Order Code RL31534
CRS Report for Congress
Received through the CRS Web
Critical Infrastructure:
Control Systems and
the Terrorist Threat
Updated July 14, 2003
Dana A. Shea
Analyst in Science and Technology Policy
Resources, Science, and Industry Division
Congressional Research Service, The Library of Congress
Summary
Much of the U.S. critical infrastructure is potentially vulnerable to cyber-attack.
Industrial control computer systems involved in this infrastructure are specific points
of vulnerability, as cyber-security for these systems has not been previously perceived
as a high priority. Industry sectors potentially affected by a cyber-attack on process
control systems include the electrical, telephone, water, chemical, and energy sectors.
The federal government has issued warnings regarding increases in terrorist
interest in the cyber-security of industrial control systems, citing international
terrorist organization interest in critical infrastructure and increases in cyber-attacks
on critical infrastructure computer systems. The potential consequences of a
successful cyber-attack on critical infrastructure industrial control systems could be
high and range from a temporary loss of service to catastrophic infrastructure failure
affecting multiple states for an extended duration.
The National Strategy for Securing Cyberspace, released in February 2003,
contains a number of suggestions regarding security measures for control systems.
A focus on the further integration of public/private partnerships and information
sharing is described, along with suggestions that standards for securing control
systems be developed and implemented.
The Homeland Security Act of 2002 (P.L. 107-296) consolidated several
federal entities that play a role in cyber-security of control systems into the
Department of Homeland Security. These entities include the Critical Infrastructure
Assurance Office, the National Infrastructure Protection Center, the National
Infrastructure Simulation and Analysis Center, and parts of the Department of
Energy’s Office of Energy Assurance. Additionally, the Homeland Security Act of
2002 created a new class of information, critical infrastructure information, which
can be withheld from the public by the federal government.
Research and other efforts to increase the cyber-security of control systems
occur both at federal government facilities and through industry groups in critical
infrastructure sectors. The Department of Energy National Laboratories, the
Department of Defense, and the National Institute of Standards and Technology all
have programs to assess and ameliorate the cyber-vulnerabilities of control systems.
Industry-based research into standards, best practices, and control system encryption
is ongoing in the natural gas and electricity sectors.
Possible policy options for congressional consideration include further
development of uniform standards for infrastructure cyber-protection; growth in
research into security methods for industrial control systems; assessing the
effectiveness of the new exemptions to the Freedom of Information Act; and the
integration of previous offices in the new Department of Homeland Security.
This report will be updated as events warrant.
Contents
Introduction ..... 1
Current Industrial Control System Vulnerability ..... 2
The Magnitude of the Terrorist Threat ..... 5
Potential Consequences of a Terrorist Attack ..... 7
Current Initiatives ..... 9
    Department of Homeland Security ..... 9
    Department of Energy Laboratories ..... 11
    National Institute of Standards and Technology ..... 12
    Department of Defense ..... 12
    Information Sharing and Analysis Centers ..... 12
    Federal Energy Regulatory Commission ..... 14
    Industry Initiatives ..... 14
Policy Options ..... 15
Introduction
This report addresses the cyber-vulnerability of critical infrastructure industries
which regularly use industrial control systems. Industrial control systems may be
vulnerable to infiltration by different routes, including wireless transmission, direct
access to control system computers, exploitation of dial-up modems used for
maintenance, or through the Internet. This report will specifically discuss the
potential for access to industrial control systems through the Internet.
The vulnerability of U.S. critical infrastructure to cyber-attack and catastrophic
failure was brought to light in 1997 in the report of the President’s Commission on
Critical Infrastructure Protection.1 Among other concerns, the computer systems
used to remotely control process equipment were highlighted as specific points of
vulnerability. These systems were updated during the Y2K crisis, but their cyber-
security has not generally been a high priority. The events of September 11, 2001
have heightened the public awareness of the nation’s vulnerability to terrorist attack,
and a National Research Council report has identified “the potential for attack on
control systems” as requiring “urgent attention.”2
Critical infrastructure is defined in the USA PATRIOT Act as those “systems
and assets, whether physical or virtual, so vital to the United States that the
incapacity or destruction of such systems and assets would have a debilitating impact
on security, national economic security, national public health or safety, or any
combination of those matters.”3 Several industry sectors considered to be critical
infrastructures use industrial control systems in their daily activities. These
industries could be significantly affected by a cyber-attack targeting industrial control
systems such as supervisory control and data acquisition (SCADA) systems,
distributed control systems, and others. The President’s Commission on Critical
Infrastructure Protection report stated,
From the cyber perspective, SCADA systems offer some of the most attractive
targets to disgruntled insiders and saboteurs intent on triggering a catastrophic
event. With the exponential growth of information system networks that
interconnect the business, administrative, and operational systems, significant
disruption would result if an intruder were able to access a SCADA system and
modify the data used for operational decisions, or modify programs that control
critical industry equipment or the data reported to control centers.4
1 Presidential Commission on Critical Infrastructure Protection, Critical Foundations:
Protecting America’s Infrastructures, October, 1997.
2 National Research Council, Making the Nation Safer: The Role of Science and Technology
in Countering Terrorism, June, 2002.
3 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept
and Obstruct Terrorism (USA PATRIOT) Act, P.L. 107-56, Title X, Section 1016.
Current Industrial Control System Vulnerability
The most commonly discussed industrial control systems include supervisory
control and data acquisition (SCADA) systems and distributed control systems
(DCS).5 SCADA systems are often used for remote monitoring over a large
geographic area and transmitting commands to remote assets, such as valves and
switches. For example, they can be found in water utilities and oil pipelines, where
they monitor flow rates and pressures. Based on the data that these systems provide,
computer programs or operators at a central control center balance the flow of
material. Generally, SCADA systems process little data internally, instead
performing analysis in a more central location, but are the primary conduits for raw
data to and commands from a control center. They may be vulnerable to
implantation of faulty data and to remote access through dial-up modems used for
maintenance.
Distributed control systems are process control systems, commonly deployed
in a single manufacturing or production complex, characterized by a network of
computers. DCS generally provide processed information or issue a series of
commands. For example, at a chemical plant, a DCS might simultaneously monitor
the temperature of a series of reactors and control the rate at which reactants are
mixed together, while performing real-time process optimization and reporting the
progress of the reaction. An attack targeting a DCS might cause extensive damage at
a single facility, but might not affect more than the single site.
These process control systems can be interconnected within a single industry as
well. This might be the case in an infrastructure which both transports and processes
material. As an example, the oil and gas infrastructures contain both processing and
refining sites, as well as holding facilities and distribution systems. Refining and
processing sites may utilize DCS in discrete locations. The distribution and holding
facilities might be managed by a SCADA system which collects data from and
issues commands to different geographic sites from a single location.6
4 Presidential Commission on Critical Infrastructure Protection, Critical Foundations:
Protecting America’s Infrastructures, October, 1997.
5 For a simple overview of control system types, see Micrologic Systems, “SCADA Primer,”
found online at [http://www.micrologic-systems.com/primers/scada.htm], or Dan Capano,
“Distributed Control Systems Primer,” Waterandwastewater.com, (2002), found online at
[http://www.waterandwastewater.com/www_services/ask_dan_archive/toc.htm]. Other
types of control systems, such as programmable logic controllers, exist, but are not explicitly
discussed here.
6 This example was taken from “IT Security for Industrial Control Systems” by Joe Falco,
Keith Stouffer, Albert Wavering, and Frederick Proctor, Intelligent Systems Division,
National Institute of Standards and Technology, available online at
[http://www.isd.mel.nist.gov/documents/falco/ITSecurityProcess.pdf].
Industrial control system technologies are often employed in critical
infrastructure industries to allow a single control center to manage multiple sites.
Industrial control systems were originally implemented as isolated, separate
networks. They were viewed as secure systems which protected remote locations
from being physically broken into and mistreated. For example, the establishment
of remote control systems in dams was believed to protect against unlawful release
of the dammed water, as no hand-operable valves and switches were accessible.7
The networking of industrial control systems on a greater scale has led to
increased synergy and efficiency, and, due to market needs, real time information
from these systems is increasingly important for marketing purposes. Consequently,
industrial control systems are becoming linked to corporate computer systems,
potentially making them vulnerable to cyber-attack through the Internet. Original
control systems were designed to be free standing networks without Internet access.
Therefore, it has been necessary to add network access capabilities to these legacy
systems to integrate them into the corporate structure. This has created, in the worst
cases, a labyrinth of connections which is perhaps not rigorously constructed for
cyber-security or well documented.
Some industrial control systems, including legacy systems, are proprietary, and
contain non-standard architectures and command syntax. This can be considered
both an advantage and a disadvantage. Proprietary systems with esoteric command
structures are often non-intuitive, and could be difficult to operate by an untrained
individual. Incorrect commands could cause no results, and may increase the
probability that the intruder would be noticed and removed from the system.
Additionally, different companies may have different command sets, even if they are
both members of the same industry, as their proprietary systems may have
significantly different structures. Thus, if a hacker or terrorist successfully attacks
one company, that experience may not be valuable for use at the next company.
Others assert that many new control systems, as well as upgrades to legacy systems,
are being assembled from commercial, off-the-shelf equipment and software,
providing commonalities across different industry sectors. When such equipment
and software are adopted widely, a vulnerability identified in one sector affects all sectors.
The degree of integration between control system networks and publicly
accessible networks is difficult to judge from the open literature. This makes it
difficult to assess with certainty the vulnerability of critical infrastructure industries
to Internet-based attack.8 Faced with an unclear risk, it may be
difficult, from an industry perspective, to justify the additional costs of upgrading
privately-held industrial control systems to higher security standards.9 Current off-
the-shelf industrial control systems have been designed for operational speed and
functionality, rather than for secure operation, and therefore do not have a high
degree of operational security.10 Addition of security requirements can degrade the
performance of these components below operating standards.
7 Scott Berinato, “The Truth about Cyberterrorism,” CIO Magazine, Vol. 15, No. 11, March
15, 2002.
8 The Department of Energy and the Department of Defense have performed vulnerability
assessments, through “red team” exercises, of some individual stakeholders in critical
infrastructure industries. (Barton Gellman, “Cyber-Attacks by Al Qaeda Feared: Terrorists
at Threshold of Using Internet as Tool of Bloodshed, Experts Say,” Washington Post, June
27, 2002) These detailed results, while provided to the individual stakeholders, are not
widely available. (Joe Weiss, KEMA Consulting, private e-mail communication, September
8, 2002)
Given the uncertain vulnerability level and the systemic weaknesses involved
in current off-the-shelf technology, there is little market incentive to directly increase
industrial control systems security. Therefore the security systems for the corporate
network, which block initial intrusion through the Internet, may be the sole planned
protection for the industrial control systems.
Security analysts also contend that industrial control systems are less obscure
now than they once were. Foreign utility companies increasingly use current off-the-shelf industrial
control systems, increasing the international availability of systems and their
documentation. Due to the similarity between these systems and systems installed
domestically, potential terrorists need not break into an American utility to test their
plans.11
Some security analysts believe that the industrial control system vulnerability
should be addressed before potentially catastrophic events occur, and that techniques
for reducing the vulnerability are already known. They contend that the majority of
attacks on industrial control systems will come through corporate networks, via the
Internet. While standardized information technology protection methods have not
yet been developed specifically for industrial control systems, these analysts contend
that if general network benchmark standards were uniformly applied across corporate
networks, corporate network vulnerability to intrusion could be reduced by 80-88%.12
This would indirectly reduce the industrial control systems vulnerability to
intrusion, as routes through the corporate network would no longer be available.
These benchmark standards include disabling unneeded server functionality, patching
known security flaws, and updating programs to the most recent version.
Other security analysts claim that in addition to general network security,
specific protection for industrial control systems must also be established. Such
protection might be addressed by successfully isolating the control system network
from the corporate computer network or by implementing stronger security measures
at known junctions of the two networks. Such an effort might significantly increase
the difficulty of infiltrating the control system network from the Internet.13
9 Eric Pianin and Bill Miller, “Businesses Draw Line On Security, Firms Resist New Rules
For Warding Off Terror,” Washington Post, September 5, 2002.
10 Jennifer Alvey, “Digital Terrorism: Holes in the Firewall? Plugging Cyber Security Holes
Isn’t as Easy as Everyone Wants to Think,” Public Utilities Fortnightly, March 15, 2002.
11 Testimony by Timothy G. Belcher, Chief Technology Officer, Riptech, Inc., before the
House Committee on Government Reform, Subcommittee on Government Efficiency,
Financial Management and Intergovernmental Relations, July 24, 2002.
12 Testimony by Alan Paller, Director of Research, The SANS Institute, before the House
Committee on Government Reform, Subcommittee on Government Efficiency, Financial
Management and Intergovernmental Relations, July 24, 2002.
In contrast, control systems may have vulnerabilities unrelated to those
associated with corporate networks, and may require more specific protection,
including against attacks not transiting the corporate network.14 Protecting corporate
networks from intrusion may not address enough of the vulnerable access routes into
industrial control systems. Joe Weiss, Executive Consultant with KEMA Consulting,
asserts that firewalls, intrusion detection, encryption, and other technology need to
be developed specifically for control systems.15
Some companies have taken aggressive steps to protect their industrial control
systems, and are examples for how secure industrial control systems can be
established.16 While most security experts agree that critical infrastructure industries
which view secure industrial control systems as a priority can reduce vulnerabilities,
they assert that most critical infrastructure industries are not willing to voluntarily
commit resources, time and effort into reducing their vulnerabilities. Stuart McClure,
President and Chief Technical Officer of the security company Foundstone, claims,
“[Industries] have fallen into the regulation trap. Unless the government regulates
it, they’re not yet taking [security] seriously.”17
The Magnitude of the Terrorist Threat
Some critical infrastructure industry representatives are skeptical that a cyber-
terror attack would target industrial control systems.18 Since there has never been an
attack on domestic critical infrastructure industrial control systems which caused
intentional damage, even in cases where hackers have successfully broken into these
systems, industry representatives believe the cyber-threat to be low. Diane Van de
Hei, executive director of the Association of Metropolitan Water Agencies and
contact person for the water utility Information Sharing and Analysis Center (ISAC),
was quoted as saying, “If we had so many dollars to spend on a water system, most
of it would go to physical security.”19
13 Such methods have been reportedly employed by DuPont Chemical Company. Mathew
Schwartz, “Wanted: Security Tag Team,” Computerworld, June 30, 2003.
14 Joe Weiss, KEMA Consulting, private e-mail communication, September 8, 2002.
15 Testimony by Joe Weiss, Consultant, KEMA Consulting, before the House Committee
on Government Reform, Subcommittee on Government Efficiency, Financial Management
and Intergovernmental Relations, July 24, 2002.
16 For example, see Scott Berinato, “The Truth about Cyberterrorism,”CIO Magazine, Vol.
15, No. 11, March 15, 2002.
17 Robert Vamosi, “Cyberterrorists Don’t Care About Your PC,” ZDNet Reviews, July 10,
2002.
18 Bill Wallace, “Security Analysts Dismiss Fears of Terrorist Hackers,” San Francisco
Chronicle, June 30, 2002.
19 Robert Lemos, “What Are the Real Risks of Cyberterrorism?” ZDNet, August 26, 2002.
Some critical infrastructure companies believe that the potential damage likely
to be caused by a cyber-attack on control systems would be small and manageable
through already existing procedures. Since fluctuations and equipment failure are
part of expected, normal business, plans and procedures for these naturally occurring
events are in place. They assert that the damage caused by cyber-attack would be
similar to that already routinely seen.20
Some industry representatives also emphasize that the unfamiliar and
uncommon commands used in legacy industrial control systems will continue to
provide as high a barrier to future destructive attempts as they have in the past.21 While
utility industry leaders agree that they have been the target of millions of cyber-
security incidents, some do not analyze the origin or method of attack. Will Evans,
vice president of IT services at People’s Energy Corp., reportedly claimed, “[A large
utility] could have a million [intrusion] events that need to be analyzed. I don’t think
anybody has the capability to do that in-house.”
Utility industry representatives contend that the vast majority of such intrusions
are searches for vulnerable computers in the corporate network by inexperienced
hackers, and, of the dangerous minority actually performed by experienced crackers,
many are focused on economic aspects of the corporate network rather than the
industrial control systems network.22 From the perspective of critical infrastructure
industries, discontented employees who possess inside information about industrial
control systems are a greater security risk than external attempts to breach security.
There is evidence that al Qaeda is interested in the vulnerabilities of the U.S.
public and private utilities. The discovery in Afghanistan of a computer containing
structural analysis programs for dams, combined with an increase in Web traffic
relating to SCADA systems,23 prompted the National Infrastructure Protection Center
(NIPC) to issue a warning information bulletin.24 An analysis of cyber-attack data
collected during the second half of 2001 showed that energy industry companies are
attacked twice as often as other industries, and that a large number of these attacks
originate from the Middle East.25 Additionally, according to one expert, these
statistics do not reflect intrusions directed at control systems which lack firewalls or
intrusion detection systems, resulting in an under-reporting of the actual number of
attacks.26
20 Kevin Poulsen, “Sparks Over Power Grid Cybersecurity,” Business Week Online, April
16, 2003.
21 Scott Berinato, “Debunking the Threat to Water Utilities,” CIO Magazine, Vol. 15, No.
11, March 15, 2002.
22 Bill Wallace, “Security Analysts Dismiss Fears of Terrorist Hackers,” San Francisco
Chronicle, June 30, 2002.
23 Sean Webby, “4 Cities Take Data Off Web; Authorities Remove Info After Hits From
Mideast,” San Jose Mercury News, June 28, 2002.
24 “Terrorist Interest in Water Supply and SCADA Systems,” National Infrastructure
Protection Center, Information Bulletin 02-001, January 30, 2002.
25 Dan Verton, “Vulnerability Assessment Triggers Alarms,” Computerworld, January 21,
2002.
There have been examples of individuals specifically breaking into utility
companies’ control systems. The most notable event occurred in Maroochy Shire,
Australia, where, in Spring, 2000, a discontented former employee was able to
remotely access the controls of a sewage plant and discharge approximately 264,000
gallons of untreated sewage into the local environment.27 In 1994, a hacker
successfully broke into the computer system of the Salt River Project in Arizona.28
Another example, from March, 1997, occurred when a teenager in Worcester, MA
was able to remotely disable part of the public telephone switching network,
disrupting telephone service for 600 residents, including the fire department, and
causing a malfunction at the local regional airport.29 Reportedly, an intrusion into the
SCADA systems of a global chemical company occurred where a former employee
attempted to disable chemical operating systems at a production plant.30
Often, it is difficult to assess from public reports to what degree a critical
infrastructure industry has been breached.31 For example, a cyber-break-in at the
California Independent System Operator (Cal-ISO), California’s primary electric
power grid operator, went undetected for 17 days in April, 2001. Greg Fishman, a
representative of Cal-ISO, reported the intruders “never really got close at all to our
operational systems that run the grid.”32 It is not clear what information was
compromised during the intrusion, who the perpetrators were, or what their goal in
gaining access was. To date, there has been no indication that the perpetrators of this
attack were able to access any sensitive information or systems.
Potential Consequences of a Terrorist Attack
The consequences of an attack on the industrial control systems of critical
infrastructure could vary widely. It is commonly assumed that a successful cyber-
attack would cause few, if any, casualties, but might result in loss of infrastructure
service while control was wrested from the attacker and damage repaired. For
example, a successful cyber-attack on the public telephone switching network might
deprive customers of telephone service while technicians reset and repaired the
switching network. An attack on a chemical or liquid natural gas facility’s control
systems might lead to more widespread physical damage.
26 Joe Weiss, KEMA Consulting, private e-mail communication, September 8, 2002.
27 A summary of this event can be found in National Infrastructure Protection Center,
Highlights, 2-03, June 15, 2002.
28 Robert Lemos, “What Are the Real Risks of Cyberterrorism?” ZDNet, August 26, 2002,
found online at [http://www.msnbc.com/news/799234.asp].
29 “Juvenile Hacker Charged with Disabling Airport Control Tower Telephones,” Agence
France Press, March 18, 1998.
30 Esther D’Amico, “Cybersecurity Gains Momentum,” Chemical Week, August 21, 2002.
31 Ibid.
32 Dan Verton, “California Hack Points to Possible Surveillance Threat; Power Grid
Unaffected; Perps Unidentified,” Computerworld, June 18, 2001.
Lower probability events include catastrophic infrastructure failure, where the
failure of one part of the infrastructure leads to the failure of other parts, causing
widespread effect. Such failure might occur due to the synergistic effect of
infrastructure industries on each other. A simple example might be an attack on
electrical utilities where electricity distribution was disrupted; sewage treatment
plants and waterworks could also fail, as perhaps the turbines and other electrical
apparatuses in these facilities shut down. On August 5, 2002, the faulty closure of
an emergency valve at one of Singapore’s two natural gas suppliers blocked the flow
of natural gas to seven electrical power plants. The resultant power level dropped
30%, and even after reserve power was employed, there was still an 8% shortfall. The
power outage lasted up to 90 minutes.33 Several chemical production plants were
forced to shut down their facilities during the power outage, and required several days
to restore full production.34
Some experts warn of a cascade event, where a terrorist is able to manipulate
control systems and cause catastrophic failure within an infrastructure. Cascade
events can be very damaging, causing widespread utility outages. Twice in 1996,
arcing between high voltage transmission lines and trees resulted in widespread
power outages. On July 2, 1996, a cascade event left 2 million customers in 11 states
and 2 Canadian provinces without power.35 Most service was restored within 30
minutes.36 On August 10, 1996, a similar event caused 7.5 million customers in
seven western states and part of Canada to be without power for up to nine hours.37
The scenario which causes the highest degree of concern among experts is the
combined use of a cyber-attack on critical infrastructure in conjunction with a
physical attack.38 This use of cyber-terrorism could result in an amplification of the
physical attack’s effects. An example of this might be a conventional bombing attack
on a building combined with a temporary denial of electrical or telephone service.
The resulting degradation of emergency response, until back-up electrical or
communication systems can be brought into place and used, could increase the
number of casualties and public panic.
33 Krist Boo and Tan May Ping, “90-Minute Blackout in Several Areas,” The Straits Times
(Singapore), August 6, 2002, and Krist Boo, “Computer Glitch Behind Worst Blackout in
Decade,” The Straits Times (Singapore), August 15, 2002.
34 Sam Cage, “Power Failure Downs Three Singapore Crackers,” Chemical Week, August
14, 2002.
35 Susan Reed, “Massive Power Outage in West Still Unexplained,” CNN, July 3, 1996 and
Bonneville Power Administration, “Tree Triggers Power Outage,” Journal, August, 1996,
found online at [http://www.bpa.gov/corporate/kc/home/journal/96jl/jl0896x.shtml].
36 “Parts of Idaho Darkened by Power Outage, Earlier Western Blackout Traced to Short
Circuit,” CNN, July 3, 1996.
37 John F. Hauer and Jeff E. Dagle, “Consortium for Electric Reliability Technology
Solutions Grid of the Future, White Paper on Review of Recent Reliability Issues and
System Events,” prepared for Transmission Reliability Program, Office of Power
Technologies, Assistant Secretary for Energy Efficiency and Renewable Energy, U.S.
Department of Energy, August 30, 1999.
38 For an overview of this type of scenario, see National Research Council, Making the
Nation Safer: The Role of Science and Technology in Countering Terrorism, National
(continued...)
Others believe that the consequences of a cyber-attack on critical infrastructure
would be very limited, and that excessive focus has been given to an unsubstantiated
threat.39 Cyber-security experts who doubt the effectiveness of such an attack range
in opinion regarding an attack’s impact. Some believe that a cyber-attack on critical
infrastructure control systems, while having some effect, would not be devastating,
but rather only a minor threat.40 Others believe that there could be significant impacts
from a successful attack on control systems, but that such success would be very
unlikely.41 Finally, some believe that while it is possible to use computers to generate
high consequence attacks, it would be much more likely that a terrorist group would
resort to a simpler conventional attack which would yield results of a similar
magnitude.42
Current Initiatives
Department of Homeland Security
The creation of the Department of Homeland Security has centralized within the
Directorate of Information Analysis & Infrastructure Protection a number of offices
related to critical infrastructure control system security: the Critical Infrastructure
Assurance Office (CIAO), the National Infrastructure Protection Center, the National
Infrastructure Simulation and Analysis Center (NISAC), and part of the Department
of Energy’s Office of Energy Assurance.43
CIAO and NIPC were created in response to Presidential Decision Directive No.
63, issued in 1998.44 CIAO coordinates the federal government’s initiatives on
critical infrastructure assurance and promotes national outreach and awareness
campaigns about critical infrastructure protection. NIPC is a national critical
infrastructure threat assessment, warning, vulnerability, and law enforcement
investigation and response agency. Among other programs, NIPC has developed the
InfraGard program, which serves as a clearinghouse for information sharing and
analysis for members of critical infrastructure industries.
38 (...continued)
Academy Press, Washington, DC, 2002.
39 Joshua Green, “The Myth of Cyberterrorism,” The Washington Monthly, November, 2002.
40 Steve Alexander, “Some Experts Say Cyberterrorism Is Very Unlikely,” Star Tribune,
February 13, 2003.
41 Mark Harrington, “In Cyber-Attack, The System Bends, Doesn’t Break,” Newsday,
February 11, 2003.
42 Bill Wallace, “Security Analysts Dismiss Fears of Terrorist Hackers,” San Francisco
Chronicle, June 30, 2002. See also Bruce Schneier, “Embedded Control Systems and
Security,” Crypto-Gram Newsletter, July 15, 2002.
43 Homeland Security Act of 2002, P.L. 107-296.
44 Presidential Decision Directive No. 63 set as a national goal the ability to protect the
nation’s critical infrastructure from intentional attacks. For more information regarding this
directive and other critical infrastructure policy, see CRS Report RL30153, Critical
(continued...)
NISAC was created in 2001 through the passage of the USA PATRIOT Act.
It is charged to “serve as a source of national competence to address critical
infrastructure protection and continuity through support for activities related to
counterterrorism, threat assessment, and risk mitigation.”45 This center is to provide
modeling and simulation capabilities for the analysis of critical infrastructures,
including electricity, oil, and gas sectors.46 It is located at Sandia National
Laboratories and Los Alamos National Laboratory.47
The Department of Energy’s Office of Energy Assurance has also been involved
in developing techniques to secure energy production and availability.48 Part of this
effort has been the development of “simple, common-sense approaches to improve
the overall level of protection in SCADA and digital control networks.”49 A
document describing a general approach to improving cyber-security in SCADA
systems has been released.50
The President’s Critical Infrastructure Protection Board has released The
National Strategy to Secure Cyberspace, in which a general strategic overview,
specific recommendations and policies, and the rationale for these actions are
presented.51 This document addresses concerns regarding digital control systems and
SCADA networks, rates SCADA network security as a national priority, and
recommends joint public/private efforts in discovering solutions to potential
vulnerabilities. This strategy identifies the Department of Homeland Security, in
coordination with other federal agencies, as the department responsible for
developing best practices and new technologies to increase SCADA security. Some
cyber-security experts have criticized this plan, claiming that vulnerabilities will
remain because of its lack of enforcement regulations.52
44 (...continued) Infrastructures: Background, Policy, and Implementation by John D. Moteff.
45 USA PATRIOT Act, P.L. 107-56, Section 1016.
46 Jennifer Jones, “Models of Mayhem,” Federal Computer Week, September 30, 2002.
47 For more information on NISAC, see [http://www.sandia.gov/CIS/NISAC.htm].
48 The Department of Energy’s Office of Energy Assurance can be found online at [http://oea.dis.anl.gov/oea_home.html].
49 Remarks of James F. McDonnell, Director of the Office of Energy Assurance, September 19, 2002, found online at [http://oea.dis.anl.gov/documents/mcdonnell_remarks.html].
50 “21 Steps to Improve Cyber Security of SCADA Networks,” Department of Energy, 2002.
51 The National Strategy to Secure Cyberspace is available for download at the President’s Critical Infrastructure Protection Board website, found online at [http://www.whitehouse.gov/pcipb/].
The Department of Homeland Security has created a National Cyber Security
Division to identify, analyze, and reduce cyber-threats and vulnerabilities; disseminate
threat warning information; coordinate incident response; and provide technical
assistance in continuity of operations and recovery planning.53 Based on the needs
of public and private sector partners, this division will implement cyber-security
research and development programs, drawing on the expertise of the Science and
Technology Directorate to carry out the research and development work.
Department of Energy Laboratories
The Department of Energy laboratories have developed a series of test bed
facilities to test security measures developed for critical infrastructure. The Idaho
National Engineering and Environmental Laboratory, in conjunction with Sandia
National Laboratories, is developing a SCADA test bed to help identify
vulnerabilities and improve the security and stability of SCADA systems.54 The
Pacific Northwest National Laboratory has developed a Critical Infrastructure
Protection Analysis Laboratory where, among other things, the vulnerability of
SCADA systems can be determined.55
Research into advanced technologies is currently underway at Department of
Energy laboratories to address process control system security. For example, Sandia
National Laboratory under the Laboratory Directed Research and Development
program has been developing secure control systems for the energy industry.56
Research includes new information architectures, cryptographic methods, and
information system security assessments. Much of this work arises from needs
discovered through partnerships with systems manufacturers. While a prototype
system to demonstrate proof of principle has been implemented at the Sandia
National Solar Thermal Test Facility, this system has not been widely implemented
in the field.57 Similar security efforts, though less directly focused on industrial
control systems, are being developed at both Lawrence Livermore National
Laboratory and Los Alamos National Laboratory.
52 Robert Lemos, “Bush Unveils Final Cybersecurity Plan,” CNET News, February 14, 2003.
53 Office of the Press Secretary, Department of Homeland Security, “Ridge Creates New Division to Combat Cyber Threats,” June 6, 2003.
54 For more information about the Idaho National Engineering and Environmental Laboratory’s Critical Infrastructure Protection Program, see online at [http://www.inel.gov/nationalsecurity/critical_infrastructure_protection_program/].
55 Securing Our Homeland, Pacific Northwest National Laboratory, available online at [http://www.pnl.gov/main/sectors/homeland.html].
56 Rolf Carlson, “Sandia SCADA Program High-Security SCADA LDRD Final Report,” Sandia Report SAND2002-0729, Sandia National Laboratories, April, 2002.
57 Sandia National Laboratories, “Dish/Stirling Provides Test for Secure Control System,” Sandia Technology, Vol. 3, No. 1, Spring, 2001.
National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST) has initiatives in
industrial control system security. NIST, in conjunction with a number of industry
groups, federal government agencies, and professional societies, has created the
Process Control Security Requirements Forum to develop process control
information security requirements. Through its Critical Infrastructure Protection
program, NIST is developing information security requirements, best-practice
guidelines, and test methods for the process control sector.58
Department of Defense
The Department of Defense, through the Combating Terrorism Technology
Support program, provides support for the protection of infrastructure elements. As
part of this program, encryption algorithms for SCADA systems are being developed
and tested with the end goal of providing recommendations to industry regarding
their use.59
Information Sharing and Analysis Centers
Critical infrastructure industries have also developed non-profit organizations
called Information Sharing and Analysis Centers (ISACs) to allow industry sector
members to share security information in a private forum. Information sharing,
especially regarding the magnitude and nature of observed cyber-attacks,
vulnerabilities and their solutions, is seen as an important step in preparing for and
protecting against cyber-terror.
There has been limited public/private cooperation on divulging information
about and technical solutions to discovered vulnerabilities. Because of perceived
limitations in Freedom of Information Act (FOIA) exemptions, industry
representatives have generally limited the quantity and quality of information
volunteered to the government. Also, the ISAC system has not risen to its full
potential in all critical infrastructure areas, due to fears over disclosure of sensitive
corporate information to competitors. In testimony before the House Committee on
Energy and Commerce, Subcommittee on Oversight and Investigations, Bill Smith,
Chief Technology Officer of the BellSouth Corporation stated,
With respect to FOIA, many companies are hesitant to voluntarily share sensitive
information with the government because of the possible release of this
information to the public. BellSouth currently shares cyber-related intrusion
information with the Telecom Information Sharing and Analysis Center–the
Telecom ISAC–located within the NCC. However, because of the concerns just
noted, the information sharing is done on a limited basis, within trusted circles,
and strictly within a fashion that will eliminate any liability or harm from FOIA
requests for BellSouth information. This is neither maximally efficient nor
effective.60
58 For more information on the Critical Infrastructure Protection program and the Process Control Security Requirements Forum, see [http://www.mel.nist.gov/proj/cip.htm].
59 Office of the Secretary of Defense, Department of Defense, OUSDC Budget Justification Materials, FY 2004 Budget, PE 0603122D8Z, February 2003.
Partially in an effort to address these concerns, the Homeland Security Act of
2002 created a new FOIA exemption for critical infrastructure information:
Notwithstanding any other provision of law, critical infrastructure information
(including the identity of the submitting person or entity) that is voluntarily
submitted to a covered Federal agency for use by that agency regarding the
security of critical infrastructure and protected systems, analysis, warning,
interdependency study, recovery, reconstitution, or other informational purpose,
when accompanied by an express statement ... shall be exempt from disclosure
under section 552 of title 5, United States Code (commonly referred to as the
Freedom of Information Act).61
The breadth of this exemption has caused concern that information showing
safety violations or consumer hazards could be hidden through such an exemption.62
At the confirmation hearing of Homeland Security Secretary Ridge, Senator Levin
noted that the exemption language should be clarified:
The Freedom of Information Act language has got to be clarified. We are
denying the public unclassified information in the current law which should not
be denied to the public. ... [Y]ou could get information that, for instance, a
company is leaking material into a river that you could not turn over to the EPA.
If that company was the source of the information, you could not even turn it
over to another agency. It means that a member of Congress that finds out about
that information through oversight cannot act on that information, even though
its unclassified information. We would be stymied from acting on it, making it
public, for instance, or doing anything else in relation to information which
comes to us or comes to you as a result of a voluntary submission.63
The Department of Homeland Security has published the proposed rule for
handling critical infrastructure information.64 The comment period on this rule
closed on June 16, 2003. For more information on critical infrastructure information,
see CRS Report RL31547, Critical Infrastructure Information Disclosure and
Homeland Security, by John D. Moteff and Gina Marie Stevens.
60 Testimony of Bill Smith, Chief Technology Officer of the BellSouth Corporation before
the House Committee on Energy and Commerce, Subcommittee on Oversight and
Investigations, July 9, 2002.
61 Homeland Security Act of 2002, P.L. 107-296.
62 Lauren Weinstein, “Taking Liberties With Our Freedom,” Wired News, December 2, 2002.
63 Hearing on the Nomination of Tom Ridge to be Director of Homeland Security, Senate
Committee on Government Affairs, January 17, 2003.
64 Federal Register, Volume 68, Number 72, April 15, 2003, pp. 18523-18529.
Federal Energy Regulatory Commission
The Federal Energy Regulatory Commission (FERC) is an independent
regulatory agency within the Department of Energy that, among other duties,
regulates interstate commerce in oil, natural gas, and electricity. FERC has published
a final rule related to critical energy infrastructure information. In this rule, critical
energy infrastructure information (CEII) is defined as:
information about proposed or existing critical infrastructure that: (i) Relates to
the production, generation, transportation, transmission, or distribution of
energy; (ii) Could be useful to a person in planning an attack on critical
infrastructure; (iii) Is exempt from mandatory disclosure under the Freedom of
Information Act, 5 U.S.C. 552; and (iv) Does not simply give the location of the
critical infrastructure.65
Whether or not information falls under the CEII categorization is initially determined
by the companies submitting the information to FERC. Categorization of select
information as CEII may lead to greater information sharing between industry and the
federal government.
FERC has also published a notice of proposed rulemaking which includes
cyber-security for the electric industry.66 This proposed regulation would require the
electric industry to self-certify that it is meeting the cyber-security standards. It
has been reported that FERC will likely adopt standards issued by the North American
Electric Reliability Council in the final version of this regulation.67 The final version
of this regulation has not been issued.68
Industry Initiatives
Some industry groups have taken steps towards addressing control system
security, generally as part of an overall cyber-security initiative.69 Some groups have
launched initiatives in developing infrastructure security programs.70 The North
American Electric Reliability Council has developed a set of minimum cyber-security
standards for the electricity industry, as well as guidelines for securing remote access
to critical electric infrastructure.71 The Partnership for Critical Infrastructure Security
has established a working group to improve understanding of security issues relating
to process control systems.72 Another approach developed by industry groups has
centered on developing cryptographic protection of SCADA communications.73
65 Federal Register, Volume 68, Number 41, March 3, 2003, pp. 9857-9873.
66 Federal Register, Volume 67, Number 168, August 29, 2002, pp. 55451-55550.
67 “FERC Likely to Adopt Electric Industry’s Cyber Security Standards,” Electric Power Alert, Vol. 13, No. 14, July 9, 2003, and Rick Nicholson and Terry Ray, “How Tight Is Your Padlock?” Platts Energy Business & Technology, May 2003.
68 Due to controversies surrounding other provisions of this proposed regulation, questions have arisen regarding when, or if, this proposed regulation will be promulgated. For more general information on this proposed regulation, see CRS Report RS21407, Federal Energy Regulatory Commission’s Standard Market Design Activities by Amy Abel.
69 For example, the chemical sector has begun a Cybersecurity Practices, Standards and Technology Initiative, which will develop practices and standards and encourage development of improved security technology. For more information, see online at [http://www.cidx.org/default_CyberSec.asp?Level=2&SecondLevelURL1=/Security/Security.asp].
Policy Options
Several policy options may decrease the vulnerability of industrial control
systems. One option is for the federal government to mandate and enforce a uniform
security standard for industrial control systems. Because of the national importance
of critical infrastructure systems, a uniform standard might be developed, with the
input of advocates, industries and the federal government, which would include the
functionality necessary to protect industrial control systems. A voluntary, standards-
based approach has been developed for server operating systems with some success,
and a similar mechanism could be used to develop standards for commercial off-the-
shelf control systems.74 Alternately, processes and specifications currently being
developed through federal programs might be generalized to other critical
infrastructure industries and established as a voluntary standard. Critics of this
approach cite the many different uses of industrial control systems in different
industry sectors as making such a standard unwieldy. They also contend that a
mandated standard would be less effective than a voluntary standard, as solutions to
new problems could not be implemented immediately, but would wait for changes
to the standard.
Identifying the dependencies between critical infrastructure sectors, the
vulnerabilities that are present in information technologies in these sectors, and the
possible impacts of a control system attack may lead to a greater understanding of the
scale of the control system threat. Both the Department of Homeland Security, in its
role of protecting infrastructure, and the Department of Energy, in its role of ensuring
a robust and reliable energy infrastructure, perform such activities. Policymakers
may wish to enhance current funding for SCADA security research, test bed
modeling, or critical infrastructure vulnerability assessment to further clarify the
current threat.
70 The Electric Power Research Institute, for example, has developed a series of primers addressing information security within the energy and power industry. For more information about the Electric Power Research Institute, see [http://www.epri.com].
71 Information on the North American Electric Reliability Council’s efforts in critical infrastructure protection can be found online at [http://www.nerc.com/cip.html].
72 For more information about the Partnership for Critical Infrastructure Security working groups, see online at [http://www.pcis.org/library.cfm?urlSection=WG].
73 See, for example, American Gas Association, “Cryptographic Protection of SCADA Communications,” AGA Report 12-1, April 2003.
74 The Center for Internet Security, a not-for-profit organization, develops consensus security standards for computer systems. They can be found online at [http://www.cisecurity.org/].
Another option would involve supporting encryption research to protect
industrial control system data transfer. Encrypting and authenticating the information
transmitted between remote units and their controllers would inhibit the injection of
false information to and from industrial control systems. Current encryption technology
may not be compatible with these systems because of the time required to process the
encrypted data and the level of technology built into control system components.
Industrial control systems have stringent timing requirements and tend to be built out
of less computationally robust components, which complicates the use of current
encryption technologies.75 While a prototype encryption method for industrial control
systems has been developed, it is still in the validation process76 and is only now being
implemented in industry.77 Further research into encryption techniques for these
processes could provide efficient, market-driven technology for securing industrial
control systems information.
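The following Python example is added here to make the preceding paragraph concrete; it is not code from any program or report cited in this report. It shows why the protective value lies in authenticating the traffic, not only in hiding it: a remote unit that checks a message authentication code and a sequence counter on each frame rejects both a frame whose command value was altered in transit and a replayed copy of a genuine frame, and the measured per-frame cost illustrates the timing overhead discussed above. The frame layout, unit address, key, and Modbus-like payload are constructed for the example, and the code uses the standard library's HMAC-SHA256 rather than a cipher; a deployment that also needed confidentiality would substitute an authenticated encryption mode such as AES-GCM from a cryptographic library.

```python
import hashlib
import hmac
import struct
import time

# Frame layout (constructed for this example): unit address (1 byte),
# 32-bit sequence number, application payload, truncated HMAC-SHA256 tag.
HEADER = struct.Struct(">BI")
TAG_LEN = 8  # a 64-bit tag keeps frames short on slow serial links


class FrameError(Exception):
    """Raised for any frame the receiver must discard."""


def protect(key: bytes, unit: int, seq: int, payload: bytes) -> bytes:
    """Wrap a plaintext control frame as header || payload || tag.

    The tag covers the header too, so the unit address and sequence
    number cannot be altered without detection.
    """
    header = HEADER.pack(unit, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Verifies frames from one peer; a strictly increasing counter defeats replay."""

    def __init__(self, key: bytes, unit: int) -> None:
        self.key = key
        self.unit = unit
        self.last_seq = -1

    def unprotect(self, frame: bytes) -> bytes:
        if len(frame) < HEADER.size + TAG_LEN:
            raise FrameError("short frame")
        header = frame[:HEADER.size]
        body = frame[HEADER.size:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        # compare_digest runs in constant time; a plain == would leak tag bytes via timing
        if not hmac.compare_digest(tag, expected):
            raise FrameError("bad tag")
        unit, seq = HEADER.unpack(header)
        if unit != self.unit:
            raise FrameError("wrong unit")
        if seq <= self.last_seq:
            raise FrameError("replay")
        self.last_seq = seq
        return body


def overhead_us(key: bytes, payload: bytes, rounds: int = 2000) -> float:
    """Average microseconds to protect and verify one frame, i.e. the cost
    that has to fit inside the control loop's polling interval."""
    rx = Receiver(key, unit=7)
    start = time.perf_counter()
    for seq in range(rounds):
        rx.unprotect(protect(key, 7, seq, payload))
    return (time.perf_counter() - start) / rounds * 1e6


def demo() -> dict:
    """Run the three cases a practitioner wants to see and return the outcomes."""
    key = bytes(range(32))          # constructed shared key, not a real one
    rtu = Receiver(key, unit=7)
    cmd = b"\x06\x00\x10\x01\x00"   # constructed Modbus-like "write register" payload
    results = {}

    # 1. A genuine command verifies and yields the original payload.
    frame = protect(key, 7, 1, cmd)
    results["genuine"] = rtu.unprotect(frame) == cmd
    results["bytes_added"] = len(frame) - len(cmd)

    # 2. Flipping the written value in transit (false data injection) is caught.
    tampered = bytearray(frame)
    tampered[HEADER.size + 3] ^= 0xFF
    try:
        rtu.unprotect(bytes(tampered))
        results["tampered"] = False
    except FrameError as err:
        results["tampered"] = str(err) == "bad tag"

    # 3. Replaying the genuine frame is caught even though its tag is valid.
    try:
        rtu.unprotect(frame)
        results["replay"] = False
    except FrameError as err:
        results["replay"] = str(err) == "replay"

    results["overhead_us"] = overhead_us(key, cmd)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the three outcomes and the overhead in microseconds per frame. The figure on a desktop processor is small; the number that matters for a deployment is the one measured on the remote unit's own processor, which is where the timing and component constraints described above apply.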
The new FOIA exemptions created in the Homeland Security Act of 2002 may
provide a higher volume, freer exchange of information between the federal
government and industry, as industry may become more forthcoming about potential
vulnerabilities. Policymakers may wish to inquire into whether vulnerabilities
transmitted to the federal government are eventually reduced, and how the
information being provided to the federal government is used.
Policymakers may also wish to assess the effectiveness of the Department of
Homeland Security in coordinating security enhancements to control systems,
promoting government/industry partnerships, and performing risk and vulnerability
assessments. With the concentration of previously existing agencies into the
Directorate of Information Analysis and Infrastructure Protection, previous
duplication of effort may be removed, but critics have suggested that difficulties in
integrating these agencies may lead to a reduction in effectiveness.
75 See, for example, Alan S. Brown, “SCADA vs. the Hackers,” Mechanical Engineering,
December, 2002.
76 William F. Rush and John A. Kinast, “Here’s What You Need To Know To Protect
SCADA Systems From Cyber-Attack,” Pipeline & Gas Journal, February 2003.
77 Jennifer Alvey, “Digital Terrorism: Holes in the Firewall? Plugging Cyber Security Holes
Isn’t as Easy as Everyone Wants to Think,” Public Utilities Fortnightly, March 15, 2002.