Critical Infrastructure: Control Systems and the Terrorist Threat (CRS Report for Congress)
Premium Purchase PDF for $24.95 (22 pages)
add to cart or
subscribe for unlimited access
Pro Premium subscribers have free access to our full library of CRS reports.
Subscribe today, or
request a demo to learn more.
| Release Date |
Revised Jan. 20, 2004 |
| Report Number |
RL31534 |
| Report Type |
Report |
| Authors |
Dana A. Shea, Resources, Science and Industry Division |
| Source Agency |
Congressional Research Service |
| Older Revisions |
-
Premium Revised July 14, 2003 (19 pages, $24.95)
add
-
Premium Revised April 23, 2003 (17 pages, $24.95)
add
-
Premium Revised Feb. 21, 2003 (17 pages, $24.95)
add
-
Premium Oct. 1, 2002 (16 pages, $24.95)
add
|
Summary:
Much of the U.S. critical infrastructure is potentially vulnerable to cyber-attack. Industrial
control
computer systems involved in this infrastructure are specific points of vulnerability, as cyber-security
for these systems has not been previously perceived as a high priority. Industry sectors potentially
affected by a cyber-attack on process control systems include the electrical, telephone, water,
chemical, and energy sectors.
The federal government has issued warnings regarding increases in terrorist interest in the
cyber-security of industrial control systems, citing international terrorist organization interest in
critical infrastructure and increases in cyber-attacks on critical infrastructure computer systems. The
potential consequences of a successful cyber-attack on critical infrastructure industrial control
systems range from a temporary loss of service to catastrophic infrastructure failure affecting
multiple states for an extended duration.
The National Strategy for Securing Cyberspace , released in February 2003,
contains a number
of suggestions regarding security measures for control systems. A focus on the further integration
of public/private partnerships and information sharing is described, along with suggestions that
standards for securing control systems be developed and implemented.
The Homeland Security Act of 2002 ( P.L. 107-296 ) transferred and integrated several federal
entities that play a role in cyber-security of control systems into the Department of Homeland
Security. These entities include the Critical Infrastructure Assurance Office, the National
Infrastructure Protection Center, the National Infrastructure Simulation and Analysis Center, and
parts of the Department of Energy's Office of Energy Assurance. Additionally, the Homeland
Security Act of 2002 created a new class of information, critical infrastructure information, which
can be withheld from the public by the federal government.
Efforts in increasing the cyber-security of control systems occur both at federal government
facilities and, in critical infrastructure sectors, through industry groups. The Department of Energy
National Laboratories, the Department of Defense, and the National Institute of Standards and
Technology all have programs to assess and ameliorate the cyber-vulnerabilities of control systems.
Industry-based research into standards, best practices, and control system encryption is ongoing in
the natural gas and electricity sector.
Possible policy options for congressional consideration include further development of uniform
standards for infrastructure cyber-protection; growth in research into security methods for industrial
control systems; assessing the effectiveness of the new exemptions to the Freedom of Information
Act; and the integration of previous offices in the new Department of Homeland Security.
This report will be updated as events warrant.
