Skip to Highlights
Highlights

Control systems--computer-based systems that monitor and control sensitive processes and physical functions--perform vital functions in many of our nation's critical infrastructures, including electric power, oil and gas, water treatment, and chemical production. The disruption of control systems could have a significant impact on public health and safety, which makes securing them a national priority. GAO was asked to (1) determine cyber threats, vulnerabilities, and the potential impact of attacks on critical infrastructure control systems; (2) determine the challenges to securing these systems; (3) identify private sector initiatives to strengthen the cybersecurity of control systems; and (4) assess the adequacy of public sector initiatives to strengthen the cybersecurity of control systems. To address these objectives, we met with federal and private sector officials to identify risks, initiatives, and challenges. We also compared agency plans to best practices for securing critical infrastructures.

Skip to Recommendations

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Homeland Security To improve federal government efforts to secure control systems governing critical infrastructure, the Secretary of the Department of Homeland Security should develop a strategy to guide efforts for securing control systems, including agencies' responsibilities, as well as overall goals, milestones, and performance measures.
Closed - Implemented
In response to this recommendation, DHS issued a 2009 Strategy for Securing Control Systems which included agencies' responsibilities and overall goals. In addition, DHS worked with the public and private sectors to establish roadmaps and plans which include milestones and performance measures. As a result of these actions, DHS has improved the federal government's ability to coordinate activities to improve the security of critical infrastructure control systems.
Department of Homeland Security To improve federal government efforts to secure control systems governing critical infrastructure, the Secretary of the Department of Homeland Security should establish a rapid and secure process for sharing sensitive control system vulnerability information with critical infrastructure control system stakeholders, including vendors, owners, and operators.
Closed - Implemented
In response to this recommendation, in 2010, DHS established a standardized process to share vulnerability information securely with control system stakeholders. The process includes steps to address the handling of incoming and outgoing communications, and the analysis and reporting of vulnerability information. As a result of establishing this process, federal agencies are equipped to more effectively and securely share vulnerability information with critical infrastructure stakeholders and DHS can more effectively serve as a focal point in the collection and dissemination of sensitive vulnerability information.

Full Report