DHS: Many critical facilities are at risk
But department lacks the teeth to force local authorities to fix infrastructure vulnerabilities
DHS needs more authority to ensure that the private sector and state and local governments secure supervisory control systems, GAO's Robert F. Dacey says.
The Homeland Security Department has identified 1,700 facilities at risk in the nation's critical infrastructures, but it lacks the authority to force corrections by companies or state and local governments.
The Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census held a hearing recently on the threat from poorly secured process-control systems, which form a nexus of the nation's physical and IT infrastructures.
DHS' Protective Services Division has an organization to address these vulnerabilities, division director James F. McDonnell said.
'Since most process-control systems reside in the private sector, our ability to effect change' sometimes is stymied by business factors out of DHS' control, McDonnell said.
Although there is no mandate for companies or state and local governments to correct infrastructure vulnerabilities, McDonnell said his division can use DHS grants and the threat of federal regulation in a carrot-and-stick approach.
Vulnerabilities in supervisory control and data acquisition, or SCADA, systems are a growing threat, said Robert F. Dacey, the General Accounting Office's director of information security issues.
SCADA systems are increasingly built from standard software whose vulnerabilities are well known.
GAO recommended that DHS 'develop and implement a strategy for coordinating with the private sector and other government agencies to improve control system security.'
McDonnell said that was the job of his division.
'I am the accountable executive at DHS for that,' he said.
Because the critical infrastructures overseen by the division include SCADA systems, McDonnell said, he works closely with Amit Yoran, director of the department's National Cyber Security Division.
The Protective Services Division assumed its responsibilities from the FBI and is concerned with the nuts and bolts of securing facilities, whereas the Cyber Security Division is concerned with national and global systemwide threats.
Soft targets
The current list of 1,700 vulnerable facilities, which McDonnell called soft targets, covers both private and government facilities ranging from chemical plants and shopping malls to dams and bridges.
DHS compiled the list primarily from states' reports. Because the list dates back to last fall, several months before the Dec. 31 deadline for state reporting, it is incomplete, McDonnell said.
'It probably is going to be another two cycles before we are aware of all the things out there that need protection,' he said. He estimated at least 2,000 soft targets.
McDonnell said DHS has no oversight or enforcement authority, and his division's job is to collaborate with local authorities in correcting problems.
'We are trying to push these activities to the local level,' he said. But because much of the security and remediation work is 'inside the gate' of private facilities and the responsibility of owners, DHS cannot require that the work be done.
In its study of SCADA vulnerabilities, GAO found that many problems persist because of private-sector 'concerns that it may not be economically feasible' to correct them, Dacey said.
McDonnell discounted the concerns.
'My experience to date is that it is not a real problem,' he said. 'People are sensitive to being attacked,' and most people 'want to do the right thing.'
McDonnell said many problems, such as securing or disallowing remote connections, can be fixed inexpensively with DHS grants to cash-strapped local governments.
'There is plenty of money in place to do specific things,' he said. 'If cooperation is not forthcoming, offenders can be told, "You are likely to be dealing with regulations down the road." There is a coercive element in this.'