[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]
TELECOMMUNICATIONS AND SCADA: SECURE LINKS OR OPEN PORTALS TO THE
SECURITY OF OUR NATION'S CRITICAL INFRASTRUCTURE?
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY, INFORMATION
POLICY, INTERGOVERNMENTAL RELATIONS AND
THE CENSUS
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
SECOND SESSION
__________
MARCH 30, 2004
__________
Serial No. 108-196
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
______
U.S. GOVERNMENT PRINTING OFFICE
95-799 WASHINGTON : 2004
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON GOVERNMENT REFORM
TOM DAVIS, Virginia, Chairman

Majority members:
DAN BURTON, Indiana
CHRISTOPHER SHAYS, Connecticut
ILEANA ROS-LEHTINEN, Florida
JOHN M. McHUGH, New York
JOHN L. MICA, Florida
MARK E. SOUDER, Indiana
STEVEN C. LaTOURETTE, Ohio
DOUG OSE, California
RON LEWIS, Kentucky
JO ANN DAVIS, Virginia
TODD RUSSELL PLATTS, Pennsylvania
CHRIS CANNON, Utah
ADAM H. PUTNAM, Florida
EDWARD L. SCHROCK, Virginia
JOHN J. DUNCAN, Jr., Tennessee
NATHAN DEAL, Georgia
CANDICE S. MILLER, Michigan
TIM MURPHY, Pennsylvania
MICHAEL R. TURNER, Ohio
JOHN R. CARTER, Texas
MARSHA BLACKBURN, Tennessee
PATRICK J. TIBERI, Ohio
KATHERINE HARRIS, Florida

Minority members:
HENRY A. WAXMAN, California
TOM LANTOS, California
MAJOR R. OWENS, New York
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
DANNY K. DAVIS, Illinois
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
DIANE E. WATSON, California
STEPHEN F. LYNCH, Massachusetts
CHRIS VAN HOLLEN, Maryland
LINDA T. SANCHEZ, California
C.A. ``DUTCH'' RUPPERSBERGER, Maryland
ELEANOR HOLMES NORTON, District of Columbia
JIM COOPER, Tennessee
BERNARD SANDERS, Vermont (Independent)
Melissa Wojciak, Staff Director
David Marin, Deputy Staff Director/Communications Director
Rob Borden, Parliamentarian
Teresa Austin, Chief Clerk
Phil Barnett, Minority Chief of Staff/Chief Counsel
Subcommittee on Technology, Information Policy, Intergovernmental
Relations and the Census
ADAM H. PUTNAM, Florida, Chairman

Majority members:
CANDICE S. MILLER, Michigan
DOUG OSE, California
TIM MURPHY, Pennsylvania
MICHAEL R. TURNER, Ohio

Minority members:
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts

Ex Officio:
TOM DAVIS, Virginia
HENRY A. WAXMAN, California
Bob Dix, Staff Director
Dan Daly, Professional Staff Member
Juliana French, Clerk
Adam Bordes, Minority Professional Staff Member
C O N T E N T S
----------
Hearing held on March 30, 2004
Statement of:
    Dacey, Robert F., Director, Information Security Issues, U.S.
    General Accounting Office; and James F. McDonnell, Director,
    Protective Security Division, Department of Homeland Security
    Weiss, Joseph, executive consultant, KEMA, Inc.; Dan Verton,
    senior writer, Computerworld Magazine; Gerald S. Freese,
    director of enterprise information security, American Electric
    Power; and Jeffrey H. Katz, enterprise IT consultant, PSEG
    Services Corp.
Letters, statements, etc., submitted for the record by:
    Clay, Hon. Wm. Lacy, a Representative in Congress from the
    State of Missouri, prepared statement of
    Dacey, Robert F., Director, Information Security Issues, U.S.
    General Accounting Office, prepared statement of
    Freese, Gerald S., director of enterprise information
    security, American Electric Power, prepared statement of
    Katz, Jeffrey H., enterprise IT consultant, PSEG Services
    Corp., prepared statement of
    McDonnell, James F., Director, Protective Security Division,
    Department of Homeland Security, prepared statement of
    Miller, Hon. Candice S., a Representative in Congress from
    the State of Michigan, prepared statement of
    Putnam, Hon. Adam H., a Representative in Congress from the
    State of Florida, prepared statement of
    Verton, Dan, senior writer, Computerworld Magazine, prepared
    statement of
    Weiss, Joseph, executive consultant, KEMA, Inc., prepared
    statement of
TELECOMMUNICATIONS AND SCADA: SECURE LINKS OR OPEN PORTALS TO THE
SECURITY OF OUR NATION'S CRITICAL INFRASTRUCTURE?
----------
TUESDAY, MARCH 30, 2004
House of Representatives,
Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:05 p.m., in
room 2154, Rayburn House Office Building, Hon. Adam H. Putnam
(chairman of the subcommittee) presiding.
Present: Representatives Putnam, Miller, and Clay.
Staff present: Bob Dix, staff director; John Hambel, senior
counsel; Dan Daly, professional staff member and deputy
counsel; Juliana French, clerk; Suzanne Lightman, fellow; Erik
Glavich, legislative assistant; David McMillen and Adam Bordes,
minority professional staff members; and Cecelia Morton,
minority office manager.
Mr. Putnam. Good afternoon. A quorum being present, this
hearing of the Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census will come to order.
I want to thank everyone for joining us for another
important hearing on cyber security. I want to welcome all of
you to this hearing entitled, ``Telecommunications and SCADA:
Secure Links or Open Portals into the Security of the Nation's
Critical Infrastructure.''
Clearly, the issue of protecting the cyber element of our
Nation's critical infrastructure is of paramount concern to
this subcommittee and we will continue to examine these matters
comprehensively.
This is our second hearing dealing with the issue of SCADA
or industrial control systems. Our first hearing was a closed
hearing. Through our hearings and other high level briefings,
it has become abundantly clear that our Nation is not protected
sufficiently from cyber attack against our critical
infrastructure. Given the fact that roughly 80 percent of these
systems are owned or controlled by the private sector, it is
important that we work collaboratively and aggressively to
address this matter. The testimony today will, obviously, not
reveal specific vulnerabilities; but I hope it will raise the
alarm so that necessary steps will be taken to secure our
critical infrastructure from the potential of cyber attack.
Additionally, this hearing will focus attention on the
telecommunications that connect SCADA devices to their control
and monitoring networks and review the associated
vulnerabilities.
Industrial control systems, often referred to as SCADA,
which is an acronym for Supervisory Control and Data
Acquisition, underlie most of the infrastructure that makes
everyday life possible in America.
These systems support the processes that manage our water
supply and treatment plants; control the pipeline distribution
system and the electric power grid; operate nuclear and
chemical power plants; and support the manufacturing of food
and medicines, just to name a few.
The Nation's health, wealth, and security rely on these
systems, but, until recently, computer security for these
systems was not a major focus. As a result, these systems on
which we rely so heavily are undeniably vulnerable to cyber
attack or terrorism.
When I first began to inquire about this topic, I must say
that I did not necessarily grasp the scope of the challenge.
The more I have learned, the more concerned I have become. The
critical infrastructure of our Nation lies mostly in private
hands and this Nation is dependent upon their assessment of
risk and, certainly, profit. Many private sector firms are not
convinced of the business case to invest their resources in
information security upgrades. Clearly, there is a much wider
acknowledgement of potential physical threats at this point.
But make no mistake, the cyber threat is real, it is 24 x 7, it
could come from anywhere, and we must take this threat just as
seriously.
In a book just published, Thomas Reed, a former Air Force
Secretary, details how our Government allowed the Soviets to
steal software used to run gas pipelines. What the Soviets did
not know is that the United States had sabotaged the software
to cause explosions in a Siberian natural gas line.
I became so concerned about the security of our SCADA
systems that I have asked the General Accounting Office to
report to the Congress on the state of SCADA in America. GAO
has produced an outstanding product and we are releasing the
report at today's hearing.
Months ago, at our first SCADA hearing, I said, ``It is
also apparent to me that we have not developed a comprehensive
strategy for addressing this weakness in our critical
infrastructure.''
In today's GAO report they conclude: ``We are recommending
that the Secretary of DHS develop and implement a strategy for
coordinating with the private sector and other government
agencies to improve control system security, including
developing an approach for coordinating the various ongoing
efforts to secure control systems. This strategy should also be
addressed in the comprehensive national infrastructure plan
that the department is tasked to complete by December 2004.''
I look forward to today's GAO testimony as they provide
more detail on their findings. As a farmer, I rely on SCADA
systems in local dams to prevent my fields from flooding and
putting me out of business. It had never occurred to me that
the potential threat from a computer somewhere half way around
the world might exceed the harm that could be perpetrated by
Mother Nature.
I have learned that today's SCADA systems have been
designed with little or no attention to computer security. Data
is often sent as clear text; protocols for accepting commands
are open, with no authentication required; and communications
channels are often wireless, leased lines, or the Internet
itself. Remote access into these systems for vendors and
maintenance is common. In addition, information about SCADA
systems is widely available. Not only are they increasingly
based on common operating systems with well-known
vulnerabilities, but also information about their
vulnerabilities has been widely posted on the World Wide Web.
Contributing to the security challenge is the requirement
for public disclosure about the use of public airwaves.
Utilities, factories, and power plants must register the
frequencies that they use and provide detailed information on
the location and structure of their communications networks.
Sensitive information about these critical infrastructure
systems is easily available. This is a special concern for
communications systems that are easily interfered with, such as
wireless.
Finally, SCADA systems now also seem to be victims of
common Internet dangers. It has been reported that the blackout
this summer may have been partially exacerbated due to the
widespread Blaster worm, which disrupted communications among
data centers controlling the grid. The Nuclear Regulatory
Agency has warned nuclear power plants about infiltration by
the worms and viruses after a nuclear plant's systems were
infected by a contractor's laptop.
According to U.S. law enforcement and intelligence
agencies, SCADA systems, specifically water supply and
wastewater management systems, have been the targets of probing
by Al Qaeda terrorists. Some Government experts have concluded
that terrorists have existing plans to use the Internet as an
instrument of bloodshed, by attacking the juncture of cyber
systems and the physical systems they control. A recent
National Research Council report has identified ``the potential
for attack on control systems'' as requiring ``urgent
attention.''
America must not be so focused on preventing physical
attacks that we leave our cyber back door wide open and
unattended. The tragedy of September 11 has taught us that we
must imagine the unimaginable, prepare for the unthinkable, and
not leave any stone unturned. To do so could mean devastating
economic losses and tragic loss of life. The threat is real and
the time to act has long since passed.
I look forward to the testimony from today's witnesses and
I thank you for your contribution to the security of our
Nation. Today's hearing can be viewed live via Web cast by
going to Reform.House.Gov and clicking on the link under ``Live
Committee Broadcast.''
[The prepared statement of Hon. Adam H. Putnam follows:]
[Prepared statement printed as graphic images T5799.001 through T5799.003; not reproduced in this text version.]
Mr. Putnam. I want to welcome the distinguished ranking
member of the subcommittee from Missouri, Mr. Clay, and
recognize him for his opening statement. You are recognized.
Mr. Clay. Thank you, Mr. Chairman, especially for calling
this hearing. I thank the witnesses for taking the time to
share their thoughts with us on how we can best prepare to
secure our Nation's critical infrastructure systems.
As all of us remember, the electricity blackout on the East
Coast during August 2003 was another warning sign of the
trouble which lies ahead should we continue to fail in securing
the control networks that deliver us the necessary services for
our daily activity. Although the Federal Government has made
considerable efforts in producing public-private partnerships
to improve the cyber security of our critical infrastructure
control systems, a tremendous amount of work remains in
coordinating these efforts among Government agencies, private
entities, and standard-setting bodies.
Furthermore, if we fail to establish an enforceable public
policy blueprint for adequate critical infrastructure
protection, how can we expect the necessary implementation of
minimal security requirements for control systems throughout
the private sector?
Like our hearing last Fall, today's testimony from GAO will
detail several challenges inherent in securing both public and
private control systems against cyber threats from both foreign
and domestic sources. They include: our limited technological
capacities in securing such systems, the economic cost in
providing such security, and indecision within many
organizations about making control systems security a priority.
These problems are exacerbated by the introduction of new
technologies that are not always accompanied by adequate
security measures, such as wireless systems. While such systems
are both economically and operationally efficient, many
technology professionals still lack a detailed understanding of
the vulnerabilities contained in wireless systems.
As the subcommittee seeks to define the most practical
public policy remedies for these problems, we must be aware of
all such variables in order to find an appropriate balance for
both governmental and nongovernmental organizations.
As I stated during our hearing on SCADA systems last Fall,
``The solution to cyber security and control systems is similar
to efforts for resolving security issues in Government
computers. The efforts require sound management, skilled and
committed employees, and the understanding that security
involves all employees in an organization, not just the chief
information officer or other designated security officials.''
I hope our witnesses today can provide some further
insights on how our work should proceed in defining an adequate
public policy response in this area. Thank you, Mr. Chairman. I
ask that my written testimony be submitted for the record.
Mr. Putnam. Without objection.
[The prepared statement of Hon. Wm. Lacy Clay follows:]
[Prepared statement printed as graphic images T5799.004 and T5799.005; not reproduced in this text version.]
Mr. Putnam. Thank you, Mr. Clay.
The distinguished vice chair of the subcommittee, the
gentlelady from Michigan is also joining us. You are recognized
for your opening statement, Mrs. Miller.
Mrs. Miller. Thank you, Mr. Chairman. I appreciate your
holding this very important hearing today. I think as we
examine the security of our Nation's critical infrastructure,
we certainly are reminded, unfortunately, of our
vulnerabilities and the importance of securing our Nation's
control systems.
These systems were developed when fears of cyber attacks
were non-existent. Certainly their structure and the lack of
expansive cyber security frameworks typify the attitude of
our Nation, quite frankly, pre-September 11th when we thought
our Homeland was safe from the act of terrorists. But in
today's world, the United States is particularly vulnerable
because the terrorists look to use our freedoms against us.
They look to disrupt our electrical networks, our financial
systems, clearly our way of life. These are the things that we
tend to take for granted. But we have to be proactive so that
we can prevent future attacks from happening.
So the question is, obviously, how can we secure these
systems to the best of our ability. And I am hopeful that the
witnesses who are testifying today can inform us of how Federal
agencies are working with one another, how they are working
with the private sector to provide a reasonable solution to the
problems that we face. Obviously, building a fail-safe system
is impossible but we must strive for what is reasonable. Time
is of the essence because an attack on our critical
infrastructure can happen from anywhere in the world, at any
time. Security of control systems must be given the highest
priority, and new technology must continue to be developed.
I certainly want to thank all the witnesses for testifying
here today. I am looking forward to your testimony. Thank you,
Mr. Chairman.
[The prepared statement of Hon. Candice S. Miller follows:]
[Prepared statement printed as graphic images T5799.006 through T5799.008; not reproduced in this text version.]
Mr. Putnam. Thank you, Mrs. Miller.
I want to welcome our witnesses again. Mr. Dacey is a
frequent flier to the committee. We gave Karen Evans the week
off but brought Mr. Dacey back. And as experienced witnesses,
you understand the light system so I will not rebrief you on
that. As you know, the subcommittee swears in witnesses, and in
addition to the seated witnesses, anyone who is joining you who
will be contributing to your testimony before the subcommittee.
[Witnesses sworn.]
Mr. Putnam. I would note for the record that the witnesses
responded in the affirmative.
We will move directly into testimony. Our first witness is
Mr. Dacey. Mr. Dacey is currently Director of Information
Security Issues at the U.S. General Accounting Office. His
responsibilities include evaluating information systems
security in Federal agencies and corporations, assessing the
Federal infrastructure for managing information security,
evaluating the Government's efforts to protect our Nation's
private and public critical infrastructure from cyber threats,
and identifying best security practices at leading
organizations and promoting their adoption by Federal agencies.
You are recognized for 5 minutes. Welcome to the
subcommittee.
You may proceed.
STATEMENTS OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY
ISSUES, U.S. GENERAL ACCOUNTING OFFICE; AND JAMES F. MCDONNELL,
DIRECTOR, PROTECTIVE SECURITY DIVISION, DEPARTMENT OF HOMELAND
SECURITY
Mr. Dacey. Mr. Chairman and members of the subcommittee, I
am pleased to be here today to participate in the
subcommittee's hearing on the security of control systems. As
you requested, I will briefly summarize my written statement
which is based on our report on control systems that you
released today.
For several years, security risks have been reported in
control systems upon which many of the Nation's critical
infrastructures rely to monitor and control sensitive processes
and physical functions. In addition to general cyber threats,
which have been steadily increasing, several factors have
contributed to the escalation of risks that are specific to
control systems, including the adoption of standardized
technologies with known vulnerabilities, connectivity of
control systems with other networks, insecure remote
communications, and widespread availability of technical
information about control systems.
Control systems can be vulnerable to a variety of attacks.
These attacks could have devastating consequences--such as
endangering public health and safety; damaging the environment;
or causing a loss of production, generation, or distribution by
public utilities. Control systems have already been subject to
a number of cyber attacks, including documented attacks on a
sewage treatment system in Australia in 2000 and, more
recently, on a nuclear power plant in Ohio.
Several challenges must be addressed to effectively secure
control systems, including one, the lack of specialized
security technologies for such systems; two, the perception
that securing control systems may not be economically
justifiable; and three, conflicting priorities within
organizations regarding the security of control systems.
The Department of Homeland Security, other Government
agencies, and the private industry have independently initiated
several efforts intended to improve the security of control
systems. These initiatives include efforts to promote research
and development activities, to develop requirements and
standards for control systems security, to increase security
awareness and information sharing, and to implement effective
security management programs. Our report describes these
initiatives in greater detail.
Further, implementation of our recommendation for the
Department of Homeland Security to develop and implement a
strategy to improve control system security, including better
coordination of these initiatives, can accelerate progress in
securing these critical systems. The department concurred with
our recommendation and reported that improving the security of
control systems against cyber attack is a high priority for the
department.
Additionally, improvements in implementing existing IT
technologies and approaches, such as those discussed in our
recent report to the subcommittee on commercially available
cyber technologies, can accelerate progress in securing these
critical systems, including (1) implementing more secure
architectures with layered security, for example, by segmenting
process control networks with robust firewalls and strong
authentication; (2) establishing effective security management
programs that include appropriate consideration of control
systems; and (3) developing and testing continuity plans within
organizations and industries to ensure safe and continued
operation in the event of an interruption such as a power
outage or a cyber attack, including consideration of
interdependencies on other sectors.
In summary, in the face of increasing cyber risks and
significant challenges in securing control systems, several
initiatives are in progress to improve cyber security of these
systems. However, further efforts are needed to address these
challenges to carry out and better coordinate such initiatives
and to improve implementation of existing technologies and
approaches.
Mr. Chairman and members of the subcommittee, this
concludes my statement. I would be pleased to answer any
questions that you have.
[The prepared statement of Mr. Dacey follows:]
[Prepared statement printed as graphic images T5799.009 through T5799.034; not reproduced in this text version.]
Mr. Putnam. Thank you, Mr. Dacey.
Our second witness on our first panel is James McDonnell.
Mr. McDonnell is the Director of the Protective Security
Division at the Department of Homeland Security. Prior to this
position, Mr. McDonnell was the Director of Energy Assurance at
the Department of Energy, and director of national security
operations at Oak Ridge Associated Universities. Mr. McDonnell
has over 25 years of experience managing national security and
homeland security activities and was a member of the leadership
team assigned to craft the Department of Homeland Security in
the White House Transition Planning Office. In 1995, Mr.
McDonnell completed a 20-year career as an officer in special
operations and special warfare in the U.S. Navy.
I want to welcome you to the subcommittee. We appreciate
the experience that you bring. You are recognized for 5
minutes.
Mr. McDonnell. Good afternoon Chairman Putnam and
distinguished members of the subcommittee. It is an honor to
appear before you today to discuss activities that the
Department of Homeland Security is engaged in regarding process
control systems and our Nation's critical infrastructure. I am
James McDonnell, Director of the Protective Security Division,
part of the Information Analysis and Infrastructure Protection
Directorate within the Department.
Established by the Homeland Security Act, and directed by
Homeland Security Presidential Directives, IAIP is responsible
for reducing the Nation's vulnerability to terrorism by one,
developing and coordinating plans to protect critical
infrastructure and key assets; and two, denying the use of the
infrastructure as a weapon.
Our goal is to ensure a national capacity to detect
indicators of terrorist activity, deter attacks, and devalue
targets, and to defend potential targets against terrorist
threats to our critical infrastructures.
To meet this goal, IAIP identifies those sites and
facilities that may be an attractive target for terrorists
based on risk and identifies how best to reduce those
vulnerabilities. Once we know what we should protect and what
the vulnerabilities are, we conduct risk assessments. We map
threat and vulnerability information. This information is then
used to prioritize the implementation of protective measures
focused on mitigating our Nation's vulnerability to attack and,
more importantly, sharing in a timely manner that information
with State and local officials.
The complexity of the infrastructure requires a
comprehensive understanding of how this ``system of systems''
operates and it is this complexity that adds another dimension
of vulnerability--the use of complex process control systems.
Process control systems are industrial measurement and
control systems used to monitor and control plants and
equipment. They are utilized in numerous industries, including
energy, manufacturing, chemical production and storage, food
processing, and drinking water and water treatment facilities.
These systems are often referred to generically by one of the
most prevalent types, SCADA, Supervisory Control and Data
Acquisition, but there are many other types of these systems.
The systems vary in function, size, complexity, and age.
Some function in an automated fashion. Some rely on a
human/machine interface, where the system provides critical
information upon which an operator bases process control
decisions. Some digital control systems can be reprogrammed
from offsite through dial-up connections or through Web-based
access. This cyber-physical nexus creates a complexity that
requires a comprehensive approach for protection.
To address the protection of these critical systems, IAIP
has developed a comprehensive strategy to protect each element
of process control systems. Our focus is on joint Government-
industry efforts to identify key assets, discover
vulnerabilities, analyze risk, implement effective protective
measures, conduct joint exercises and training, disseminate
information, and develop inherently safer technology. Since
most process control systems reside in the private sector, our
ability to always effect change is sometimes affected by
business factors that we cannot control.
IAIP manages this as a team effort that includes all parts
of the Directorate, including the Protective Security Division,
the National Cyber Security Division, the Infrastructure
Coordination Division, and the National Communication System.
The bulk of the remediation and protective activities are
conducted by PSD and National Cyber Security Division.
Immediate efforts focus on protective measures that can be
implemented within the as-installed/legacy environment, such as
inexpensive technical or procedural changes that can be
implemented at the site and in the immediate future. Near term
efforts include detailed testing and assessment of
vulnerabilities. In the long term, we will work with the
private sector on the development of inherently safer
technology.
As part of PSD, we have established a Control Systems
Section that will oversee the SCADA security program. The
Control Systems Section will identify and reduce
vulnerabilities critical to domestic security related to
control systems. This section also includes the development and
integration of the understanding of offensive capabilities, and
providing relevant hands-on operational support during DHS
heightened security events.
We have identified approximately 1,700 facilities across
the country that we hope to engage in a major vulnerability
reduction effort during fiscal year 2004. Of those sites, we
have identified 565 with process control systems. As
appropriate, reduction in SCADA vulnerabilities will be
undertaken just as reductions in physical vulnerabilities are.
In closing, I would like to reiterate first that SCADA
vulnerabilities are a fact, just like a hole in a perimeter
fence. The problem is that the SCADA vulnerability is not seen
by the casual observer and therefore goes easily unnoticed.
SCADA vulnerabilities are seen by those who would do us harm
through their manipulation and it is incumbent upon IAIP to
ensure that those responsible for protecting America are seeing
them and doing something about it. Finally, as earlier stated,
the Department
of Homeland Security views this as a national effort involving
many directorates within the Department and many organizations,
both public and private, outside DHS.
I would be happy to answer any questions you may have.
[The prepared statement of Mr. McDonnell follows:]
[Prepared statement printed as graphic images T5799.035 through T5799.039; not reproduced in this text version.]
Mr. Putnam. Thank you, Mr. McDonnell. Let me begin with one
of the last things that you said--it is a national issue with
many directorates of the Department of Homeland Security
involved. What one directorate is ultimately accountable for
the successful protection of this critical infrastructure?
Mr. McDonnell. Sir, I am the accountable executive at the
Department of Homeland Security for this effort.
Mr. Putnam. OK. And how do you coordinate then with Amit
Yoran and the cyber security folks?
Mr. McDonnell. Well, Amit and I both work for Bob
Liscouski, who is the Assistant Secretary for Infrastructure
Protection. We talk daily. This is one of the many issues we
deal with. We are in the process of developing a joint package
to understand how we both deal with each part of cyber. When
you look at SCADA, we have Amit looking at the ones and zeroes,
and that is how the hacker is going to come in, some guy
sitting in an Internet cafe in Paris being able to hack in
there or even locally coming in and affecting the code,
rewriting the code. We also have to look at what are the
systems themselves, how can they be intercepted. We are moving
toward wireless technology, which has already been mentioned,
and that adds another dimension of an avenue into the systems.
My teams when they are in the field look at all of the
security considerations at a site. The vulnerability of their
SCADA systems is one of the things that the teams look at. I
have had teams, just since the Department stood up, at the 226
sites around the country, as mentioned in my opening statement;
we are going to be at another 1,700 during this year, and at
every one of those we are looking at the physical nexus: is
there a control box that somebody can get into and tap into,
are there wires set up that use an induction system, so you can
get in and take over the controls.
So Amit and I have to work extremely closely to make sure
we understand what each arm of the organization is doing. But
we are doing it from a different level. He is at a global
level, looking at how people are using the Internet globally,
not just the Internet, but other malicious code types of
attacks, where I am at the local level, looking at what is at
the site, what are the vulnerabilities there that could be
taken advantage of. It is an ongoing process. We talk literally
all the time about this as well as other issues.
Mr. Putnam. Thank you. The users of SCADA seem divided by
their lines of business. The electrical industry does not
necessarily talk to oil and gas industries, does not
necessarily talk to the chemical industry. But according to the
testimony provided by Siemens at our last SCADA hearing, SCADA
systems are largely the same from industry to industry. What
role does the lack of coordination within the private sector
play as you work to solve these problems? I will begin with Mr.
McDonnell and then go to Mr. Dacey.
Mr. McDonnell. Thank you, Mr. Chairman. When PD No. 63 was
written back in 1997, infrastructure protection was stovepiped,
so to speak. It was a Federal agency overseeing the care and
feeding of all the different business sectors out there. So,
for example, prior to the Department of Homeland Security, I
was the Director of Energy Assurance. My responsibility was the
energy sector, there was another department that had the
chemical sector, Treasury had banking and finance, etc.
What has happened now with the President signing HSPD No. 7
several months ago and the creation of the Department is we now
at the Department of Homeland Security are responsible for the
coordination across all of the sectors, with all of the Federal
agencies to ensure that the good things that are happening in
one get to the others.
To your point, SCADA systems, there may be one manufacturer
and maybe one patch that Nork found for the electric grid folks
that may apply in the chemical sector. That is exactly the same
in the other systems that we are dealing with out there. I may
find a physical vulnerability that is common across many
different business sectors.
So the way we are addressing that is my office produces
common vulnerability reports. When I have teams out that are
looking at these things, we ask what is common in different
sectors, at different facilities, and then how do we ensure
that folks that need to do something about it can track those
things down and see if they have the same problem and fix them. We will be
doing that--and we do that to some extent in SCADA right now
but it is still, quite frankly, in its early stages of
development. I have a SCADA common vulnerability report in the
works that I should see before too long that will just be part
of the package along side chemical site security and other
types of things.
The whole concept of this is the Department has to know
where we have specific vulnerabilities. Then we have to pull
back from where that specific vulnerability is, ask the
question, where else are those vulnerabilities, and make sure
that fixes that apply to a specific site in, say, New Jersey
get to the guy in Florida or California that needs the same
information.
Mr. Putnam. Mr. Dacey.
Mr. Dacey. As we discussed in our report, when we were
doing our work in research and talking to a lot of experts in
the SCADA field, the general consensus continued to come back that
there needed to be more coordination. There are a lot of
activities taking place. It, quite frankly, took us quite a bit
of effort to try to put together all of the initiatives we
described in our appendix because they were not readily
available in one central place.
So I think in terms of the interest in the industry, there
is an interest to get together because these SCADA systems
share common vulnerabilities and common problems and some of
the solutions, quite frankly, are common as well. So I think
that is an important area and that is what led to our
recommendation that the Department, in its role as laid out in
the strategy to secure cyber space, put together a strategy for
developing and coordinating those activities in one central
place. And I am pleased to hear today that they are taking
efforts to do that of late. Again, we have not been in and
looking at the Department since we did our report, and I
believe your section was set up sometime in December, if I
recall. So it is good that action is taking place. It is a very
critical element that needs to be carried forward.
The other part of that is the research and development. I
think it is very critical that the folks that are affected by
SCADA systems get together and try to sort out what research
and development needs to be done and needs to be accomplished
to help secure these systems, because, as you discussed in your
opening statement and as we discussed in our report, there is
some inherent insecurity in these systems and they do not have
a lot of capacity to lay on encryption and things of that
nature. So I think that is another area that needs to be looked
at carefully, again through a coordinated effort, in which the
Department should be working with the private sector and other
Government agencies.
Mr. Putnam. Do you have a breakdown, either of you, for
what percent of SCADA systems are in private sector hands
versus Government? But then within the Government, what I am
concerned with is municipalities versus counties versus
regional governments like flood control districts, water
management districts, mosquito control districts, whatever, and
States. If you are talking about a small county on the banks of
the Mississippi River that is managing a very important piece
of the flood control structure, that maybe the Corps does not
have the money to upgrade SCADA systems, certainly, in south
Florida we are dealing with it around Lake Okeechobee and the
Everglades, control structures that are quasi-governmental. Do
they even hit your radar screen, or are you really kind of
focused on the bigger, more visible ones at this point?
Mr. McDonnell. Those absolutely hit our radar screen. The
first part of the process in the Protective Security Division
is what we call the asset identification shop. It is
essentially a domestic targeting branch where we work with
State and local officials, with private industry, with sector-
specific agencies and say what are the things out there we
should be concerned about protecting. We do that absent a
vulnerability analysis initially because we need to know what
are the things, the systems, the specific facilities, the
systems of facilities, that, if affected, would have an impact
that is unacceptable. Now we look at that in four different
ways: First is public health and safety, what are the prompt
effects of an attack on a facility; the second is economic
impact; third is a symbolic nature; and fourth is national
security, and that is the ability to support military
mobilization and those types of things.
We are in the process, for example, of building a new set
of data for fiscal year 2005 and fiscal year 2005 activities
and we have had 13,000 items already submitted to us by the
States after looking at their systems. I have a team, it is the
Asset Identification Section, who is sitting down with their
counterpart agencies and saying, OK, for example, that levee on
the Mississippi, just for the sake of argument, it gets on the
list, the State says this is critically important for crop
protection, or it floods the town. It is incumbent on us then
to help them identify what that is vulnerable to. It may be a
physical attack or it may be a cyber attack. If it is a cyber
attack, then the next step in the process is what can we do
about it.
It sets up a process where we are actually going to
operate, and we are operating now, based on if anyone thinks
that something should be considered for protection, it will be
considered for protection. How far down the road we go of
actually implementing protective actions will depend on the
analysis between that nomination of a facility for protective
actions and the actual implementation of protective measures.
Who does what protective measures will be a collaborative
effort. We have inside the gate activities that need to take
place, for example, where owners and operators have to do
fixes, and we have outside the gate. A major effort underway
now is to create buffer zone security plans. It is taking the
operational environment away from the terrorists in the
vicinity of the targets. We could build fences as high as we
want and we could make a static security environment inside of
a facility be impregnable or seem to be, but if we leave the
area around it open for people to operate in, we leave the
people vulnerable that are trying to protect our facilities.
It is exactly the same in SCADA. We have to know what is
there. We have to know the ways a terrorist could get in. And
then we have to figure out how we plug that hole, so to speak.
Mr. Putnam. Thank you very much. I would like to now
recognize Mrs. Miller for 10 minutes.
Mrs. Miller. Thank you, Mr. Chairman. Mr. McDonnell, if I
could follow up a bit. I tried to take some notes there. You
were saying that the DHS had identified about 1,700 different
facilities thus far. Did you actually do that work yourself?
How did you coordinate and cooperate with the States? Now it is
my understanding that each State was responsible to deliver to
DHS a State plan, their own assessment plan of the kinds of
soft targets that they might find within their respective
States. So I guess my first question is, did you actually do
that work, or was that done by the States?
Mr. McDonnell. It was done in combination. The plan that
the States had to submit was due in at the end of December of
this year. For the grant process for putting funds out to the
States in the fiscal year 2004 appropriations, we were required
by October 15 to brief leadership on the Hill of what we were
going to use for infrastructure protection grants and what
strategy we went through picking facilities. So we actually
this year had to pick facilities pre-dating the inputs that
were coming in through the strategic planning process that the
States were in the process of submitting.
Now that being said, what we did is, over the last year we
have collected a lot of information, we have consolidated that
into a list. I then took that and I met with the Homeland
Security advisors and I said here are the 1,700, what do you
think? For example, there was a shopping mall that ended up on
there that was in the Meadowlands in New Jersey that does not
exist yet. It is licensed, you look at all the business records
and it shows that it is there, but nobody got around to
building it. So we decided to take that off. We are not going
to pour a lot of protection into that. But it was critically
important in that case because Syd Casper, in New Jersey, said,
hey, Jim, we do not have that here, but there is something else
there that does need to be protected. And so it is an iterative
process.
I think, quite frankly, it is going to be another probably
two cycles before we really have a very good handle on all the
different things that are out there that need to be protected.
But it is going to take continuous dialog. Hearings like this
are good. Any time we can get people together to talk about
this and get people thinking about getting the information back
and forth so we can put good plans around things, I think we
win.
The 1,700 sites will probably, by the time we get done with
this cycle with the State, be closer to 2,000 for actions
during this year. We already see a little bit of a bump up.
They are not the top 2,000 critical sites in the country, per
se. But a big part of it is soft targets. We are putting a lot
of effort right now into those areas that do not have any
protection and looking at places where people are gathering and
we could have low level attacks outside of the critical
infrastructures, stadiums, shopping malls, those types of
things. So there is quite a bit of movement in that area as
well as the traditional sites. Included on the list at the top
tier are chemical facilities, the most hazardous facilities,
nuclear plants, rail, bridges, those types of things. And of
that 1,700, there is somewhere in the range of 560 that have
digital control systems that, as we put these buffer zone plans
in place, will be part of the consideration.
Mrs. Miller. Have all the States complied? Where are you
nationwide? Have all the States complied with the requirement
to have their State plan in? And then when they were doing
their State plan, did DHS actually set criteria? I mean, if
you have some State telling you you are going to have a
shopping mall in 5 years and they have that on their plan as
opposed to an existing nuclear facility, there should have been
some criteria as the States were doing their own assessments I
suppose.
Mr. McDonnell. Right. I will have to get back to you on the
specific number. I know we are very near everyone having
submitted those.
Quite frankly, the process that we used in asking the
States to do the submission pre-dates the development of the
division that I run and a lot of the other parts of the
Department. What we did not want to do was, the States were
pretty far down the road getting a strategic plan done, and so
we did not want to stop them and ask them to start all over again.
So that process has continued. What we did in parallel was to
engage with the States to say now let us start talking more
specifically about what criteria we want to use for identifying
critical infrastructure and then how we go forward with that.
So it is an ongoing process. We have the dialog underway,
we have common goals and objectives, we still have to work out
details as far as what is the best reporting scheme going to
be, how do I make sure that one State looks at things the same
way another State does. Honestly, they are going to look at
them differently. I have to understand their perspective and
figure out how I support them and try to get a national
picture.
Mrs. Miller. There has to be a standard I think. And the
States have to look to us, the Federal Government, through you,
to set those standards. And I asked this because you also
mentioned about grants to the States. My State of Michigan I am
aware has submitted their plan, although I do not know what the
plan looks like. We have been told it is not for us to see,
quite frankly. So I am hoping the plan is fine. We did have
Secretary Ridge in my district most recently, and we were
talking about appropriations to DHS based on some of the
criteria as the States were doing their assessments.
I guess I would ask you if you have any comment on this.
For instance, in regards to some of the grants, a big part of
the criteria there is based on population, which makes sense at
first blush. But we have a situation in my district. As I
mentioned, Secretary Ridge came in and we took him on a
helicopter tour--if you can think of Michigan as a mitten, I am
talking about this area here, which is the St. Clair River. We
share a very long liquid border with Canada there and we have
the third busiest border crossing on the Northern tier there
called the Blue Water Bridge, which is the only commercial
corridor on the Northern tier that can accept hazardous
material across, unlike either Buffalo or the Ambassador Bridge
in the city of Detroit. We have the CN rail tunnel there. We
have what we call chemical valley. Sarnia in Canada there has a
number of chemical plants across there. And yet this is a
county that has a very small population base but, obviously,
some unique characteristics in regards to a soft target. So I
do not know if you are able to assist in this, but I certainly
want to keep talking about that, that the criteria for the
grants has to take into consideration a much more global
perspective I think. And it is so important that your
Department continues to work with the States. So I guess my
question would be then, when you get these plans from the
States, what are you doing with them?
Mr. McDonnell. What we are doing now with the States is we
are actually taking their inputs, we are refining what the
lists are, and then we are going out and providing them support
for buffer zone security planning and so on. The population and
population density piece of the formula was used in the Urban
Area Security Initiative which, by definition, was focused on
the large cities. The selection of critical infrastructure
assets for the other grant programs and the activities that my
division is leading does not consider that they have to be in a
city.
So what I would expect in that case, and I will go back and
check on the Blue Water Bridge, is I would expect the Michigan
Homeland Security advisor, if that was not already on the list,
would come back and say, hey, you need to add this, and we
would do so. And then that would just be part of the process,
my teams working with the State and assisting the
State in developing those security plans, identifying where we
can help, and just doing a better job nationally of dealing
with the problem.
Mrs. Miller. I just keep going on about setting the
standards. I think it is so important that the Federal
Government, through your agency, sets the standards, whether it
is for the analysis they are making throughout the States of
their soft targets, or whether they are talking about
setting up communications systems in all the various counties.
The Secretary and many others have mentioned and almost
everybody has agreed that is a priority in every county, right?
Every municipality has such antiquated communication systems
and everybody is running around trying to get grant money to
put into communications systems to talk to one another. There
is sort of a lack of standards, I think, on communications
towers, all of these things. So I mention that to you as well.
Once you have identified, and I do not know if you have
gone this far, but as you have assessed where all of your soft
targets are and that, how will you provide oversight for the
States? How does that part of it work? Would you do that from a
centralized location, from Washington? Would you do that
through your proposed regional homeland security centers
through the DHS? Do you have any next step there on how you
would oversee that?
Mr. McDonnell. Yes. I would use the term verification as
opposed to oversight in that I am not directing the States or
sort of telling them what to do. It is more of an assist role.
And that being said, it is very effective. I do not have any
real problems in dealing with the States in that area.
I inherited a program from the FBI in the transition called
the Key Asset Program, which was a field agent in all 56 of the
field divisions who was responsible for critical infrastructure
protection. I am in the process of hiring new replacement
agents to be in the Secret Service offices throughout the
country who would do sort of the daily care and feeding of
those sites. This is very similar to the way MI-5 does it in
the U.K. I went over and worked with those guys quite a bit to
figure out how they handled this on a national scale.
Say the person I have in Detroit will have a set number of
sites, jurisdictions they have to work with. Their job will be
on a daily basis to visit those places, talk to them, see how
things are going, identify if vulnerabilities have been
plugged, just spot checking, if you will. And those folks,
prior to the regional offices being stood up, will report
directly to my office at headquarters. I have a Secret Service
agent detailed to me to manage that. And then over a period of
time, as the Department's regional offices mature, we will have
protective security detachments in each. Right now, everything
is being run out of headquarters because I do not have regional
and local activities yet. But as that evolves, then those local
guys will work for the regional folks who will work for our
headquarters policy oversight shop in Washington.
But we really want the protective security activities to be
community-based activities, much like the disaster recovery.
The security at a site is not just the company, it is not just
the local sheriff or law enforcement, it is a team effort and
everybody has to be part of that team. So we are trying to push
these activities to the local level. And this again gets to the
difference between Amit Yoran's organization looking at global
activities where there are not people necessarily local, to my
shop really working at boots on the ground, talking face to
face, knowing the people, having a relationship, and being able
to be a reach-back capability for those local folks that need
help.
Mrs. Miller. Just one more question. Both of you gentlemen
are trying to talk about what the necessary safeguards would
be. Obviously, we are talking about dollars here, whether that
be a local municipality, local sheriff's department, or whether
it is a public utility, or what have you. Do you have any ideas
at all about how the private sector might try to pay for some
of these things? A utility, for instance, would have to go
through their State's public service commission, that is what
we call it in Michigan, I do not know what they call it in
every State, to look for rate increases. Or do you think that
some of these utilities or what have you would be looking to
the Federal Government to set sort of a standard, some way of
recouping some of these costs? Are you thinking about that at
all or getting any feedback on that?
Mr. Dacey. In terms of working on our report, again, the
message we heard consistently from a variety of sources,
vendors of SCADA and control systems, industry representatives,
was a concern that it may not be economically feasible for them
to proceed and invest the additional dollars in control systems
security. And as a result of that, some of the vendors
indicated they were not promoting heavily advances in that
area. So we heard that a lot. Again, these are assertions that
were made to us by a wide variety of people.
But I think the issue becomes what level of security is
appropriate. Some of the efforts that are underway to do
research and development to develop standards and some kind of
a basis for expectations, if you will, on what should be done
to secure these technologies I think would be helpful out
there. And then it becomes incumbent upon the private sector and the
States to determine whether or not they are going to be
financially able to afford whatever that level or standard
might be. And I believe in the strategy it talks about the
Department coordinating with the private sector to work on
developing some type of standards. So I think that is an
important area.
We reported in the past, relating to CIP and general
critical infrastructure protection, that the Department now
needs to look at and consider the need for public policy tools
to determine whether or not they are going to be necessary,
whether it be grants, tax incentives, or whatever might be
appropriate, to consider the need for those to provide
additional incentives for the private sector to proceed. There
have been a couple of situations where EPA has provided funding
to do vulnerability assessments at water treatment facilities
for major municipalities, for example.
So there has been some activity. But what we had
recommended was more of a broad based needs assessment to try
to figure out what would be the best incentives for the private
sector and State and local governments. But part of that I
think is really setting an expectation about the level that
needs to be attained and whether or not they are willing to do
that without additional public policy tools.
Mr. McDonnell. Just to follow up on that. As I mentioned, I
was at the Energy Department before I started the office at the
Department of Homeland Security. In my 2-1/2 years, my
experience has been that corporate leadership wants to do the
right thing if they are given the right information. And, quite
frankly, the Federal Government becomes a holder of the
information quite a bit.
And a big part of what we are seeking to do at the
Department of Homeland Security is build the pipes to get the
information out to people so they can make intelligent
decisions. We need to get the specifics of SCADA
vulnerabilities, for example, out of rhetoric and into, hey,
here is a specific thing that is out there. One way to do that
is the development of standards. We are working with the
American Society of Mechanical Engineers, for one, to help us
develop industry-based standards for risk assessment in the
various sectors. SCADA will be a part of that.
The other is setting expectations. One thing that we can
help to do, and we are exploring this right now, is something
like a DHS seal of approval, an underwriters laboratory, if you
will, for if somebody comes out with a new software package for
digital control systems, it goes to our test bed, the guys take
a look at it and they say here is an assessment of it. I think
from a business model, what you end up with then is you have a
vendor who says, hey, this has been vetted, they have looked at
this based on knowing what the vulnerabilities are, what the
adversaries might try, and I am selling you something that is
secure. The corporate executive then can go to his board and
say, look, we are making the right decision. It frees them up
from litigation for not using due diligence. There are good
ways to build this but we have to build a baseline where there
is actionable information in the hands of the executives and
decisionmakers in the companies and an option. If we can move
toward a particular system, and we are not saying this is a
better system than this one, it is just an honest assessment of
its vulnerabilities versus another, then that company can say I
am going to buy that one and not the other. And I think that
starts driving the business case for across the board
improvement in security of the systems.
Mrs. Miller. Thank you.
Mr. Putnam. Thank you, Mrs. Miller.
Let me follow up on her line of questioning about standards
and assistance. I do not know that I ever got an answer on the
breakdown of municipal, State, county versus private sector so
that we have a handle on who is actually going to be
responsible for paying the bills. But once you have this 1,700
list finalized, then presumably we would have the price tag for
bringing them into a higher level of preparedness or security.
So then the question is who bears the cost. And if it is the
private sector, and we know that 80 percent of the critical
infrastructure is in private hands, then they are expected to
bear the cost, but they are not mandated to bear the cost. Is
that correct?
Mr. McDonnell. In most cases, yes, sir.
Mr. Putnam. So if they are presented with the options, as
you illustrated, of a more secure system versus a less secure
system, or upgrading versus not upgrading, there is no
compulsion to act in the law. Is that correct?
Mr. McDonnell. I think that is fair if it is strictly a
question of investment. So, say, if I come in and say you have
a whole year, if you do not fix it, somebody might attack you,
and they say, yeah, yeah, whatever, thank you very much, I am
not going to do anything about it anyway, what my experience
has been to date is that is not a real problem right now. Now
it may be a problem that evolves over time, but people are
very, very sensitive to being vulnerable to attack. Some of the
fixes that we are talking about are literally unplugging a
phone line. Not all of the fixes are very complex.
The key is to make the decisionmakers aware of where they
are vulnerable. That is where the nexus between the Government
operations, understanding the intelligence that is out there,
the threat that is out there, and the vulnerabilities of the
systems, and then being able to look a corporate executive in
the eye and say you have this vulnerability, I am on record for
telling you you have it, that it is your choice whether you do
something about it right now, but if you do not, you are liable
to be dealing with regulation down the road, if you do not, you
are liable to be dealing with litigation if something goes
wrong. So there is a coercive element to this.
Now, that being said, in the energy sector, for example,
the FERC has a lot of ability to help push these types of
things. There is a question about rate recovery. The FERC, for
example, can put out a rule that says if you are going to
operate in the interstate transmission of electricity, here are
some minimum standards that you have to follow, and then can
encourage the State public utility commissions to allow rate
recovery for those activities.
Mr. Putnam. That is true. They are a legal monopoly and
they have a price fix regulated by State legislatures or FERC
or whomever. But what if it is a private chemical company that
does not have the benefit of all of that and they have to make
decisions about their bottom line? And in the real world, as
you know better than any of us, the threat matrix is changing
every day. You find some scrap of paper in a cave and it has
got a picture of a chemical plant. The next week you find a
picture of a dam. The next week you find a picture of a bridge.
And you are expecting businesses, if you go make this pitch,
well, this week is chemical plant week, or next week is bridge
week, and next week is tourist attraction week, then how do
they really make informed decisions.
And correct me if I am wrong, there is no safe harbor. You
were using this liability issue as a threat, that I am on
record telling you that you have a vulnerability, I am telling
you this is a problem, you can act or not act. If they choose
to act, is there a reward by saying we put them on notice, they
made use of the best practices and technology of the day,
therefore they are protected?
Mr. McDonnell. I think, as you point out, it is extremely
complicated in how we actually push this down the road. It
really gets to what are the consequences of failure. If, in
fact, a dam, for example, has a SCADA vulnerability that we
identify that risks the lives of thousands of people, I think
with that piece of information it is pretty easy to ensure that
dam does something about it.
Mr. Putnam. OK. Let's stop right there.
Mr. McDonnell. Sure.
Mr. Putnam. Perfect example. Who pays for it? It is a
county in the Midwest or in south Florida in the middle of the
glades, their total county budget is $30 million a year and it
is going to cost them $5 million to fix the dam. Who pays for
it?
Mr. McDonnell. I have the ability to sit down with the
State Homeland Security advisor and say you need to take some
of that grant money and fix that problem at that dam. And we
have done that. So there is a process. There is plenty of money
in place to do specific things. Now where you run into a
problem is when people say, well, the sector needs to be fixed.
Well, not all the dams are equal. All the dams may have the
exact same problem but what we have to do is say that is an
unacceptable risk. It is a risk-based decision, it may be a
public health and safety decision, but we can find a way to fix
it when we get to that specificity. And the challenge for our
organization is to get to that specificity.
Mr. Putnam. Here are a couple of my concerns, and then I need
to move to a few other questions that we need to get down for
the record. But human nature being what it is, and the threat
being as complicated as it is--and it is far more complicated
than us just saying we are going to go make everything prepared
for any threat. It just does not work that way. You have
basically identified 1,700 sites. You and your colleagues
around the country and in the States have basically said there
is a top 1,700 list. My thinking, being a little bit cynical,
is that the people who did not make the list are going to say,
oh, but wait, we are vulnerable too. Look at all these things
that we have that we need grant moneys to fix. Just like every
police department in America wants to have first responder
equipment equal to and greater than New York and L.A. and
Washington. I mean, you see it. It is a feeding frenzy.
I see there are certain sites particularly that meet
Category III of your rubric, which are symbolic sites, that
probably would just as soon not be there. But I can see a lot
of sites saying, hey, this is the spot we need to be in, we
cannot even afford to meet EPA water quality standards now
because we have a plant that was built in the 1940's, but if we
say that we are at risk of poisoning a half a million people,
we will get a brand new sewer treatment plant, or we are going
to get a brand new weir, or we are going to get a brand new
whatever. So that is my concern in the real world process of
how all this stuff works. And it is never ending because you
cannot be more prepared than the terrorists' imagination.
And I commend you for making a first step by saying these
are the top 1,700, 560 of them have process control systems. At
some point I hope you will be able to say the price of bringing
these to an acceptable level is X amount. You, Congress, can
decide whether you want to do it all in 1 year, whether you
want to put it on a 5-year phase-in, but that is our call to
make. And put it on sort of a milestone and task-oriented
funding plan. But those are my concerns.
The other issue is that GAO says in their report that these
are the folks involved in SCADA security--DHS, Energy, Defense,
5 different national labs, EPA, FDA, NIST, 2 multiagency
working groups, the NSF, 11 private sector groups, and 1
government-private partnership, for a total of 26 players. How
does all that work, Mr. Dacey?
Mr. Dacey. That gets back to our recommendation again.
Sorry to get back to that, but the bottom line is that is what
we recognized is that a lot of these efforts were initiated
independently of each other. It was a need recognized by that
particular group or sector to deal with a specific issue. DOD
did work on determining what the effect of weaknesses in SCADA
had on their ability to carry out military operations. And each
one had its own genesis. That is why there is a need to
coordinate these efforts so that we are getting the most
leverage out of the activities and resources that are being put
into this to get to the best answer as quickly as possible. I
think that is a key issue in coordinating these efforts, again,
something we heard consistently throughout discussions with
those.
Mr. Putnam. We wrestle with this on corporate information
security and we put together a working group and we spent
several months working through all those issues. It came about
as a result of industry saying there is not any one law that
you can pass that is going to solve this, it has to be
collaborative and it has to be voluntary, and we need to have
this Underwriters Laboratory type model, very similar to what
you are talking about for SCADA. But at the end of the day,
there has to be some compelling reason for everybody to work
and play well with others. I do not know what the proper
formula there is, whether it is a safe harbor in the liability
issues, whether it is tax credits, or whether it is just a cold
hard law, but these are the issues we have to deal with to make
these systems more secure.
Mr. McDonnell, both the Science and Technology Directorate
and the National Cyber Security Directorate at DHS have
initiated several activities in the area of SCADA security. How
are you coordinating their efforts? We talked about the 26
outside of there. Even within DHS you have all this going on.
Do you expect there to be one overriding plan that comes out in
this SCADA vulnerability report that you referred to earlier?
Mr. McDonnell. Yes, sir. We are in the process of taking
the President's Directive on Infrastructure Protection, HSPD
No. 7, and putting in place now how we operationalize that
across all the sectors, across all the departments, and truly
build a national plan. It is our intent that SCADA activity
will be working to a common goal through a common process. Now,
there will always be outside of government competitive folks
out there that want to be doing their own thing. That being
said, we absolutely are starting to pull all that stuff
together and we will have a single national effort led by the
Federal Government for SCADA.
It is going to take some time to pull all this in. As my
colleague mentioned, there are some equities in there, Defense,
for example, has very specific reasons for looking at SCADA,
the Department of Energy has a totally separate shop that is
looking at SCADA and the processes in the nuclear control
systems at the laboratories, the nuclear weapons processes, and
they are never going to just kick that into a big interagency
collaborative effort. But what we do have to make sure is that
we understand what is going on in these sort of compartmented
areas and we are not duplicating effort, that I am not paying
for an R&D program that kicks out something that has already
been invented over at the Defense Department but I just did not
know about it. So that is absolutely part of the plan, sir.
Mr. Putnam. As you know, we have a very open records policy
in this country and even more openness depending on the States
that involve the availability of design and blueprints,
specific site locations, wiring configurations, frequencies.
Could each of you speak to the risk or the lack of risk that is
associated with public access to this type of information.
Mr. Dacey. Certainly, there is definitely increased risk
when there is more information about the security of specific
systems that people could use. If you look at some of the stuff
that is on the Internet, there are operations manuals, there is
just a lot of information out there that is publicly available
to understand how these systems operate and what is being done
with them. There are even many other sites, vendor sites which
even tell you where their equipment is installed and how it is
installed, or at least a general idea of how it is installed.
So there is a lot of information out there that could be used
by someone if they wanted to do some damage to learn and
prepare themselves for a potential cyber attack on SCADA
systems.
I think that combined with some of the other risks we
talked about, such as the combination of these networks with
other enterprise networks, exposes a real threat for hackers
using just general purpose hacking tools to get into a network
that is in one of these companies and use that opportunity to
then get access to the SCADA systems if they are not
compartmentalized and secured. That is what we saw in the
Davis-Besse plant where, as you mentioned in your opening
statement, there was a worm, the Slammer worm, that migrated apparently
from a vendor system through a trusted VPN, if I recall, right
on into the nuclear power plant's main enterprise system and
interfered with the traffic running in the control systems. So
you have real issues there.
So you combine the two with the fact that you can go in,
there is clear text going across these things, it does not take
a lot of imagination to think someone who is really studying
and intent on doing something could not start to get a pretty
good understanding of how these systems work, how the messages
flowed, what they look like, and so forth and so on, if they
could get into these systems. So I think there is a real risk.
But it is not just the fact that the data is out there and
available, that it is the other things which are really
compounding that risk I think.
Mr. Putnam. Does the access to information present a risk
such that we should consider policy changes to public access to
those plans and designs and operations and sites?
Mr. Dacey. A lot of these systems, particularly newer ones
which are moving to some of the common protocols, communication
protocols and networks that we see out there and using the
Internet as well, I think a lot of that information is public
knowledge now. I think the bigger key is to better secure these
networks and systems so that people cannot get to them through
defense in-depth and other means. In other words, if a lot of
these systems are adopting these current technologies, it does
not take a lot to imagine getting in. Even if the information
was not out there, one could still get in and gain a lot of
insights if you could break into these systems. So I think the
real key gets back to protecting the systems adequately so
people cannot get in and start looking at traffic, you know,
so-called sniffer software you can put in if you break into a
system that looks at all the traffic going through, and you can
use those to identify a lot of information on specific traffic
that the control systems are using. So, again, it would help if
that were not there, but I think there are a lot of other
issues that need to be addressed that are just as important, if
not more important.
Mr. Putnam. Mr. McDonnell.
Mr. McDonnell. Yes, sir. You asked specifically about
change of public policy. Within the Homeland Security Act was
the Critical Infrastructure Information Act, and that does
provide an avenue for a company to submit information to the
Department of Homeland Security, have it stamped as critical
infrastructure information, and it is exempt from FOIA. And it
is preemptive legislation and it is therefore exempt from State
sunshine laws and so on. So there is an avenue for newly
submitted information.
Mr. Putnam. Prospective.
Mr. McDonnell. Yes, sir. But once a barn door is open, it
is open. There is an unbelievable amount of information that is
available out there. You cannot get it back. The best thing
that we can hope for is more discipline in what gets put on Web
sites and controlled. And over time, a good operational
security program will have better and better controls on that
critical information. Quite frankly, if someone has information
out there already and they have to go back and do something to
change it, they have to physically change the system, they are
not going to get the information back. The only way to mitigate
that. My worst nightmare is somebody doing all of their
planning from an Internet cafe in Paris. They can sit overseas
and look at the floor plan of a chemical site, see what kind of
control system it has, see what defenses look like, see what
the local response capabilities are by going to the city's Web
site. We have to influence that and we have to do that by the
originator stopping posting public records, management, those
types of things. So we have to identify the information we want
to protect, and we do have a way to protect it now, but it is
going to take some time to get people to sort of turn that and
start putting it into the system.
Mr. Putnam. When I was a kid, which was not all that long
ago, but you would go to the encyclopedias. And you can go to
the Internet and you get the encyclopedia and learn how to
build a bomb. That does not mean you could actually build an
atomic bomb just because it showed you how to do it. But today,
you are talking about not just the chemical plant or the
nuclear power plant's blueprints, which I think, frankly, are
inherently fairly secure by their nature, people knew when they
built a nuclear power plant long before Al Qaeda that it was
something that needed to be protected, but rather the isolated
valve 12 miles away, or switching station, or router, or
whatever that is in the middle of nowhere with maybe nothing
but a chain link fence around it, if that. That is the kind of
stuff that concerns me, not a $50 million factory or facility
or whatever. Anyway, that is what bothers me about the access.
And I appreciate your input on that.
According to your testimony in October 2003, the Science
and Technology Directorate began a study of the current
security state. When do you expect that study to be completed,
Mr. Dacey?
Mr. Dacey. Let me check my notes. I do not recall if we
have a date for when that statement of work was supposed to be
concluded.
Mr. Putnam. And Mr. McDonnell, are you aware of the study?
Mr. McDonnell. Not specifically, no, sir.
Mr. Dacey. The statement of work called for delivery on
about 90 days after beginning performance with an interim draft
report, with a final draft report about 150 days after
beginning performance. So that is kind of a general timeframe.
So you are talking about 5 months. And I am not sure exactly
when the study began.
Mr. Putnam. Mr. McDonnell, are you more concerned about,
with regard to SCADA system threats, not everything else that
is on your plate, do you worry more about an international
threat, as you put it, from an Internet cafe in Paris, or do
you worry more about domestic home-grown type threats?
Mr. McDonnell. I think international.
Mr. Putnam. Mr. Dacey, do you have an opinion on that?
Mr. Dacey. I think they are a significant threat. The thing
I would add to my prior statement too is that there are not
that many types of different control systems out there and they
are used throughout the world. So it would not take much for
someone potentially to get access to someone who had
significant knowledge of operating systems in other countries
that might be available to assist in some kind of attacks that
might occur.
But it could be virtually anywhere. If you look at some of
these SCADA systems for some of the large institutions that
carry them out, you will see that for operational purposes and
better management a lot of these SCADA screens can be pulled up
from virtually anywhere in the world. Now several of the
institutions we talked to have implemented stringent controls
to authenticate everybody going in there. But, quite frankly,
it is conceivable that if it was not secured and you broke into
the system, you could literally see right in front of you the
operator's screen for the SCADA system. It is a frightening
thought.
Mr. Putnam. The DOE has not adequately funded the SCADA
test bed. Is this something that DHS plans to fund, or is it
still limping along in Energy?
Mr. McDonnell. That is something DHS intends to do.
Mr. Putnam. OK. Mrs. Miller, do you have additional
questions?
Mrs. Miller. I do not.
Mr. Putnam. We are expecting votes between 3:30 and 3:45.
So at this point, I would like to excuse our first panel and
seat the second one as quickly as possible and at least begin
testimony before we have to leave to vote.
Gentlemen, I want to thank you for your responses and your
candor and your interest in this very important issue. The
subcommittee is grateful for your testimony.
Mr. McDonnell. Thank you, Mr. Chairman.
Mr. Putnam. With that, the committee will stand in recess.
The first panel is excused. We will seat the second panel as
quickly as possible.
[Recess.]
Mr. Putnam. The subcommittee will reconvene.
We will seat the second panel of witnesses and move
immediately into the administration of the oath and then we
will get into your testimony.
[Witnesses sworn.]
Mr. Putnam. Note for the record that all of the witnesses
responded in the affirmative.
I will precede my introduction of our witnesses by saying
that we are expecting votes very shortly. We would like to ask
you to keep your remarks to 5 minutes. We will undoubtedly be
interrupted for votes. I believe we have two votes, so we
should be away for approximately 30 minutes and will return
immediately. So we apologize beforehand. We will keep things
going as quickly as possible.
Our first witness for the second panel is Joseph Weiss. Mr.
Weiss is an industry expert on control systems and electronic
security of control systems, with more than 30 years of
experience in the energy industry. He serves as KEMA's leading
expert on control systems cyber security. He spent more than 14
years at the Electric Power Research Institute where he led a
variety of programs, the last of which was cyber security for
digital control systems.
Welcome to the subcommittee. You are recognized for 5
minutes.
STATEMENTS OF JOSEPH WEISS, EXECUTIVE CONSULTANT, KEMA, INC.;
DAN VERTON, SENIOR WRITER, COMPUTERWORLD MAGAZINE; GERALD S.
FREESE, DIRECTOR OF ENTERPRISE INFORMATION SECURITY, AMERICAN
ELECTRIC POWER; AND JEFFREY H. KATZ, ENTERPRISE IT CONSULTANT,
PSEG SERVICES CORP.
Mr. Weiss. Thank you very much. Good afternoon Mr.
Chairman, Ranking Member Clay, and members of the committee. I
would like to thank the subcommittee for your commitment to a
comprehensive examination of cyber security of the control
systems utilized in our Nation's critical infrastructure. I
also want to thank you for the opportunity to be here today to
discuss this very important topic. My remarks will provide
details on one, control systems design considerations and
cultural issues; two, control systems cyber vulnerabilities;
and three, key activities that need to be addressed and funded
to secure control systems.
Control systems form the backbone of our critical
infrastructures. A control system controls a process such as
regulating the flow of water in a power plant or opening a
breaker in a substation. I have been working with the key
organizations that have a role to play in this area, including
the Government, end-users, equipment suppliers, standards
organizations, and others, none of which have been adequately
coordinated. My formal testimony has been reviewed by
representatives of DOE's Office of Energy Assurance and the
National Energy Technology Lab, DHS' Cyber Security and
Protective Security Divisions, the Idaho National Lab, the
Sandia National Lab, the General Accounting Office, Carnegie
Mellon Software Engineering Institute, the United Telecom
Council, and a utility member of the NERC Critical
Infrastructure Protection Committee which is responsible for
issuing the utility industry cyber security standard.
Cyber security has been viewed as an information and IT, or
Internet, concern. The basic design assumptions inherent in
control systems are they would be stand alone and all control
system users would be trusted users. However, competitive
pressures have forced businesses to interconnect office and
electronic commerce systems with control systems. This has
exposed control systems directly to the Internet, Intranets,
and remote dial-ups. Additionally, there is also a tradeoff
between security and control system performance.
There are only a handful of control systems suppliers and
they supply industrial applications worldwide. The control
systems architectures and default passwords are common to each
vendor. Consequently, if one industry is vulnerable, they all
could be. Additionally, utilities in North America and
elsewhere are able to obtain the source code for electric
industry SCADA systems.
There have been more than 40 cases where control systems
have been impacted by electronic means. These events have
occurred in electric power transmission and distribution
systems; power generation, including fossil, hydro, gas turbine,
and nuclear (there have been three commercial nuclear plants
with denial of service events); water; oil; gas; chemicals;
paper; and agribusiness. Some of these events have actually
resulted in damage. Actual damage from cyber intrusions has
included opening valves resulting in discharge of millions of
liters of sewage, opening electric distribution breaker
switches, tampering with boiler control settings resulting in
shutdown of utility boilers, shutdown of combustion turbine
power plants, and shutdown of industrial facilities.
The traditional Internet vulnerability tracking
organizations, such as the Computer Emergency Response Team
[CERT], SANS, and the Computer Security Institute, are focused
on traditional Internet and business system exploits and
damage. The events and statistics quoted by these organizations
do not specifically address control systems. Additionally, none
of the control system impacts have been identified by these
organizations. This lack of awareness is keeping executives
from identifying cyber security as a business imperative.
This also results in a quandary, as you brought up earlier.
Control systems suppliers are not building secure control
systems because they do not believe there is a market, and end-
users are not specifying secure control systems because they do
not exist and would be more expensive. This lack of awareness
concerning control system vulnerabilities and impacts is a gap
that needs to be addressed.
Consequently, DOE's OEA tasked KEMA and Carnegie Mellon's
CERT/CC to perform a scoping study for establishing a CERT for
control systems, which we called e-CERT. The funding for
establishing and conducting the e-CERT function would be
approximately $3 million a year. The investment would
substantially improve the reliability and availability of the
critical infrastructure as well as providing the awareness
necessary.
Existing cyber security technology has been developed for
business functions and the Internet. Control systems require a
degree of timing and reliability not critical for business
systems. Because of this, employing existing IT security
technology in a control system can range from lack of
protection to creating a denial of service condition in and of
itself. This has actually occurred in attempting to employ
encryption in control systems. We do not know the true
vulnerabilities of control systems. Penetration testing of
business and control systems can lead to system interruption or
require the system to be rebooted. Consequently, this testing
must stop at confirming control systems can be accessed.
The National SCADA Test Bed allows vulnerability testing of
control systems to help identify the actual vulnerabilities.
This testing will also enable test bed personnel to identify
the necessary technologies to mitigate the vulnerabilities.
Several suppliers of SCADA systems have already provided
systems to the test bed. Adequate funding is lacking, however,
to enable the test bed to function in a complete and timely
manner. A significant multiyear investment is required, and you
will hear from others as to what those estimates are.
In summary, there are two key areas that require modest
funding to help secure control systems throughout the
industrial infrastructure--e-CERT and the National SCADA Test
Bed. If these two activities are adequately funded, they can
address awareness, minimize vulnerabilities, and evaluate and
develop technology to secure control systems. This will
minimize the threat of extended blackouts, like what happened
on August 14th, and impacts on industrial production which will
have a positive impact on the quality of life and security of
the American population.
Thank you for your time and interest. I would be happy to
answer any questions, including about industry coordination.
[The prepared statement of Mr. Weiss follows:]
[GRAPHIC] [TIFF OMITTED] T5799.040 through T5799.049
Mr. Putnam. Thank you, Mr. Weiss. You will undoubtedly get
some questions on that.
Our next witness is Dan Verton. Mr. Verton is a senior
writer and investigative reporter with ComputerWorld Magazine
based in Washington, DC, where he covers homeland security,
critical infrastructure protection, and Government. Prior to
joining ComputerWorld, Mr. Verton was the associate editor for
defense at Federal Computer Week. He entered the journalism
field after 7 years in the military intelligence community as
an intelligence officer in the U.S. Marine Corps. He has a
master's degree in journalism from American University in
Washington.
You are recognized for 5 minutes. Welcome to the
subcommittee.
Mr. Verton. Thank you, Mr. Chairman. In the interest of
time, obviously, I am going to summarize my remarks today, but
actually I am going to diverge a little bit from what I had
planned to say based on what I have already heard from the
previous panel. I think what I have heard so far has been quite
instructive for your work in this area.
This hearing is supposed to be about SCADA systems security
and telecommunications. But, surprisingly, what I heard from
the first panel was that we are, in fact, at this current time
erecting fences and digging moats around physical facilities
that house SCADA systems. So where does this disconnect come
from? I have a feeling it comes from the one individual from
the Government that I do not see here that I think you would
very much benefit from hearing from, which is Amit Yoran. I sat
behind Mr. Yoran a few weeks ago in the Senate and listened as
we were discussing the National Intelligence Estimate that was
recently released or was supposed to have been released on the
cyber threat to the United States stemming from, specifically,
terrorist organizations around the world. And I was a little
bit surprised that our director of national cyber security
could not answer any general questions about the terrorist
threat to the United States in the cyber realm.
So I do not think it is necessarily doing anything for us
to be creating layered defense in depth in a physical sense
when the electronic infrastructure that powers these systems
knows no borders. This also I think stems from what I think is
a very dangerous approach to countering terrorism in
cyberspace, which is the threat independent model. DHS takes a
threat independent approach to threats in cyberspace. And what
does that mean? That means that we approach terrorist incidents
the same way we might approach a hurricane or a flood or an
earthquake. And I think the danger that lies in this is that it
presents us with a possibility of having the lowest common
denominator for security when in fact you are talking about,
for example, a hurricane which is very indiscriminate and
random, whereas terrorist incidents are very much a highly
targeted, very specific incident that might be indiscriminate
in the killing and destruction, but it is very much a highly,
well-planned incident that we are talking about. And I think we
need to take that into consideration when we talk about these
critical facilities.
Finally, just briefly, I think there are some questions that
should be asked about the funding for cyber security in the
grant process. We were talking in the first panel about the
money that has been made available to the States and
localities. But I think there have been some questions raised
out there about how that money can be used. So while the money
may be used to build fences and dig moats around these
facilities, I think there is some question out there about how
much of it, if any of it, can be used to fund cyber security
improvements for the SCADA systems.
Basically, I think our challenge today stems from two
perspectives. I think we need to try to reverse the
intellectual rigidity that surrounds the issues of cyber
terrorism. We already knew from evidence prior to August 14th
that Al Qaeda had been studying SCADA systems from some of the
evidence that we had picked up on the battlefield in the war on
terrorism. If there was any doubt in the minds of the
terrorists who are also trying to kill us that they should be
studying SCADA systems, the international demonstration
effective August 14th pretty much eliminated that doubt in
their minds.
Second, I think if we insist on continuing to refer to
these facilities, as we have here today, as critical to
national security, we should treat them as such. I am aware of
anecdotal evidence from people who are very much involved on
the inside of the energy industry that not all people with
authorized access to critical control systems are necessarily
subjected to background investigations, and this is across the
board, it is not just the energy industry. These are
individuals with authorized access to the systems that both
touch SCADA systems and to SCADA systems themselves. That is a
vastly different picture from any national security
infrastructure that I have been aware of in my time as an
intelligence officer.
And just one final point on the Web content, which you were
asking about earlier. I wrote an entire book on the fact that
the information we make available to the people who are trying
to do us harm is really, as was mentioned, beyond the pale. It
is unbelievable what you can find on the Internet. Now the
genie may be out of the bottle already. But let me give you an
example of just what I was able to dig up during my research.
There are Web sites that provide interactive maps of the
entire natural gas pipeline system in the United States. And
they are not flat files. They give you latitude and longitude
for every critical interconnection point in the United States,
including the most critical interconnection point for the
natural gas industry in the country. Some 40-plus percent of
the entire GDP of natural gas passes through this one
interconnection point. And you can not only find the latitude
and longitude, but you can find the terrain features
surrounding the particular point. And you can do this for the
entire United States. I found that on the Internet during my
research, including long-haul telecommunications termination
points along the entire Eastern Seaboard, so on and so forth.
So I think there is an argument to be made for a public policy
approach to what we provide on the Internet, who we provide it
to, and whether or not there is a business case for any of this
information being out there.
So with that, Mr. Chairman, I will be happy to answer any
questions.
[The prepared statement of Mr. Verton follows:]
[GRAPHIC] [TIFF OMITTED] T5799.050 through T5799.057
Mr. Putnam. Thank you very much.
Our next witness is Gerald Freese. Mr. Freese is the
director of enterprise information security at American
Electric Power. In this capacity, he is responsible for
defining, developing, and executing all information security
programs to effectively protect AEP data and systems. He is
responsible for regulatory compliance and critical
infrastructure protection for cyber security, and has been
instrumental in the development of the NERC cyber security
standards for the energy industry. He is a recognized security
and infrastructure protection expert. He is American Electric
Power's primary data security architect.
You are recognized for 5 minutes. Welcome to the
subcommittee.
Mr. Freese. Good afternoon, Chairman Putnam, and members of
the subcommittee. Thank you for offering me the opportunity to
speak with you today. I am testifying as a representative of
American Electric Power, as the director of enterprise
information security of one of the largest utilities in the
United States with over 11 States of operation and 5 million
customers. Today I will be discussing issues of supervisory
control and data acquisition, telecom interdependencies, and
critical infrastructure protection.
Energy utilities use a number of communications media to
connect various SCADA system components, from private microwave
to fiber networks and public networks. Each of these transport
methods enables the data flow to and from SCADA networks and
also creates the potential pathways of attacks. In telecom
network interface roles, there are a number of device exploits
or instances of malicious code that can effectively disable
SCADA information flow. The point to take away from this is
basically that SCADA and telecom vulnerabilities are not
mutually exclusive.
The growth of open systems is compounding the SCADA/telecom
vulnerability issue. By use of common technology sets, public
telecom providers are increasing the susceptibility of SCADA
and telecom resources to multiple attacks from anywhere in the
world. The open systems, with lower cost, ease of use, provide
attackers with the same benefits as legitimate users enjoy.
While we cannot effectively halt the move toward open systems,
we can work to establish best practices in security to
counteract potential exploitation.
Availability of engineering and data system expertise is
another factor. In Pakistan, American energy companies and
vendors helped design the Pakistani infrastructure based on the
U.S. model. In Afghanistan, analysis of recovered computers, as
Mr. Verton mentioned, shows that terrorists were engaged in
research on software and programming instructions for
distributed control and SCADA systems. This and the vast amount
of data on energy SCADA and telecommunications available
through open sources, such as the electric industry
publications, FERC filings, and on the Internet strongly
support the assumption that there are few, if any, SCADA or
telecom system unknowns and no boundaries on accessibility to
the information. The growth of open systems technology and
increasing ranks of the computer skilled show us that there is
no logical basis for discounting the possibility of cyber
attacks against targeted telecommunications and SCADA systems
or components.
The U.S.-Canadian task force investigation following the
August 14, 2003 blackout concluded in its interim report that
the outage across a large portion of the United States and
Canada was not caused by malicious cyber events. If we
substitute some well-known forms of intentional attack as the
cause of the initial line malfunction, we can see that many
forms of internal or external intrusion could bring the same
net result. If we take that concept one step further,
coordinated attacks against multiple vulnerable systems and
networks over the Internet and other telecom resources could
redirect processes, manipulate data and equipment, and
eventually disrupt service across entire regions.
The foundation of critical infrastructure protection lies,
first of all, in awareness that it is a responsibility across
both private and Government domains. It must be a priority in
industry backed by executive support and viewed as an incentive
to investment, not a roadblock. For example, at AEP security
implementation is listed in the third paragraph of the annual
report, which is quite an accomplishment. Industry, with
government support, must take the lead in information sharing.
This is one of the critical aspects of critical infrastructure
protection.
To that end, there must be a greater protection of
information from public disclosure. The ISACs, the Information
Sharing and Analysis Centers, through public and private
collaboration, must work toward consolidating information on
risk-based vulnerability assessments and remediation and
extending security best practices across all critical
infrastructure sectors. Cost recovery initiatives with similar
information protection must be supported at the State level
with the possibility of Federal tax incentives for industry to
defray the significant cost of current and future security. All
of these activities will provide the necessary backdrop for the
diverse U.S. critical infrastructure to comply with voluntary
industry standards and eliminate the need for Federal
regulation.
Mr. Chairman, that concludes my statement. I would be happy
to answer any questions.
[The prepared statement of Mr. Freese follows:]
[GRAPHIC] [TIFF OMITTED] T5799.058
[GRAPHIC] [TIFF OMITTED] T5799.059
[GRAPHIC] [TIFF OMITTED] T5799.060
[GRAPHIC] [TIFF OMITTED] T5799.061
Mr. Putnam. Thank you, Mr. Freese.
Our fourth, and final, witness for the second panel is
Jeffrey Katz. Mr. Katz is the enterprise IT consultant for PSEG
Services Corp., a subsidiary of Public Service Enterprise
Group, Inc., in Newark, NJ, which, among other things, serves
77 percent of New Jersey's population and is the State's
largest utility. Mr. Katz has held a number of management
positions within PSEG and PSEG Services Corp. in his 34 years
with the companies. For the last 7, Mr. Katz has concentrated
exclusively on wireless telecommunications projects and
systems. Mr. Katz is also the former two-term mayor of his
community.
Welcome to the subcommittee. You are recognized for 5
minutes.
Mr. Katz. Thank you, Mr. Chairman, and members of the
committee. I am here today testifying on behalf of the United
Telecom Council as the Chair of its Public Policy Division. I
will discuss the impact of Federal and State policies on
critical infrastructures [CI] SCADA systems. UTC is the
association that represents the telecom interests of America's
CI entities. UTC and its association partners represent
virtually every electric, gas, and water utility, and every
communications network used to operate, control, and maintain
our Nation's critical infrastructure.
Today our Nation depends upon reliable and available
services provided by CI SCADA supported systems. They are
critical and essential to the health, safety, and welfare of
our Nation and our people. Just as our Nation depends upon CI
services, every CI entity depends upon telecommunication
systems for SCADA, telemetry, command and control, remote
actuation, and protective relaying operations. In addition, for
both routine communications and during disasters and outages,
CI entities depend upon private internal data and voice
networks to direct the work force and to restore service.
From a broad policy perspective, we ask the committee and
Congress to consider this question. What Federal or State
policies, laws, or regulations impact negatively upon CI's
ability to avoid service interruptions, to reduce their
duration and scope, and to make CI, including SCADA systems,
less vulnerable to attack by non-physical intrusion? For a
detailed discussion on that issue, I would refer the committee
to my written testimony. However, in a nutshell, UTC asks the
committee to consider these five points.
First, public access to sensitive radio frequency data
provides information useful to those who would do us harm. The
Federal system of record, the FCC's universal licensing system,
is available to the general public through the Internet.
Wireless CI, SCADA, telemetry, command and control, voice and
data systems can be compromised using information contained
within the FCC's public data bases. This information must be
made less public, either through creation of a confidential
licensing category, or by providing the FCC with other
authorities, such as that enjoyed by NTIA, to make confidential
certain CI spectrum use data. UTC also encourages providing
NTIA with authority to share spectrum with non-Federal CI
entities to assure greater confidentiality of spectrum use
data.
Second, CI data is made public unnecessarily through the
FCC's pole attachment regulations with little regard to
infrastructure safety. Pursuant to FCC rules, maps of utility
infrastructure must be made available to potential attachers
upon the most minimal of showings. Moreover, those who would
attach fiber optic cable or other equipment to utility
infrastructure are permitted to employ third party contractors
rather than personnel trained to observe strict safety
regulations. The FCC's original limited jurisdiction over
utility infrastructure is being stretched to the point of
endangering worker and public safety. That authority should be
balanced by safety-based jurisdiction elsewhere in the Federal
Government.
Third, CI investment to improve and better secure
communications systems is discouraged because such investments
often are not immediately recoverable in rates and because the
spectrum in which SCADA systems operate is not exclusive.
Regulated entities recover capital investment costs through
rate relief. Rate cases are time consuming, tedious, costly,
and must be filed in each State in which the utility serves
customers. However, most utilities have a multistate presence
that would require consistent cost recovery schemes between and
among the States involved.
SCADA systems are system-wide and not limited to the
borders of a single State. Prudent and necessary investments in
enhanced security, reliability, and functionality should be
recoverable immediately in rates, without the need to file a
rate case in each State, and the specifics of the investment
should be privileged and confidential. Furthermore, the
investment must be protected. CI entities are reluctant to
invest in new wireless SCADA systems because the spectrum is
not exclusive. This subjects SCADA systems to interference that
can compromise effectiveness.
Fourth, State and local governments should receive guidance
from the Federal Government as to what security expenditures
and investments should be considered reasonable. UTC does not
advocate that additional mandates be imposed on CI to ensure
SCADA and/or telecommunications system security. This panel has
heard my colleague's testimony about industry efforts already
underway and the ideal role that the Federal Government should
play. However, in an area as complex as homeland security,
State and local governments and regulators look to the Federal
Government for guidance on what constitutes reasonable
investment. CI entities that invest in security measures
meeting defined guidelines should expect to win cost recovery
approval from State regulators. Federal guidance would
facilitate investments not only by larger investor-owned
utilities, but also by co-ops and municipals, all of which are
faced with severe budget constraints and are under constant
pressure to control rates.
Fifth, and finally----
Mr. Putnam. If you could just summarize.
Mr. Katz. The plain fact, there is also a push on the part
of many Federal agencies who believe that commercial wireless
services can substitute for private internal networks. Quite
frankly, they are even more vulnerable than anything that we
could build ourselves. When power fails, it is commercial
networks that go down first. Plus, they do not have a
ubiquitous presence throughout an operating territory for any
particular critical infrastructure entity, and they just cannot
be relied upon. There is no
exclusivity, no reliability, and no availability that is
guaranteed to us.
This basically summarizes my comments, Mr. Chairman. I
would be happy to answer any questions that you may have.
[The prepared statement of Mr. Katz follows:]
[GRAPHIC] [TIFF OMITTED] T5799.062
[GRAPHIC] [TIFF OMITTED] T5799.063
[GRAPHIC] [TIFF OMITTED] T5799.064
[GRAPHIC] [TIFF OMITTED] T5799.065
[GRAPHIC] [TIFF OMITTED] T5799.066
Mr. Putnam. Thank you very much, and I appreciate your
patience with the bells. And I appreciate all of your patience
with the fact that we have three votes pending which will take
about 30 minutes to handle. So with that, the subcommittee will
recess. Feel free to get something cold to drink or hang loose
and we will be back in approximately 30 minutes.
The subcommittee is in recess.
[Recess.]
Mr. Putnam. The subcommittee will reconvene.
I want to thank the witnesses for their patience and
tolerance of the congressional voting schedule. We will go
right into questions since we did complete the opening
testimony before we recessed.
Let me begin with Mr. Weiss. When communication systems are
installed in SCADA systems, how much consideration is given to
security, in your opinion?
Mr. Weiss. Let me respond to the question with a question.
What do you mean by ``communication systems?''
Mr. Putnam. The method of transmission of instructions, the
network connections.
Mr. Weiss. OK. In general, and I am going to give you a
general statement that may not apply to everybody, and I am
also phrasing it as a control system, not just a specific
SCADA, usually security is not a critical aspect in a design of
a control system. The implementation is usually most concerned
with meeting performance specs. And the other thing that it is
usually very much concerned with is the ability to communicate
with the different systems that are being identified in that
specification. There are very few specifications that include
security.
Mr. Putnam. So very few considerations then are given to
eavesdropping, disruption, issues like that?
Mr. Weiss. Correct.
Mr. Putnam. Mr. Freese, Mr. Katz, or Mr. Verton, would you
like to add anything to that question? Mr. Freese.
Mr. Freese. Yes, Mr. Chairman, I would. Although it is true
historically that when it came to developing SCADA digital
control systems, there was not security planned up front. But I
know, speaking for AEP and a lot of other companies, we have
since integrated security into all of those applications, as
many SCADA systems as we possibly can because we do understand
the need to secure those resources. So it has become now
commonplace for a lot of companies to introduce security up
front in the planning process, and then retrofitting on those
areas that we did not have security prior to this.
Mr. Putnam. Mr. Katz.
Mr. Katz. Thank you, Mr. Chairman. I think what we need to
do is delineate a difference between then and now. A lot of
legacy systems that are installed and still in place probably
do not have a lot of security on them. To upgrade them would
either mean replacing them or redesigning them and investing
considerable dollars to do so. Newer systems that are being
implemented take into account security concerns. They are
generally taken into account in the RFP stage and all the way
through.
But I am more concerned about the legacy systems and the
fact that if we are going to upgrade, we do need to make a
significant investment in that. And in the utility business
every investment competes with every other one. Hierarchy is a
priority. A substation transformer in danger of failure may
cost $2.5 million to replace and that may end up displacing
another project, because if you cannot capture the investment
cost through a rate increase, then you need to do it either
with cash-flow or bonds or stock and none of them is a
particularly great alternative. But if it increases the
reliability of the utility plant, it is something that we would
rather see the ratepayers--I think any utility would rather see
the ratepayers pay. But that takes a rate case and many BPUs
and public utility commissions are reluctant to entertain rate
cases except once every 5 or 6, or 7 or 8 years.
Mr. Putnam. What is the average age of a control system?
Whomever may answer that one.
Mr. Weiss. The average age of a control system in a power
plant is probably on the order of maybe 5 years old. SCADA
systems in utilities, not in, if you will, the independent
system operators because the ISOs are fairly new, but SCADAs in
electric utilities are probably, again, just a rough order,
probably 7 to 10 years old.
Mr. Putnam. And what about non-electric utilities--water
control systems, flood control structures, things of that
nature?
Mr. Weiss. At least in those that I have dealt with, a lot
of these industries, particularly water, flood control, etc.,
in a sense just recently put in automation and so they have, if
you will, newer systems. But here is the other thing I think
that maybe is important to point out. In a control system,
there are really two aspects. One is where the operator sits,
that is usually a Microsoft-based or a Unix-based operator
screen. And in a spec, it is pretty straightforward, if you
will, to specify that type of security. The other part of the
control system is where you have the field devices, those
things that actually measure temperatures, voltages, currents,
and do the real-time calculations. That is where we really do
not have the security technology at all yet. So putting that in
a spec does not help. It does where you have the operator
interface but not at the actual control. That is part of what I
am hoping, and I am not speaking for anybody but myself, this
is what I am hoping will come out of the National SCADA Test
Bed.
Mr. Putnam. That was a point that I made in panel I, that
the main facility is of less concern to me than the field
facilities at the weir, at the dam, at the valve or the pump or
whatever.
Let me follow up on your point. A lot of those non-electric
utility systems are only recently automated, meaning that they
are newer, perhaps have more security hopefully built into
them. But as a consequence, if there is a failure of those
systems, have they removed the ability to manually override
whatever it is, and are people adequately trained to do it the
old fashioned way? Or are they out there with their Palm Pilots
or their wireless or their computer and they are being told
exactly which valve, which line, which wire, and, absent
electronic assistance, they are unable to make whatever
corrective actions they need to make?
Mr. Freese. Mr. Chairman, if I may. In our remote
substations, for example, we have a lot of them that require
either an in person interface or some other type of control
that can be used at a short range or short distance to be
effective. Our people are trained in both the electronic means
and the manual means. The problem with security, as you were
mentioning at the remote substations, for example, or any of
the substations that are equipped with data concentrators or
RTUs are using computers. The problem with the more remote you
get, the more difficult it is to keep security up to date; for
example, antivirus, operating system patches, those types of
things. So there is always kind of a lag between what needs to
be done and what is done. And that is one of the focuses of the
energy industry right now is to try to remedy that.
Mr. Putnam. Mr. Verton, you were very blunt in your
assessment of where we are. Walk us through a plausible
scenario for a terrorist act against using one of these control
systems or SCADA systems, if you would.
Mr. Verton. Well, Mr. Chairman, we have already seen some
examples in recent history where disgruntled insiders have done
things like let loose raw sewage by hacking into sewage
treatment facilities in Australia. But my biggest point, I
think the best example would be the August 14th blackout which,
while it was not a deliberate act of terrorism, it was most
likely a self-inflicted wound, if you will. The demonstration
effect of what happened afterwards and the fact that these
systems are vulnerable to electronic disruption means that we
cannot discount a scenario that includes a deliberate
disruption of electric power throughout a major metropolitan
area of the country that is quickly followed up by a preplanned
series of physical traditional terrorist attacks. For example,
we saw thousands of people caught in the subway systems in
Manhattan who were sitting ducks for a chemical or biological
attack. We saw people coalescing by the thousands on the
streets who could have been the targets of a suicide bomber or
something of that nature. So these types of scenarios are by no
means what you might consider a Hollywood movie script. They
are very much possible.
Also I might add, we started in the first panel talking
about the physical vulnerabilities of these systems. The
physical aspects of cyber terrorism are something that we have
not paid a lot of attention to. But you can conduct the same
sorts of denial of service attacks in an electronic sense by
physically destroying key nodes in the electronic
infrastructure. When certain nodes are taken off line, it could
ripple out of control throughout other various portions of the
infrastructure and other sectors of the economy. So you do not
necessarily have to conduct an electronic attack sitting there
with a computer, but you can, if you have access, physically
destroy certain nodes and cause similar effects that you can
then go ahead and take advantage of. Does that answer your
question, Mr. Chairman?
Mr. Putnam. Yes. The counter argument to adequate
preparation has been that the economic case just is not there
for a number of local governments, municipalities, States, and
private sector to invest in the security upgrades. Is that a
flawed economic model, or is it an accurate economic model? And
what could we do to encourage those investments in those
upgrades? And I will begin with Mr. Katz and then work my way
back toward Mr. Weiss.
Mr. Katz. Speaking on behalf of the UTC and the industry in
general, I think one of the things that the industry would not
encourage are specific mandates to the industry about how to
proceed with regard to investments in infrastructure.
Certainly, if the industry were asked to come up with specific
plans and guidelines or industry standards and best practices,
that ought to happen within some reasonable timeframe.
But the real dichotomy here is that investment needs to be
recaptured, money has to be spent, and it is real dollars. So
you have to spend money and you better have the money to spend.
So where do you get the money? If it is not through rate
relief, or the sale of bonds, or the sale of stock, no one is
going to just come over and hand us a bundle of money, and we
are not asking for specific grants from the Federal Government
either because we are the private sector. But if it takes that,
we are certainly not going to turn it down.
The thing is that nobody really wants to be subject to
mandated standards because the industry itself, the entire
critical infrastructure component of the Nation is so diverse.
A set of standards for a water company, a set of standards for
electric companies, chemical, railroad, pipelines, you cannot
adopt the same exact standard across the entire industry range.
It is going to take some kind of voluntary cooperative effort
on the part of Government and private sector in order to come
up with a set of standards. That is the first thing.
The other thing is that if there is an uncertain regulatory
environment with regard to the technologies that we implement,
we do not want our assets or our investments to be stranded.
So, for example, if there is really some good technology out
there for wireless SCADA control, because we have
point-to-point, end-to-end control over the infrastructure itself, as
communications medium is independent of the common carrier, it
is owned entirely by the critical infrastructure entity that is
going to use it, so it is private wireless facilities, then the
problem arises as to why was it exclusive, is it going to be
subject to interference. Could some future regulation end up
forcing us to compromise the security of that system simply
because it is not really ours to use, it is part of some grant
from a Federal agency, either the NTIA or the FCC. So it is a
combination of factors and I am not really sure what the real
answer is. But I think the industry itself needs to be given a
chance to come up with a set of standards and best practices
first, and perhaps a major investment in the INL labs is going
to be very helpful in that regard.
Mr. Putnam. Mr. Freese.
Mr. Freese. I will go back to the budget question, the
economic question. There are many companies, ours is one of
them, who have expended millions in the last couple of years to
improve security. Of course, we are going after cost recovery
options with the States on these things and, again, we are
trying to get people to listen to us based on tax incentives,
things like that. However, I kind of go back to this is an
awareness issue, first off. A company has to first of all have
executive support for security, understand its responsibilities
in the critical infrastructure organization. It is also an
investor-incentive. At some point we are going to be judged on
how secure is our company and how safe an investment is it in
the face of all of the potential threats that are out there. To
that end, we are following the NERC cyber security standards,
first iteration of those, industry-based standards, and hoping
to get other companies on board with those standards as well so
we can all work toward information sharing, collaboration on
security. I think budget is an important issue but a company
that is serious about infrastructure protection will allocate
funds for security, for both a business case and a security
case.
Mr. Putnam. Does the cyber security take a backseat to
physical security?
Mr. Freese. It does not take a back seat. In our
organization, we moved security out of IT and out of
facilities, to both under risk management. So we are part of
enterprise risk management right now. The budget is pretty much
allocated among the two sectors and we have been doing a very
comprehensive program of physical security upgrades for our
substations and plants as well as cyber security upgrades of
our SCADA systems. So we try to split it fairly equitably among
both of those sectors.
Mr. Putnam. Mr. Weiss.
Mr. Weiss. I see three areas. Again, I am trying to answer
more as a technologist, if you will. The first one is the
business case. One of the most difficult things I have seen is
that it is difficult for an executive to justify protecting a
system if he does not think it is at risk. And that is such a
great importance to the CERT for control systems. If an
executive realizes that his system is at risk and systems like
his have been compromised, there is much more of a reason that
he would be willing to spend the money.
The second thing is that as technology stands today, there
is not technology, as I mentioned, to secure the control system
itself. What there is are, as mentioned, best practices. They
are policies, they are procedures, they are audit functions, if
you will, the low hanging fruit. The longer term is the work
with the test bed to develop the technology.
The other piece, and I think this is important too because
it is a big issue in the cyber world, we have a culture issue
in many companies--this is not electric power, this is across
the board--and the culture issue is between the IT organization
and the operational organization. We need to figure out how to
resolve that because many operational organizations feel that
IT is more of a menace to them than somebody from the outside.
And we need to be able to address that because IT has that
security expertise. So it is, if you will, a multifaceted
problem.
Mr. Putnam. Mr. Verton, what policies can be enacted that
would encourage businesses to make the investment in security?
Mr. Verton. Mr. Chairman, just to answer that question
directly, I think the insurance industry in other sectors of
the economy is already making great strides to offer favorable
insurance rates to companies that meet certain standards and
guidelines. There are one or two companies now that are
offering those types of incentives. That is a type of effort
that would do the one thing that is not happening right now,
which is the national strategy to protect cyberspace only works
if all of the infrastructure sectors are moving simultaneously
forward. You cannot have one sector of the economy moving ahead
of the others. So that is a type of a very simple way to get
companies to apply these simple standards and practices.
Now if I could answer the previous question. My opinion is
that the current economic model is flawed. I believe that the
sellers will continue to sell what the buyers are buying. And
the problem is that too much of the burden has been shifted to
the end-user and the consumer of the technology as opposed to
the developers. Right now the buyers are buying a lot of junk
and they are being told to bear the burden to secure it after
the fact. I know you are doing a lot of work on that particular
type of issue, working with both the vendor and the end-user
community.
Standards and best practices are fine but they only work
when they are applied equally across the board. You cannot have
a standard or a best practice that is not mandatory for
everybody involved in this particular infrastructure. Somebody
is always going to be somebody else's weakest link. So if they
opt out, you have not really improved security for the entire
infrastructure. In that regard, suggestions that cost money go
nowhere unless you have some sort of mandatory requirement to
meet some sort of standard. I find it very ironic that the only
thing from what I can see that has resulted in an across the
board, cross industry, cross sector improvement in security has
been the one thing that the software industry and the hardware
industry pretty much have been dead set against, which is
regulation. Sarbanes-Oxley, HIPAA, and some other regulations
have been the only thing that have really driven an across the
board substantive improvement in security. And I think it is
very ironic that the one thing that the developers of software
and other technologies are dead set against is the only thing
that seems to have worked so far.
Mr. Putnam. So you do not see an industry-based, volunteer,
collaborative effort as being successful?
Mr. Verton. No, I do not think I would go that far. But my
opinion is that the private sector, when faced with tough
choices, when it comes to making a choice between spending a
lot of money that they cannot afford to secure the systems
because they are being told that they own and operate a
national security infrastructure, they need somebody to help
them with that. The Government cannot tell them that it is
their responsibility without saying and here is how we are
willing to help you. Because private sector is not in the
business of being defenders of America. This is an
unprecedented situation in American history, in my opinion,
that so much of our national security and our economic
stability is in the hands of private companies. So if you are
going to ask the private sector to bear the burden, you also
have to come to the table with some practical suggestions on
how that burden is going to be shared.
Mr. Freese. Mr. Chairman, may I add something to that?
Mr. Putnam. You may.
Mr. Freese. From the energy industry's perspective, we are
not asking the Government to do everything for us or to give us
all the money for all the security implementation we need to
have done. We are asking to help prepare us for the
extraordinary security event, extraordinary threat and attack
on the energy industry. The other things we will take care of
ourselves. But we try to get some assistance on the major
upgrades, major changes across the industry.
Mr. Putnam. I hear what you are saying. But as somebody who
is in business, granted, you have to meet a higher standard
when you are a public utility or a private utility.
Mr. Freese. Right.
Mr. Putnam. But at the end of the day, we have to strike
some balance between addressing vulnerabilities and doing a
good, thorough risk assessment and then trying to be all things
for all potential threats. And I do not know where that line
is. You squeeze the balloon here and you tighten up there, you
dig deeper moats and you build taller fences, and then you have
the cyber threat and so you move to the cyber threat, and in
the meantime your fences have gotten rusty and your moats have
filled in with sand and so you have to go back and dig those
out deeper and replace the fence, and then technology has
changed and everybody has gotten ahead of themselves, and then
terrorists give up on attacking a new plant when all they
really have to do is go into a shopping mall and use low tech
devices that are being used in the Middle East on a regular
basis.
As we wade through all this stuff and you start adding up
what it would take to secure the magic 1,700 that DHS has now
identified, knowing how many tens of thousands are not on that
list, you are going to go out of business making yourself
secure. You are not investing in R&D, you are not investing in
upgrades of the service that is your core mission because every
ounce of profit is going back into something that is not
generating economic growth. It is a dead-end issue
economically. So I do not know where the line is. You have an
obligation to do certain things. But I do not know that you
have an obligation to imagine every conceivable bad threat,
malicious attack that a gazillion people are out there trying
to think of against the United States. It just makes your head
hurt, doesn't it?
What is the role of the Department of Homeland Security in
this effort? And are they the right group of folks to fill this
mission on the cyber threat, particularly on control systems?
Mr. Verton. I will take that, Mr. Chairman.
Mr. Putnam. Go right ahead.
Mr. Verton. Since I started the frontal attack, if you
will, on DHS. My opinion has been pretty much the same as that
of Mr. Richard Clark, you might have heard of him recently,
that the position of cyber security has been, not the
individual but the position, demoted. I think that right now
the position is several layers down below where it needs to be.
Basically, it has been removed from a Presidential advisor role
to an advisor to an Assistant Secretary level. And I do not
think that Mr. Yoran at the moment has the ability to see
things that need to be fixed and take immediate action. So I
think there is still some thought that needs to be given to
the current organizational structure of DHS, particularly with
respect to the role of cyber.
Mr. Putnam. Is there a Presidential level advisor on
chemical-biological-radiological-nuclear devices?
Mr. Verton. I believe there is still a Presidential level
advisor for terrorism. The problem being, if I know the history
correctly, as Mr. Clark has told it, a special position was
created for cyber terrorism that was recommended by Mr. Clark
and he I think had every intention of remaining a Presidential
level advisor until the DHS proposal came around and it was
placed in the DHS, unfortunately not up at the secretary level
but several layers below.
Mr. Putnam. I think it is real easy to get hung up on what
the flow chart is instead of what the mission is.
Any other thoughts on that, Mr. Weiss?
Mr. Weiss. Yes. My thoughts are a little bit different.
Control systems are not unique to any single industry. To be
able to protect control systems, that function needs to reside
in whatever organization has the widest breadth to cover the
most industries. DOE's function is really energy. But the same,
for example, Honeywell control system that is in a power plant
is also in a refinery, it is also in a water plant, it is in a
chemical plant, it is in a paper mill. So I am really giving
you more of a question back. But the real issue in where this
needs to reside is what is the organization that will really
cover the industrial infrastructure because that is where the
vulnerability lies.
Mr. Putnam. Within the overall universe of cyber threats,
are threats to SCADA systems the greatest of cyber threats
because of their connection to the physical infrastructure?
Mr. Weiss. Again, I am going to answer this as a control
system engineer. The reason I believe that cyber threats are,
if you will, critical to control systems, our control systems
were not designed to be protected from them. So what is
happening is you have a much less resistant system. It is also
a system that has a lot higher consequence if something happens
to it. I hope, because I am not a policy person, that the
number of threats to these systems is much less than it is
to other places. But the other systems, in general, have been
designed or supposedly have been designed to resist those other
threats.
Mr. Putnam. Mr. Verton.
Mr. Verton. Mr. Chairman, I will answer that question from
a terrorism perspective. I think the answer is absolutely yes,
only because any time you have computers that control real
things in the real world that have public safety implications,
they inherently immediately become a potential target for
terrorists. So I think my technical colleagues on the panel
would agree that description fits the bill for SCADA systems,
if you will, across industries. So, yes, I think from a
terrorism perspective, they are a primary national security
concern.
Mr. Putnam. Mr. Freese.
Mr. Freese. I agree with Mr. Verton. Again, a lot of the
energy industry agrees with Mr. Verton because they are trying
to secure their control systems as much as they can. It is a
huge task and it is going to take a long time.
Mr. Katz. I would agree with that, too. From the
perspective of critical infrastructure industries, the threat
to SCADA systems and command and control systems is probably
much greater and would have greater consequences than threats
to our standard traditional data processing systems.
Mr. Putnam. How helpful would a SCADA-specific cert be?
Mr. Weiss. I believe from all of the meetings I have had
with different industries, through ISA, through IEEE, through
all of these different organizations, when the concept of a
cert from control systems is brought up, it is almost always on
the top of the list of what they think would be most helpful.
Mr. Putnam. Does everyone agree with that? OK. Let the
record reflect that everyone agrees with that.
Let us talk about public disclosure. I am going to start
with the reporter on this one. I always love hearing their
views on open records. Telecom systems use control systems that
require the public spectrum; that is an FCC issue, and disclosure
is an important part of it. As you know, blueprints, plans,
designs, electrical wiring, circuitry, everything is generally
available and easily accessible. What are your thoughts on
restricting that?
Mr. Verton. Mr. Chairman, I am obviously interested as a
journalist, somebody who would be interested in finding this
information and publishing it. But there have been many cases
where I have not published information because of my own
concerns and understanding of the damage it could do. Now I may
be unique among journalists in that respect.
I think there is a lot that can be done about restricting
not necessarily the disclosure of the information, but how it
is communicated to the people that need to know it. Let me give
you some examples of some very recent post-September 11
security assessments that were done just on public Web sites
for major, major corporations in, of all places, Lower
Manhattan. A CIA psychological profiler was hired to do a study
of the Web sites of various large Fortune 500 companies to find
out to what extent the content of their Web sites would make
them targets of Al Qaeda. This particular survey found detailed
maps and drawings of air conditioning and ventilation systems
for large office complexes, it found the load bearing
capacities of elevators, it found private data on some of the
senior executives, the number of people present at any one
office facility and where they worked, some banks had posted,
for example, notices that they had frozen Al Qaeda related bank
accounts for the world to see, support for globalization issues
which we know has been known to stimulate portions of the Al
Qaeda network.
So there needs to be a business case and a balance struck
between what you post on the Internet and maybe how you
communicate it to the people who need to know certain
information. For example, a local community has every right to
know that they are living within striking distance of a
dangerous chemical facility. They want to know that their
children are potentially in danger. But do we need to post, for
example, detailed information on that facility to the people in
that particular community? Do we need, for example, to post
detailed information on a uranium mining facility so that a
potential terrorist could figure out how to do the most harm?
And that is the balance that needs to be struck.
From a private sector perspective, the companies that own
and operate the critical infrastructures need to take a look at
what they are putting out in the public to determine whether or
not it serves their business. If it does not serve their
business, they need to start asking themselves hard questions
as to why are we putting it out there to begin with. And a lot
of these companies fall into that first category of putting out
their air conditioning and ventilation diagrams for their office
complexes. It makes absolutely no sense from a sales or a
marketing perspective.
Mr. Putnam. Does the public have a right to know that there
is a site in their community that is 1 of the 1,700 identified
lead targets?
Mr. Verton. I think a community has a right to know if that
1 of 1,700 is a dangerous chemical facility or a nuclear
reactor of some sort. Certainly, they have a right to know that
they are living within a danger zone. The question becomes how
do you communicate that to the public and to what level do you
communicate that information. I found, for example, I found a
map of the entire United States with the locations of all spent
nuclear fuel storage facilities on the Internet. Did that need
to be up there post-September 11? I am not sure. To my
knowledge, it was eventually taken down by the Department of
Energy. So that is the type of balance we need to strike, in my
opinion.
Mr. Putnam. Our right to know in the past, particularly
with the types of sites we are talking about here, was driven
by environmental concerns. And now we are talking about terror
threat-based concerns which are somewhat different. You have a
right to know if a particular chemical plant is discharging X
number of pounds of sulfur per year that has been known to have
a connection to higher incidents of cancer or whatever. All
that kind of stuff that is embedded in our environmental law.
But what are the consequences of letting the world know what we
think the top 1,700 are; meaning that everything that is not on
the top 1,700 has a lesser degree of preparation or prevention,
and what effect does that have on your business. Obviously, if
you run a nuclear plant, I do not think being on the top 1,700
is going to be a surprise to anyone. It is not going to affect
your insurance rate and it is not going to affect who your
neighbors are; they are pretty well aware of what they bought
into when they moved to the neighborhood. But the rubric that
they used was public health and safety, economic, which is very
nebulous, symbolic, which is extraordinarily subjective and
nebulous, and national security, which that ought to be fairly
identifiable. But people living next to a tourist attraction
might think that is a pretty good thing, not realizing that it
also might be a target for terrorists.
So, as we move down this road, and I wish there were
Members here from the other side of the aisle because they have
an outstanding record, as do most Members of Congress, pushing
for increased public disclosure, a very rigid FOIA law. But as
we deal with these new issues, we have to have this debate. And
I do not know where we end up.
Mr. Katz.
Mr. Katz. Thank you, sir. It is part of the dichotomy of
the entire process; and that is, yes, the public is entitled to
know certain things that may harm them, and at the same time
there is certain information that we make available because it
is required to be made available that can fall into the wrong
hands and be used against us. For example, Mr. Verton refers to
why would a utility market anything that deals with its
infrastructure and its office building about air conditioning
systems. Well, it does not do that. If we are building an
office building, at least in my State, we are probably going to
have to get local land-use approval, we are going to be before
a planning board or a zoning board of adjustment. Once that is
approved, now we are going to have to file plans with the
building department and secure all proper permits. So all of
those mechanical drawings, all of the electrical
infrastructure, everything about that building is now public
record because it is in the building department in the
municipality that is issuing the permits. So that is a public
record. Anybody who wants to find that can go get it.
We have Federal agencies that we need to deal with that
also disclose information to the public. At the same time, we
all comply with SARA Title III. And in the local level, every
business and industry in a community has to report to its local
Office of Emergency Management once each year all of the
chemicals and hazardous substances that it has onsite. That is
available to the public and it is also available to anybody who
wants to go break in to those facilities to be able to steal
harmful materials and use them against us.
So, yes, I agree that there is a need for public
disclosure. As a former chief executive officer of a
municipality, yes, the public should know these things. But to
what extent do we let them know about certain things that could
be used against us in a manner that hurts a lot of people. And
that is a wonderful policy issue for Congress to deal with,
and, Mr. Chairman, I wish you an awful lot of luck with that.
But, yes, it is there and I think we all recognize it.
Mr. Putnam. At what point does disclosure become harmful in
and of itself?
Mr. Katz. Exactly.
Mr. Putnam. Disclosure is intended to protect the public
from harm. But at what point does disclosure become harmful?
And that is clearly something we are going to have to deal
with. I do not know what ill purpose the public is served by
not having access to the blueprint of a nuclear power plant. I
cannot think of how the public is poorly served by not knowing
that, or knowing the precise latitude and longitude of switches
and valves and everything else. But I am sure that there are
plenty of people who would be happy to tell me what they are.
At this point, we are going to bring this in for a landing.
I want to give all of you the opportunity to give closing
remarks, deal with any issue that you came prepared to discuss
that we did not get to, or add your closing thoughts on the
topic in general. We will begin with Mr. Weiss and move down
the table.
Mr. Weiss, you are recognized.
Mr. Weiss. First of all, I wanted to thank you for inviting
me here. I very much appreciate that. I also appreciate that
this discussion itself took place. I just want to reiterate
three things. One is that control systems are truly important
but security was never a basic premise when they were designed.
They need to be protected. The second part is that there really
needs to be a business case for their protection. And that is
part of where that e-cert comes in. The third part is we need
an adequately funded test bed for, if you will, the entire
infrastructure to be able to evaluate and develop and
demonstrate technologies to secure these, and, to me, that is
the SCADA test bed. So, thank you.
Mr. Putnam. Thank you. Mr. Verton.
Mr. Verton. Mr. Chairman, thank you very much again for
having me here today. I will just close by saying that I feel
that these are very dangerous times for us post-September 11
because I think we are entering a phase where we are
potentially becoming dangerously complacent because of the fact
that nothing has happened since September 11. Particularly in
the electronic realm of this problem, the threat of cyber
terrorism, as we have been discussing today, faces a very
significant perception problem because people do not think that
people who are trying to kill us are interested in these
tactics, they do not think that they are capable of it. I have
documented plenty of instances arguing the opposite point of
view in that. I will just say that I think this is an urgent
national security matter. Also, I would hope that the private
sector gets some sort of real practical assistance in this
effort to make sure that these systems are secured in a way
that works for everybody.
Mr. Putnam. Thank you. Mr. Freese.
Mr. Freese. Taking the information disclosure one step
further, a lot of the discussions earlier from the Government
side focused on industry and Government cooperation, providing
information to each other to help secure the critical
infrastructure. But I think it needs to go further. Right now,
I think there needs to be a better awareness between Government
and industry of what the scope of the threat really is. I think
they have to make a joint commitment that they have to work
together, not just lip service like we have always heard, but
something that is concrete, some kind of a plan that we will
work together. This will require better information protection
for information submitted from utilities, between utilities, to
the States. All of those things have to be addressed. Right
now, a lot of the blockage on getting things done--for example,
the 1,700 list from the States is derived in a lot of cases
without energy companies or other infrastructure organizations
providing what they consider to be critical. The State says I
think that is critical, let's send it in. They ask the
infrastructure organizations for information. How can you
protect my information if I give it to you? If you cannot, I
cannot provide it. So there is kind of a roadblock there. We
need to eliminate that roadblock as soon as possible.
Mr. Putnam. Mr. Katz.
Mr. Katz. I agree, gentlemen. So I am not going to
duplicate that. On behalf of UTC, I would just like to thank
the committee for its time and attention to this matter. I
think it is extremely important to all of us. It is certainly
important to the critical infrastructure industries. And one of
the areas in which the Federal Government could really be
helpful is if there could be just one Federal agency with
accountability and responsibility to push this effort through.
Right now, DHS is still organizing itself, the other
independent Federal agencies do not see a lot of these issues
as in their ballpark or part of their jurisdiction. So it would
be very, very helpful if there was one point of contact within
the Federal Government for all of this in cyber security.
And I agree with Mr. Verton. I think the level of attention
that needs to be paid to cyber security at the Executive level
probably needs to be raised. With the departure of a cyber
security czar, it probably is not there anymore. And I realize
there are a number of national priorities and this is just one
of them. But it is an important one and you have the folks here
who are involved with that on a day-to-day basis and we
recognize it as being important. But we do need some Federal
leadership on this and the public sector will help and the
private sector will cooperate to the extent that it needs to in
order to get the job done because it helps all of us.
Mr. Putnam. Thank you, all of you for your comments. I
would urge you to keep DHS' feet to the fire and help us do the
same. At some point the excuse that they are a new department
will cease to be valid. It has already reached that point with
me. It is no longer an issue. They have had their 1 year
anniversary, they have cut the cake, and now no more excuses.
So we thank all of you very much for your candor and
insight and for your patience with the disjointed nature of
this hearing. I also want to thank Mr. Clay and Mrs. Miller for
their participation and interest in this issue.
In the event that there may be additional questions that we
did not have time for today, the record will remain open for 2
weeks for submitted questions and answers.
With that, the subcommittee stands adjourned.
[Whereupon, at 5:17 p.m., the subcommittee was adjourned,
to reconvene at the call of the Chair.]
[Additional information submitted for the hearing record
follows:]
[GRAPHIC] [TIFF OMITTED] T5799.067
[GRAPHIC] [TIFF OMITTED] T5799.068
[GRAPHIC] [TIFF OMITTED] T5799.069
[GRAPHIC] [TIFF OMITTED] T5799.070
[GRAPHIC] [TIFF OMITTED] T5799.071