develop protocols to protect the assessments from unauthorized disclosure The law also establishes deadlines based on system size for these systems to certify to EPA that they have conducted a vulnerability assessment and to submit to EPA a copy of the assessment Page 31 GAO-04-354 Cybersecurity of Control Systems Appendix II Initiatives to Address Cybersecurity Challenges of Control Systems National Institute of Standards and Technology and National Security Agency The National Institute of Standards and Technology NIST and the National Security Agency NSA have organized the Process Controls Security Requirements Forum PCSRF to establish security specifications that can be used in the procurement development and retrofit of industrial control systems PCSRF’s membership includes representatives from the water electric chemical and petrochemical industries U S government laboratories and organizations and vendors of control systems PCSRF’s immediate goal is to increase the security of control systems through the definition and application of a common set of information security requirements for these systems This work will be based on NIST’s and NSA’s work to develop the Common Criteria standard ISO 15408 for IT security evaluation In addition the forum has created and is currently using a process control cybersecurity test bed to validate standards for control system security The forum also plans to develop protection profiles from the security requirements that new industrial control systems and equipment will be built to PCSRF is working to collaborate with other existing activities such as the Instrumentation Systems and Automation Society’s efforts to establish standards and recommended practices for implementing secure control systems Technical Support Working Group The multiagency Technical Support Working Group TSWG is supporting several projects that are aimed at enhancing the securing of control systems One project the SCADA Security Kit would develop a self-help security kit e g checklist and operator guide and a CD video training program This project has been approved but it is not yet funded In addition TSWG continues to sponsor the work being conducted by the gas industry to develop an encryption standard which we discuss in more detail later TSWG is also working with DHS DOE and NIST to further develop aspects of the National Test Bed National Science Foundation The National Science Foundation NSF is studying research and development areas related to the security of control systems in order to decide which ones to pursue In September 2002 NSF in collaboration with the White House Office of Science and Technology Policy organized a workshop to gather industry input about long-term research needs for CIP A particular focus of the workshop was on securing control systems Participants from academia industry and government conducted a research needs assessment of Page 32 GAO-04-354 Cybersecurity of Control Systems Appendix II Initiatives to Address Cybersecurity Challenges of Control Systems security technologies The recommendations resulting from this workshop are expected to lead to a research and development road map for secure control systems Examples of topics in this road map are 1 architectures and systems concepts for authority management and 2 adaptation of security technologies such as encryption authentication and intrusion detection for real-time control In October 2003 NSF sponsored a workshop to explore the information infrastructure vulnerabilities of control systems The workshop brought together a multidisciplinary team of experts on SCADA and IT from industry academia and government to identify both the near-term technology solutions and the longer-term research needed to secure the nation’s infrastructure The output of the workshop is a set of four prioritized cross-cutting research and development topics 1 standards and methodology 2 modeling and analysis 3 next generation platforms and 4 automated sensing of infrastructure anomalies In addition follow-on activities were recommended to drive the development solutions and their transfer to our critical infrastructures Finally on December 3 2003 NSF announced a new program that will fund up to three research center-level collaborations between industry and academia as well as individual and team awards to foster ideas and train people in cybersecurity to protect the nation’s critical infrastructures National Academies The National Academies established a committee of the nation’s top engineering medical scientific and policy experts to help the federal government use science and technology strategically to develop a counterterrorism program plan Shortly after the September 11 attacks the committee began identifying current threats to the United States researching the most common vulnerabilities to these threats and determining strategic opportunities for science and technology to contribute to combating terrorism in both the short and long terms The committee’s study evolved into the report Making the Nation Safer the Role of Science and Technology in Countering Terrorism published in September 2002 Page 33 GAO-04-354 Cybersecurity of Control Systems Appendix II Initiatives to Address Cybersecurity Challenges of Control Systems Interagency Working Group on Information Technology Research and Development In November 2002 the Interagency Working Group on Information Technology Research and Development IT R D of the National Science and Technology Council Executive Office of the President charged the Networking and IT R D Grand Challenges Task Force with identifying a set of science engineering and societal challenges that will require innovations in IT R D High Confidence Infrastructure Control Systems is one of the 16 grand challenges that the task force identified North American Electric Reliability Council Designated by DOE as the electricity sector’s information sharing and analysis center ISAC coordinator for CIP the North American Electric Reliability Council NERC receives security data from the electricity sector analyzes the data with input from DHS other federal agencies and other critical infrastructure sector ISACs and disseminates threat indications analyses and warnings NERC has also formed the Critical Infrastructure Protection Advisory Group CIPAG which guides security activities and conducts security workshops to raise the awareness of cyber and physical security in the electricity sector A Process Control Systems Security Task Force within CIPAG specifically addresses the security of electricity control systems In response to the Federal Energy Regulatory Commission’s June 2002 Standard Market Design notice of public rulemaking which included cybersecurity standards for the electricity sector the NERC board of trustees adopted a 1-year urgent action Cyber Security Standard on August 13 2003 The intent of this cybersecurity standard is to provide a minimal level of assurance that key entities responsible for the reliability of the bulk electric systems of North America—specifically reliability coordinators and control area operators—identify and protect critical cyber assets that control or could impact the reliability of their systems The standard includes such requirements as policies controls physical security training and recovery plans However it does not apply to control systems or electronic relays i e RTUs or PLCs that are installed in generation plants transmission substations or distribution substations NERC is currently preparing a standards authorization request i e a scope document that will be used to solicit NERC board approval to begin drafting of the permanent standard A number of industry organizations expect that this will require the compliance of control systems and electronic relays Members of the NERC Balloting Body made up of representatives of electricity organizations from each of the 10 NERC regions will be able to vote on the draft standard and if they approve it the board of trustees will vote to adopt it A NERC representative estimates that the permanent standard would not be Page 34 GAO-04-354 Cybersecurity of Control Systems Appendix II Initiatives to Address Cybersecurity Challenges of Control Systems formally adopted until 2005 For compliance purposes the standard is not expected to apply to electricity distribution assets or organizations Electric Power Research Institute International Council on Large Electric Systems The Electric Power Research Institute EPRI has released Scoping Study on Security Processes and Impacts a guide to help utilities identify vulnerabilities in their communications systems and link their associated risks to appropriate levels of security countermeasures In addition EPRI has launched mock attacks on the control systems of electric utilities to probe for weaknesses and has subsequently provided utilities with reports on their own potential vulnerabilities EPRI has also provided other members with reports on their potential vulnerabilities and insights on security best practices The institute is also working on a method to protect the SCADA network directly by identifying anomalous commands that are caused by malicious activities or human error in time to allow operators to take corrective action EPRI next plans to partner with a major computer vendor to develop ways to secure grid communications such as by encrypting data at both the control-system network and fielddevice levels The International Council on Large Electric Systems CIGRE is a nonprofit international association based in France It has established several study committees to promote and facilitate the international exchange of knowledge in the electrical industry by identifying best practices and developing recommendations Three of its study committees focus on control systems The objectives of the Substations Committee include the adoption of technological advances in equipment and systems to achieve increased reliability and availability The System Operation and Control Committee focuses on the technical capabilities needed for the secure and economical operation of existing power systems and it includes within its scope functionalities to assess security which support control centers and operators The Information Systems and Telecommunication for Power Systems Committee monitors emerging technologies in the industry and evaluates their possible impact In addition it focuses on the security requirements of the information systems and services of control systems The technical activities of these committees are carried out by working groups that produce reports and technical brochures for publication Page 35 GAO-04-354 Cybersecurity of Control Systems Appendix II Initiatives to Address Cybersecurity Challenges of Control Systems The Oil Pipeline Industry The oil pipeline industry is currently developing an industry standard for the protection of control functions and control systems This standard will focus on communications including the confidentiality of protocols encryption of data and access controls such as firewall services and intrusion detection systems According to a representative from the oil pipeline industry the standard will provide guidance on managing the sharing of SCADA information while maintaining security including defining information classification levels and control of access It will address how to provide for the interchange of data In addition the industry is working on issues related to standards for control systems with other organizations such as the American Gas Association the Instrument Society of America and the Institute of Electrical and Electronics Engineers Gas Technology Institute and American Gas Association Sponsored by the federal government’s Technical Support Working Group the Gas Technology Institute and the American Gas Association AGA have researched a number of potential encryption methods to prevent hackers from accessing natural gas companies’ control systems This research has led to the development of a proposed industry standard for encryption The proposed standard provides energy utilities with a set of standards for protocols equipment and procedures to protect the transmission of control systems communications through the data transfer process Efforts to develop this standard have been under way since October 2001 According to the department head of gas supply operations at AGA the testing and final release of the proposed standard is targeted for the second quarter of 2004 Chemical Sector Cybersecurity Program The Chemical Sector Cybersecurity Program is a forum of 13 trade associations and serves as the ISAC for the chemical sector Part of this program the Chemical Industry Data Exchange CIDX has established the Cyber-Security Practices Standards and Technology Initiative to identify immediate opportunities to improve the base level of cybersecurity within the chemical industry The objective of this initiative is to address the practices and standards for both business systems and manufacturing control systems In May of 2003 CIDX completed and issued the first version of its Guidance for Directing Cybersecurity in the Chemical Sector In coordinating with prior work that had been issued by the American Chemistry Council this guidance provides information on cybersecurity Page 36 GAO-04-354 Cybersecurity of Control Systems Appendix II Initiatives to Address Cybersecurity Challenges of Control Systems applicability sample strategies and available resources Currently this document focuses on the security of business systems rather than control systems however in the near future CIDX plans to incorporate issues specific to control systems in this document In addition CIDX has plans to start developing prescriptive guidance regarding the risk level for control systems In September of 2003 CIDX issued an additional guidance document Cybersecurity Vulnerability Assessment Methodology Guidance This document compares several methodologies for assessing cybersecurity vulnerabilities The objective was to find one methodology that performed well in addressing cybersecurity for both business systems and control systems however it was discovered that while a given methodology may work well for either the business environment or control systems it may not work well for both In addition CIDX is working to align the chemical industry’s initiatives to enhance the security of control systems with the ongoing initiatives at the Instrumentation Systems and Automation Society NIST and the American Chemistry Council Instrumentation Systems and Automation Society The Instrumentation Systems and Automation Society’s ISA Manufacturing and Control Systems Security Standards Committee also referred to as the SP99 committee is composed of representatives from many industries including water wastewater fossil fuels nuclear energy food and beverages pharmaceuticals chemicals petrochemicals U S government labs and organizations and automotive and educational institutions The committee is working to establish standards and recommended practices write technical reports and develop other information that will define procedures and methodologies for developing assessing and implementing effective security practices for manufacturing and control systems and for assessing cybersecurity performance The committee’s guidance is directed toward those responsible for designing implementing or managing control systems as well as toward users system integrators security practitioners and control systems manufacturers and suppliers Its focus is on improving the confidentiality integrity and availability of control systems and their components and providing criteria for procuring and implementing secure control systems Two technical reports are expected to be released in March of this year The first report Security Technologies for Manufacturing and Control Systems ISA-TR99 00 01 is intended to document the known state of the Page 37 GAO-04-354 Cybersecurity of Control Systems Appendix II Initiatives to Address Cybersecurity Challenges of Control Systems art of cybersecurity technologies as they are applied to the control systems environment to clearly define what can reasonably be deployed today and to define areas where more research is needed The purpose of the second report Integrating Electronic Security into the Manufacturing and Control Systems Environment ISA-TR99 00 02 is to present a consistent approach for developing implementing and operating a program that addresses security for control systems Plans have been made to create a joint project team with ISA and the International Electrotechnical Commission IEC to disseminate ISA’s technical reports through the IEC Future activities of the committee include updating its technical reports continuing to develop a complete standard for manufacturing and control systems security developing control systems security requirements developing common language and reference models and formalizing liaisons and interfaces to government standards-creating organizations technical organizations and other groups working in the area of control systems cybersecurity International Electrotechnical Commission The International Electrotechnical Commission IEC is a standards organization that prepares and publishes international standards for all electrical electronic and related technologies These standards serve as a basis for creating national standards and as references for drafting international tenders and contracts IEC’s members include manufacturers providers distributors vendors consumers users all levels of governmental agencies professional societies trade associations and standards developers from over 60 countries IEC’s Technical Committee 65 has been chartered to produce standards for process control In September 2003 the committee announced its decision to address the cybersecurity of communications for the measurement and control of industrial processes This new work encompasses technologies such as firewalls routers cryptographic security of communications and authentication technologies As mentioned previously plans have been made for IEC and ISA to create a joint project team to advance their efforts to secure control systems IEC’s Technical Committee 57 is working to develop standards for control systems and control system components including communications and end devices such as RTUs It is also establishing data and communication security and communications standards for substations Page 38 GAO-04-354 Cybersecurity of Control Systems Appendix II Initiatives to Address Cybersecurity Challenges of Control Systems Institute of Electrical and Electronics Engineers The Institute of Electrical and Electronics Engineers IEEE is developing standards for defining specifying and analyzing control systems in the electric power industry In addition IEEE has developed recommended practices for communication between remote terminal units and intelligent electronic devices in a substation IEEE is also working on a project to develop a standard for substation integrated protection control and data acquisition communications The project will define standards for communications requirements and will specify message delivery time between intelligent electronic devices Partnership for Critical Infrastructure Security The Partnership for Critical Infrastructure Security PCIS is comprised of government agencies and private-sector associations that represent each of the critical infrastructure sectors The partnership coordinates crosssector initiatives to support CIP by identifying legislative issues that affect such initiatives and by raising awareness of issues in CIP PCIS has had a control systems working group whose goal has been to raise awareness of control system security and to discuss the existing initiatives to improve the security of control systems CERT CC and KEMA Consulting CERT CC at Carnegie Mellon and KEMA Consulting are leading an initiative to establish E-CERT a team to collect and analyze information about cybersecurity incidents in control systems within the nation’s critical infrastructures assess their effects and share the results with industry Already initiated the first step consists of conducting a scoping study and developing a white paper to determine how to manage vulnerabilities and incidents KEMA and CERT CC plan to enlist expertise from the control system community and establish an ongoing rapport with control system vendors Plans are for DOE DHS and private industry groups to fund the team While this effort thus far has been focusing on the energy sector the issues are applicable to other sectors Process Control Systems Cyber Security Forum The Process Control Systems Cyber Security Forum PCSCS is a joint effort of KEMA Consulting and LogOn Consulting Inc Formed in 2003 PCSCS is an annual program to study the cybersecurity issues surrounding the effective operation of control systems It focuses on issues challenges threats vulnerabilities best practices lessons learned and solutions It currently holds workshops and seminars on control system cybersecurity via the Internet offers consulting services and publishes bulletins and white papers aimed at helping those in the process control environment to Page 39 GAO-04-354 Cybersecurity of Control Systems Appendix II Initiatives to Address Cybersecurity Challenges of Control Systems share information and address the issues they are facing in securing their control systems Page 40 GAO-04-354 Cybersecurity of Control Systems Appendix III Comments from the Department of Homeland Security Appendix III Comments from the Department of Homeland Security 310508 Page 41 GAO-04-354 Cybersecurity of Control Systems GAO’s Mission The General Accounting Office the audit evaluation and investigative arm of Congress exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people GAO examines the use of public funds evaluates federal programs and policies and provides analyses recommendations and other assistance to help Congress make informed oversight policy and funding decisions GAO’s commitment to good government is reflected in its core values of accountability integrity and reliability Obtaining Copies of GAO Reports and Testimony The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet GAO’s Web site www gao gov contains abstracts and fulltext files of current reports and testimony and an expanding archive of older products The Web site features a search engine to help you locate documents using key words and phrases You can print these documents in their entirety including charts and other graphics Each day GAO issues a list of newly released reports testimony and correspondence GAO posts this list known as “Today’s Reports ” on its Web site daily The list contains links to the full-text document files To have GAO e-mail this list to you every afternoon go to www gao gov and select “Subscribe to e-mail alerts” under the “Order GAO Products” heading Order by Mail or Phone The first copy of each printed report is free Additional copies are $2 each A check or money order should be made out to the Superintendent of Documents GAO also accepts VISA and Mastercard Orders for 100 or more copies mailed to a single address are discounted 25 percent Orders should be sent to U S General Accounting Office 441 G Street NW Room LM Washington D C 20548 To order by Phone Voice TDD Fax 202 512-6000 202 512-2537 202 512-6061 To Report Fraud Waste and Abuse in Federal Programs Contact Public Affairs Jeff Nelligan Managing Director NelliganJ@gao gov 202 512-4800 U S General Accounting Office 441 G Street NW Room 7149 Washington D C 20548 Web site www gao gov fraudnet fraudnet htm E-mail fraudnet@gao gov Automated answering system 800 424-5454 or 202 512-7470