By using this website you allow us to place cookies on your computer. Please read our Privacy Policy for more details.

Critical Infrastructure: Control Systems and the Terrorist Threat

View Publication


 

Publication Date: January 2004

Publisher: Library of Congress. Congressional Research Service

Author(s):

Research Area: Government

Type:

Abstract:

Much of the U.S. critical infrastructure is potentially vulnerable to cyber-attack. Industrial control computer systems involved in this infrastructure are specific points of vulnerability, as cyber-security for these systems has not been previously perceived as a high priority. Industry sectors potentially affected by a cyber-attack on process control systems include the electrical, telephone, water, chemical, and energy sectors.

The federal government has issued warnings regarding increases in terrorist interest in the cyber-security of industrial control systems, citing international terrorist organization interest in critical infrastructure and increases in cyber-attacks on critical infrastructure computer systems. The potential consequences of a successful cyber-attack on critical infrastructure industrial control systems could be high and range from a temporary loss of service to catastrophic infrastructure failure affecting multiple states for an extended duration.

The National Strategy for Securing Cyberspace, released in February 2003, contains a number of suggestions regarding security measures for control systems. A focus on the further integration of public/private partnerships and information sharing is described, along with suggestions that standards for securing control systems be developed and implemented.

The Homeland Security Act of 2002 (P.L. 107-296) conglomerated several federal entities that play a role in cyber-security of control systems into the Department of Homeland Security. These entities include the Critical Infrastructure Assurance Office, the National Infrastructure Protection Center, the National Infrastructure Simulation and Analysis Center, and parts of the Department of Energy’s Office of Energy Assurance. Additionally, the Homeland Security Act of 2002 created a new class of information, critical infrastructure information, which can be withheld from the public by the federal government.

Research and other efforts into increasing the cyber-security of control systems occurs both at federal government facilities and through industry groups in critical infrastructure sectors. The Department of Energy National Laboratories, the Department of Defense, and the National Institute of Standards and Technology all have programs to assess and ameliorate the cyber-vulnerabilities of control systems. Industry-based research into standards, best practices, and control system encryption is ongoing in the natural gas and electricity sector.

Possible policy options for congressional consideration include further development of uniform standards for infrastructure cyber-protection; growth in research into security methods for industrial control systems; assessing the effectiveness of the new exemptions to the Freedom of Information Act; and the integration of previous offices in the new Department of Homeland Security.

This report will be updated as events warrant.