Ensuring Critical Infrastructure Protection
Figure 6: Examples of Critical Infrastructures (clockwise from upper left: chemical plants, nuclear power plants, hydroelectric dams, and railroads)

Sources (clockwise from upper left): © Corbis, PhotoDisc, © Corbis, Digital Vision.
DHS faces challenges in meeting its responsibilities to protect the nation’s vast critical infrastructure—18 broad-ranging sectors including banking and finance, chemicals, communications, energy, public health and health care, transportation, and defense. Given that these sectors are largely owned and operated by the private sector or state and local governments, numerous parties have responsibility for securing and maintaining these networks. Key challenges include the following:
- The Comprehensive National Cybersecurity Initiative (CNCI) consists of a set of projects aimed at reducing vulnerabilities, protecting against intrusions, and anticipating future threats. The White House and federal agencies have taken steps to plan and coordinate CNCI activities by establishing several interagency working groups. However, CNCI faces several challenges, such as in defining roles and responsibilities of federal agencies for cybersecurity; establishing measures of effectiveness; and reaching agreement on the scope of its educational and public awareness efforts.
- Private sector stakeholders reported that they expect their federal partners to provide usable, timely, and actionable cyber threat information and alerts; access to sensitive or classified information; a secure mechanism for sharing information; security clearances; and a single centralized government cybersecurity organization to coordinate government efforts. However, according to private sector stakeholders, federal partners are not consistently meeting these expectations. Federal partners are taking steps that may address the key expectations of the private sector, including developing new information-sharing arrangements. However, while the ongoing efforts may address the public sector's ability to meet the private sector's expectations, much work remains to fully implement improved information sharing.
Highlights of GAO-10-628 (PDF)
- DHS issued guidance in 2006 that instructed lead federal agencies, referred to as sector-specific agencies, to develop plans for protecting the sector’s critical cyber and other (physical) infrastructure. These agencies issued plans in 2007, but GAO found that none fully addressed all 30 cyber security-related criteria identified in DHS’s guidance. Although DHS has reported many efforts under way and planned to improve the cyber content of sector-specific plans, sector-specific agencies have yet to update their respective sector-specific plans to fully address key DHS cyber security criteria. DHS has issued guidance specifically requesting that the sectors address cyber criteria shortfalls in their 2010 sector-specific plan updates. Until the plans are issued, it is not clear whether they will fully address cyber requirements. Accordingly, the continuing lack of plans that fully address key cyber criteria has reduced the effectiveness of the existing sector planning approach and thus increases the risk that the nation’s cyber assets have not been adequately identified, prioritized, and protected.
Highlights of GAO-09-969 (PDF)
- Some sectors must depend on other sectors to function and provide assistance when responding to and recovering from an attack or disaster. However, it is unclear how much progress sectors have made in identifying these interdependencies, which may make it difficult for sectors to ensure that they can access needed technologies, energy sources, and other sector assets during recovery.
Highlights of GAO-08-113 (PDF), Highlights of GAO-07-706R (PDF)
What Needs to Be Done
- DHS and the National Cybersecurity Coordinator should, in collaboration with the sector lead agencies, coordinating councils, and the owners and operators of the associated five critical infrastructure sectors (1) focus their information-sharing efforts, including their relevant pilot projects, on the most desired services, and (2) bolster the efforts to build out the National Cybersecurity and Communications Integration Center as the central focal point for leveraging and integrating the capabilities of the private sector, civilian government, law enforcement, the military, and the intelligence community.
Highlights of GAO-10-628 (PDF)
- DHS needs to assess whether the existing sector-specific planning process should continue to be the nation’s approach to securing cyber and other critical infrastructure and, in doing so, consider whether proposed and other options would provide more effective results.
Highlights of GAO-09-969 (PDF)
- For computer-reliant critical infrastructure, DHS needs to improve its coordination with stakeholders when planning for incident response and recovery, conducting exercises, completing continuity plans for federal systems, and planning for the recovery of Internet functions.
Highlights of GAO-08-588 (PDF), Highlights of GAO-08-825 (PDF), Highlights of GAO-08-113 (PDF), and Highlights of GAO-08-1075T (PDF)
- DHS needs to fully address its key cyber analysis and warning responsibilities related to monitoring networks, analyzing anomalies, providing timely warnings, and responding to threats.
Highlights of GAO-08-212 (PDF), Highlights of GAO-08-588 (PDF), Highlights of GAO-08-825 (PDF), and Highlights of GAO-08-1157T (PDF)
- DHS needs to continue to work with stakeholders to identify asset interdependencies within and across sectors so that it can use this information to plan future protective measures for assets that may be critical to the function of multiple sectors.
Highlights of GAO-08-113 (PDF), Full Report of GAO-07-706R (PDF, 18 pages)
Key Reports
Critical Infrastructure Protection
GAO-10-628, Jul 15, 2010
Cyberspace
GAO-10-606, Jul 2, 2010
Cybersecurity
GAO-10-338, Mar 5, 2010
Critical Infrastructure Protection
Critical Infrastructure Protection
Critical Infrastructure Protection
GAO-08-825, Sep 9, 2008
Cyber Analysis and Warning
Plum Island Animal Disease Center
GAO-08-306R, Dec 17, 2007
Critical Infrastructure Protection
GAO-08-119T, Oct 17, 2007
Critical Infrastructure
Critical Infrastructure
Critical Infrastructure Protection
GAO-07-39, Oct 16, 2006







