DHS struggles to close vulnerabilities in nation's infrastructure

DHS struggles to close vulnerabilities in nation's infrastructure

The Homeland Security Department has identified 1,700 facilities across the country that pose a risk to the nation's critical infrastructure but lacks the authority to mandate companies and state and local government correct vulnerabilities, a DHS official told lawmakers yesterday.

'Since most process control systems reside in the private sector, our ability to always effect change are sometimes affected by business factors that we cannot control,' said James F. McDonnell, director of DHS' Protective Security Division. He testified before the Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

A chief source of the weaknesses are supervisory control and data acquisition systems, added Robert F. Dacey, the General Accounting Office's director of information security issues. SCADA systems, which form the nexus of IT and physical infrastructure, pose a growing threat because of increasingly standardized software, network and remote connectivity and the availability of detailed data about the systems, he said.

In a new report, GAO recommended that DHS 'develop and implement a strategy for coordinating with the private sector and other governmental agencies to improve control system security.'

McDonnell said that's his job. 'I am the accountable executive at DHS for that,' he said. His division has established a Control Systems Section to identify and reduce infrastructure vulnerabilities. The section's asset identification shop'or targeting branch'identified the 1,700 soft targets from information reported to DHS by states. Of those targets, 565 have SCADA systems associated with them.

Dacey said vulnerabilities in these systems persist because of companies' 'concerns that it may not be economically feasible' to correct them.

McDonnell acknowledged there is no mandate for industry or local government organizations to spend money to correct problems, but that is not a big problem because most stakeholders want to do the right thing and DHS is making grant money available to states.

'There is plenty of money to do specific things,' McDonnell said. And if owners of facilities refuse to correct significant problems, they can be threatened with federal regulation 'down the road.'

'So there is a coercive element in this,' he added.

The subcommittee's chairman, Rep. Adam Putnam (R-Fla.), said asked McDonnell's to report back to Congress with a dollar amount for correcting problems in the 1,700 facilities, so that lawmakers could decide if and how to fund the work.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

  • Marines on patrol (US Marines)

    Using AVs to tell friend from foe

    The Defense Advanced Research Projects Agency is looking for ways autonomous vehicles can make it easier for commanders to detect and track threats among civilians in complex urban environments without escalating tensions.

Stay Connected