6. Background

Critical Infrastructure Sectors and Information Security

Critical infrastructure, as defined in the USA PATRIOT Act, is "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters." Examples of critical infrastructure include electric power generation and transmission, oil and gas production and distribution, communications, chemicals, agriculture and food processing, banking and finance, transportation systems, and water processing systems. Because of their vital role in U.S. security, the economy, and quality of life, the elements of the U.S. critical infrastructure are a potential target for terrorists, who could use physical or cyber attacks to interfere with, disrupt, damage, or destroy important facilities and capabilities.

Industry is increasingly dependent on information technology for both business operations and process controls, and many of these information systems directly use, or are accessible through, public systems (e.g., the Internet) and technologies (e.g., Wi-Fi and common operating systems). Yet the Internet was not designed with security in mind.

Control systems (systems that run manufacturing and distribution facilities) raise different security issues than do the business/administrative systems. It is harder to shut the control systems down to make changes in software or hardware because doing so means shutting down an industrial operation, such as chemical manufacturing or electricity generation. In addition, the control systems operate equipment that represents a major capital expense and that is replaced or upgraded less frequently than are business systems. As a result, security fixes to control systems often require retrofitting, rather than just waiting for equipment to be replaced. Finally, while business systems (for activities like billing) are relatively similar across industries, the control systems generally use specialized protocols and configurations specific to a particular industry. As a result, customized security solutions and strategies, including specialized testing, need to be developed.

Industry responses to cyber vulnerability have depended on: (1) the type of information systems used in the sector, (2) how clear the risks associated with cyber attacks are, (3) what the value and return on investment in cyber security would be, (4) the availability of relevant cyber security technologies, and (5) (sometimes) what governmental action has been taken or is perceived as having the potential to be taken. For example, the financial and banking industries were very aggressive in adopting information security technologies, due in part to the fact that the extent of their vulnerability was very clear and that technologies to protect information and communications (the primary need in this area) have long been a focus of cyber security development efforts.

In other industries, there are a variety of cyber security-focused activities underway. In the electric power industry, the North American Electric Reliability Council (an industry coordination group) recently developed and adopted an interim cyber security standard that outlines the minimum requirements needed to ensure the security of the electronic exchange of information that supports grid reliability and market operations; work on a permanent standard is underway. In addition, Congress has focused attention on cyber security as a key element of ensuring electric reliability and drinking water safety. The Environmental Protection Agency has worked with the water industry on understanding how its water processing facilities depend on information systems and what risks that dependence creates.

The chemical sector has developed a Chemical Sector Cyber Security Program, which is building on existing cooperative industry groups to carry out cyber security-specific activities. A sector-wide cyber security strategy was organized in 2002, and activities currently underway include work on establishing management practices, guidelines, and standards, on information sharing, and on encouraging accelerated development of improved security technologies. In addition, the chemical sector companies involved with the program support legislation that would establish national security guidelines for chemical facilities, require companies to conduct site vulnerability assessments and implement security plans, and create strong enforcement authority to help ensure that facilities and systems are secure.

In addition to specific cyber security activities, all critical infrastructure sectors have Information Sharing and Analysis Centers (ISACs), which provide a forum for companies to exchange, analyze and disseminate information about vulnerabilities, threats, and incidents in a trusted environment. (The establishment of ISACs was mainly a response to Presidential Decision Directive 63 (issued in 1998), which encouraged industry to form such groups. Each ISAC has a different structure and relationship with the government, depending on the specific industry's needs, history, and regulatory environment.) In general, discussion of cyber security issues is considered an important element of ISAC-based interactions, and cross-sector discussions of cyber security issues are coordinated by the information technology sector's ISAC.

Department of Homeland Security Cyber Security Activities and Responsibilities

Cyber security activities at DHS are carried out in two directorates: the Information Analysis and Infrastructure Protection Directorate, whose National Cyber Security Division (NCSD) is responsible for operational cyber security, and the Science and Technology Directorate, which is responsible for cyber security research and development programs.

Operational Cyber Security at DHS

After the recently completed department-wide Second Stage Review, the Secretary of Homeland Security has proposed and begun to implement a number of organizational changes, including the creation of an Assistant Secretary for Cyber Security and Telecommunications position. This office will be responsible for identifying and assessing the vulnerability of critical telecommunications infrastructure and assets, providing timely and usable threat information, and leading the national response to cyber and telecommunications attacks. (To date, the NCSD has reported to the existing Assistant Secretary for Infrastructure Protection; going forward, the new Assistant Secretary will be parallel to this position.3)

The responsibilities of the NCSD are defined by several documents, including the National Strategy to Secure Cyberspace, Homeland Security Presidential Directive 7 (HSPD-7) on Critical Infrastructure Identification, Prioritization, and Protection,4 the Interim National Infrastructure Protection Plan, and the National Response Plan. In FY06, $73 million was requested for NCSD, a $6 million increase from the level appropriated for FY05. The NCSD's mission, as defined in HSPD-7, includes analysis, warning, information sharing, vulnerability reduction, mitigation, and aiding national recovery efforts for critical infrastructure information systems.5 Currently, within these broad goals, three areas of particular concern and focus for NCSD in the area of critical infrastructure protection are (1) strategies to improve the resiliency of the Internet against disruption, (2) improving the security of control systems, and (3) improving software assurance (trying to move from patch management to systems that emphasize security as software is being developed).

One of the most important activities of NCSD is coordination with the private sector on efforts to reduce vulnerabilities and minimize the severity of cyber attacks. Information sharing is necessary to ensure awareness of vulnerabilities and of ways to mitigate them, awareness of threats and attack methods, and preparedness for response and recovery. Companies are expected to be a source of information about what problems they are experiencing and what solutions have been effective, while the government (primarily via DHS) is expected to be a source of information about threats. Both government and industry acknowledge that information sharing needs to be improved. Industry has been reluctant to share sensitive information about incidents. In addition, it has been unclear whether DHS has developed the policies or attracted the expertise to ensure the confidentiality of sensitive information and to provide reliable analysis and feedback about threats and potential solutions.

A variety of activities are underway in the NCSD to carry out its mission. These include the U.S. Computer Emergency Readiness Team (US-CERT), which was established in 2003 as a partnership between DHS and the public and private sectors. US-CERT is responsible for analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities. Another key NCSD activity is organizing exercises to test preparedness and response plans for cyber attack. The next such exercise is scheduled for November 2005 and will include public and private sector participants, including companies from the energy, financial, and transportation sectors.

3 The new Assistant Secretary for Cyber Security and Telecommunications will be Presidentially appointed, but not Senate confirmed. The new position was announced on July 13, 2005, but as of the date of this hearing an appointment had not yet been made.

4 Homeland Security Presidential Directive 7 (HSPD-7) on Critical Infrastructure Identification, Prioritization, and Protection is available on line at http://www.whitehouse.gov/news/releases/2003/12/20031217-5.html.

5 To meet its responsibilities from HSPD-7, as well as other national strategies and plans, NCSD has defined for itself six core goals: (1) establish a National Cyber Security Response System to prevent, detect, respond to, and reconstitute rapidly after cyber incidents; (2) work with public and private sectors to reduce vulnerabilities and minimize the severity of cyber attacks; (3) promote a comprehensive national awareness program to empower American businesses, the general workforce, and the general population to secure their own parts of cyberspace; (4) foster adequate training and education programs to support the Nation's cyber security needs; (5) coordinate with the intelligence and law enforcement communities to identify and reduce threats to cyberspace; and (6) build a world-class organization that aggressively advances its cyber security mission and goals in partnership with its public and private stakeholders.

Cyber Security Research and Development at DHS

Research and development related to cyber security are the responsibility of the DHS Science and Technology Directorate. In FY06, $16.7 million was requested for the cyber security programs in the Science and Technology Directorate, a $1.3 million decrease from the level appropriated for FY05. Specific programs focus on improving the security of Internet communication protocols and developing technologies to enhance the cyber security of critical infrastructure sectors, including process control systems. Support and coordination are also provided for the collection of large-scale data sets about network behavior that researchers can use to better understand problems with networks and design potential solutions. Testbeds are also a critical element of DHS Science and Technology Directorate cyber security programs. The Directorate supports and participates in the NSF-funded Cyber Defense Technology Experimental Research (DETER) testbed (described below). It also works with the Department of Energy (at Sandia and Idaho National Laboratories) to support a control systems testbed, which is critical for the design and verification of security technologies for control system applications. Since these systems typically run continuously or nearly so and their actions have real-time physical consequences, any security solution must be designed for the configuration in which the equipment and software are used and rigorously tested in realistic situations.

Cyber Security at Other Government Agencies and Interagency Coordination

Operational Cyber Security

Each critical infrastructure sector is associated with a lead government agency. For some sectors (e.g., chemicals, transportation systems, information technology and telecommunications), the lead agency is DHS, but for many other sectors, another agency is the lead (e.g., the Department of Energy for the electric power and oil and gas sectors, the Environmental Protection Agency for water treatment facilities, the Department of the Treasury for banking and finance, and the Department of Agriculture for the food sector). However, HSPD-7, the 2003 Presidential Directive that designated the lead agencies, also clearly articulated that DHS would continue to maintain an organization to serve as a focal point for the security of cyberspace. For example, DHS, the Department of Defense (DOD), and the Department of Justice co-chair the interagency National Cyber Response Coordination Group. In addition to coordinating with other agencies on the cyber security of critical infrastructure facilities, DHS also works with the Office of Management and Budget, which has significant responsibilities for the security of the Federal Government's information systems.

Cyber Security Research and Development Programs

Significant cyber security research and development programs are underway in a variety of federal agencies, including the National Science Foundation (NSF), the National Institute of Standards and Technology (NIST), and the Defense Advanced Research Projects Agency (DARPA). The programs at NSF and NIST were authorized by the Cyber Security Research and Development Act (P.L. 107–305).

At NSF, cyber security research is conducted under the auspices of the Cyber Trust program, which supports projects designed to make networked computer systems more predictable, more accountable, and less vulnerable to attack and abuse. This program is funded at $65 million in FY05, and the projects supported cover a wide variety of information security areas. Critical infrastructure applications are included; in August 2005, NSF provided funding to a new center at the University of Illinois to perform research to support the design, construction and validation of a secure cyberinfrastructure for the next-generation electric power grid. (Both the Department of Energy and DHS have pledged to collaborate with NSF to fund and manage this effort.) Another relevant project is the Cyber Defense Technology Experimental Research (DETER) testbed, which provides an experimental environment in which government, academic, and industry cyber security researchers can safely analyze and measure attacks and develop attack mitigation and confinement strategies. (DHS also provides some funding for DETER.) These research and testbed projects also have educational elements, as the laboratories supported by those funds become centers of expertise in information systems for critical infrastructure and train the personnel that critical infrastructure companies and information technology companies need to improve the security of critical infrastructure sector applications. In addition to its cyber security research programs, NSF also supports cyber security education activities, including scholarships and curriculum development (these programs received $16 million in FY05).

At NIST, cyber security activities are centered in the Computer Security Division, which was funded at $19 million in FY05. The division's activities include developing standards, metrics, tests, guidelines, and validation programs related to information security and studying and raising awareness of information technology risks, vulnerabilities, and protection requirements. NIST also has specific responsibilities under the Federal Information Security Management Act of 2002 for developing standards for federal information systems security and supporting federal agencies' cyber security efforts. An example of a recent NIST cyber security project (supported by DHS) is the August 2005 launch of the National Vulnerability Database, which contains about 12,000 entries describing vulnerabilities in commonly used information technology products. (About 10 new entries are added each day.) The database integrates all publicly available U.S. Government vulnerability resources and is designed to provide references to industry resources.

A number of other agencies, mainly in DOD, have cyber security research and development activities. The DOD activities focus mainly on specific information assurance requirements related to DOD's military and intelligence missions. The Department of Energy's programs are focused primarily on applications related to the energy and electric power sectors (as in the work on control systems testbeds at Department of Energy laboratories described above).

All of these programs are coordinated through the National Science and Technology Council's (NSTC's) Interagency Working Group on Critical Information Infrastructure Protection Research and Development. In response to recommendations from the President's Information Technology Advisory Committee, this interagency group has recently been reformulated to report to both the NSTC Subcommittee on Infrastructure and its Subcommittee on Networking and Information Technology Research and Development. This group has recently begun work on defining top cyber security research and development needs and mapping those needs against current federal activities.

7. Witness Questions

Questions for Mr. Andy Purdy:

• How do critical infrastructure sectors depend on public and private information systems? What are the possible consequences for these sectors of disruption or attack on their information systems? What steps is DHS taking to help these sectors secure their systems?

• How does DHS work with the critical infrastructure sectors to gather and communicate information about threats, risks, and solutions related to cyber security?

• In what areas are current cyber security technical solutions for critical infrastructure applications inadequate? Where is further research needed to mitigate existing and emerging threats and vulnerabilities? How is DHS working with industry and academic researchers to define priorities for and support research in these areas? How does DHS coordinate these efforts within DHS and with other federal agencies, such as NSF, NIST, and DARPA?

Questions for Mr. John Leggate:

• How does the energy sector depend on public and private information systems? What are the possible consequences for the energy sector of disruption or attack on its information systems? What steps is BP taking to secure its systems?

• What are the most critical responsibilities of DHS in cyber security for the energy sector and what are the most urgent steps the new Assistant Secretary for Cyber Security and Telecommunications should take?

• In what areas are current cyber security technical solutions for the energy sector inadequate? Where is further research needed to mitigate existing and emerging threats and vulnerabilities? How should federal agencies, such as DHS, NSF, NIST, and DARPA, and academic researchers work with industry to define priorities for and support research in these areas?

Questions for Mr. David Kepler:

• How does the chemical sector depend on public and private information systems? What are the possible consequences for the chemical sector of disruption or attack on its information systems? What steps is Dow taking to secure its systems?

• What are the most critical responsibilities of DHS in cyber security for the chemical sector and what are the most urgent steps the new Assistant Secretary for Cyber Security and Telecommunications should take?

• In what areas are current cyber security technical solutions for the chemical sector inadequate? Where is further research needed to mitigate existing and emerging threats and vulnerabilities? How should federal agencies, such as DHS, NSF, NIST, and DARPA, and academic researchers work with industry to define priorities for and support research in these areas?

Questions for Mr. Gerald Freese:

• How does the electric power sector depend on public and private information systems? What are the possible consequences for the electric power sector of disruption or attack on its information systems? What steps is American Electric Power taking to secure its systems?

• What are the most critical responsibilities of DHS in cyber security for the electric power sector and what are the most urgent steps the new Assistant Secretary for Cyber Security and Telecommunications should take?

• In what areas are current cyber security technical solutions for the electric power sector inadequate? Where is further research needed to mitigate existing and emerging threats and vulnerabilities? How should federal agencies, such as DHS, NSF, NIST, and DARPA, and academic researchers work with industry to define priorities for and support research in these areas?

Questions for Mr. Andrew Geisse:

• How does the communications sector depend on public and private information systems? What are the possible consequences for the communications sector of disruption or attack on its information systems? What steps is SBC taking to secure its systems?

• What are the most critical responsibilities of DHS in cyber security for the communications sector and what are the most urgent steps the new Assistant Secretary for Cyber Security and Telecommunications should take?

• In what areas are current cyber security technical solutions for the communications sector inadequate? Where is further research needed to mitigate existing and emerging threats and vulnerabilities? How should federal agencies, such as DHS, NSF, NIST, and DARPA, and academic researchers work with industry to define priorities for and support research in these areas?