Ensuring Critical Infrastructure Protection
Figure 6: Examples of Critical Infrastructures (clockwise from upper left: chemical plants, nuclear power plants, hydroelectric dams, and railroads)
Sources (clockwise from upper left): © Corbis, PhotoDisc, © Corbis, Digital Vision.
DHS faces challenges in meeting its responsibilities to protect the nation’s vast critical infrastructure—18 broad-ranging sectors including banking and finance, chemicals, communications, energy, public health and health care, transportation, and defense. Given that these sectors are largely owned and operated by the private sector or state and local governments, numerous parties have responsibility for securing and maintaining these networks. Key challenges include the following:
- Sectors vary considerably in their maturity and ability to develop their own protection plans, and face challenges in organizing and developing protection plans, such as a lack of full sector representation, the lack of an effective relationship with DHS, and a hesitancy by the private sector to share information with the government or within the sector.
Highlights of GAO-07-626T (PDF), Highlights of GAO-07-706R (PDF), Highlights of GAO-08-113 (PDF), and Highlights of GAO-08-1075T (PDF)
- Some sectors must depend on other sectors to function and provide assistance when responding to and recovering from an attack or disaster. However, it is unclear how much progress sectors have made in identifying these interdependencies, which may make it difficult for sectors to ensure that they can access needed technologies, energy sources, and other sector assets during recovery.
Highlights of GAO-08-113 (PDF), Highlights of GAO-07-706R (PDF)
- DHS must continue to allay private-sector concerns regarding sharing information on vulnerabilities and gaps in protection with the federal government, which stem from fears that the information will not be protected.
GAO-07-626T (PDF), Highlights of GAO-07-706R (PDF)
- Representatives from the private sector coordinating councils and the Homeland Security Advisory Committee are concerned that DHS's emphasis on protective measures—such as adding guards and gates to protect assets—may not be the optimal approach for securing the national critical systems. They indicate that DHS should emphasize infrastructure resiliency in addition to protection.
- There are serious security vulnerabilities at the Plum Island Animal Disease Center, the national laboratory responsible for diagnosing and researching exotic livestock diseases, such as foot-and-mouth disease. The accidental or deliberate release of pathogens from this facility, or the new facility replacing Plum Island, could be devastating to our nation's economy.
Full Report of GAO-08-306R (PDF, 10 pages), Highlights of GAO-03-847 (PDF)
What Needs to Be Done
- While DHS has developed a national infrastructure protection plan and facilitated the development of sector-specific plans, DHS needs to continue to oversee the implementation of these plans, measure sectors’ success at fulfilling the responsibilities identified within those plans, and systematically assess sectors’ planning to determine whether plans are adequate or if further steps are needed to secure these sectors.
Highlights of GAO-07-626T (PDF), Highlights of GAO-07-706R (PDF), Highlights of GAO-08-113 (PDF), Highlights of GAO-08-212T and Highlights of GAO-08-1157T (PDF)
- For computer-reliant critical infrastructure, DHS needs to improve its coordination with stakeholders when planning for incident response and recovery, conducting exercises, completing continuity plans for federal systems, and planning for the recovery of Internet functions.
Highlights of GAO-08-588 (PDF), Highlights of GAO-08-825 (PDF), Highlights of GAO-08-113 (PDF), and Highlights of GAO-08-1075T (PDF)
- Although DHS has made risk management a cornerstone of departmental policy, and some components have successfully applied it to certain functions, the department needs to refine its methodologies for measuring vulnerabilities across sectors and allocate resources accordingly.
Highlights of GAO-06-91 (PDF), Highlights of GAO-08-852 (PDF)
- Although DHS is sponsoring efforts to better secure control systems—such as computer systems used by industries to monitor and control sensitive processes and functions—it needs to better coordinate these efforts and share information with public- and private-sector entities, as appropriate.
Highlights of GAO-07-1036 (PDF)
- DHS needs to fully address its key cyber analysis and warning responsibilities related to monitoring networks, analyzing anomalies, providing timely warnings, and responding to threats.
Highlights of GAO-08-212 (PDF), Highlights of GAO-08-588 (PDF), Highlights of GAO-08-825 (PDF), and Highlights of GAO-08-1157T (PDF)
- DHS needs to continue to work with stakeholders to identify asset interdependencies within and across sectors so that it can use this information to plan future protective measures for assets that may be critical to the function of multiple sectors.
Highlights of GAO-08-113 (PDF), Full Report of GAO-07-706R (PDF, 18 pages)
Key Reports
- Critical Infrastructure Protection: DHS Needs to Better Address Its Cybersecurity Responsibilities. GAO-08-1157T, September 16, 2008. Full report: 19 pages.
- Critical Infrastructure Protection: DHS Needs to Fully Address Lessons Learned from Its First Cyber Storm Exercise. GAO-08-825, September 9, 2008. Full report: 39 pages.
- Cyber Analysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capability. GAO-08-588, July 31, 2008. Full report: 67 pages.
- Plum Island Animal Disease Center: DHS Has Made Significant Progress Implementing Security Recommendations, but Several Recommendations Remain Open. GAO-08-306R, December 17, 2007. Full report: 15 pages.
- Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain. GAO-08-119T, October 17, 2007. Full report: 15 pages.
- Critical Infrastructure: Sector Plans Complete and Sector Councils Evolving. GAO-07-1075T, July 12, 2007. Full report: 27 pages.
- Critical Infrastructure: Challenges Remain in Protecting Key Sectors. GAO-07-626T, March 20, 2007. Full report: 30 pages.
- Critical Infrastructure Protection: Progress Coordinating Government and Private Sector Efforts Varies by Sectors' Characteristics. GAO-07-39, October 16, 2006. Full report: 68 pages.
- Combating Bioterrorism: Actions Needed to Improve Security at Plum Island Animal Disease Center. GAO-03-847, September 19, 2003. Full report: 52 pages.