GAO: Fresh approach to infrastructure security needed

Electric power grids, water utilities, train signal systems and other critical control systems often lack the computer processing power needed to implement traditional information technology security controls, according to a new report from the Government Accountability Office.

This puts the systems at increased risk of devastating cyber attacks that could disrupt the availability of electricity, water and other critical functions, GAO said.

Existing IT security technologies, such as authentication, encryption and intrusion detection, are infrequently implemented at control systems, the report states. This is because the control systems typically were built for specific tasks and round-the-clock operation and do not have adequate bandwidth, memory or computer processing power to handle additional tasks.

To solve the problem will require development of new IT security technologies, greater use of existing technologies when feasible, organizational changes in the industries involved and federal leadership, GAO said.

The nation needs a federal strategy, and more effective private-sector strategies, to improve the security of such systems, GAO concluded.

Although some work has occurred in developing such strategies, it has been hindered by a lack of information sharing and a lack of immediate incentives by owners and operators of the systems to make investments in strengthening IT security, GAO said. Without the ability to share information and without incentives to invest in better IT security, process control systems will continue to be at risk of severely damaging attacks.

"If key vulnerability information is not in the hands of those who can mitigate its potentially severe consequences, there is an increased risk that attacks on control systems could cause a significant disruption of our nation's critical infrastructure," the report said.

IT contractors stand to benefit from opportunities in securing such systems. At the same time, IT executives are likely to face technical and organizational challenges in applying solutions to control systems. For example, one of the organizational challenges is the tendency for IT security personnel and control systems engineers to have different priorities in addressing concerns about security and operation, GAO said.