Ensuring Critical Infrastructure Protection

What Needs to Be Done | Key Reports

Figure 6: Examples of Critical Infrastructures (clockwise from upper left: chemical plants, nuclear power plants, hydroelectric dams, and railroads)

Examples of Critical Infrastructures

Sources (clockwise from upper left): © Corbis, PhotoDisc, © Corbis, Digital Vision.

DHS faces challenges in meeting its responsibilities to protect the nation’s vast critical infrastructure—18 broad ranging sectors including banking and finance, chemicals, communications, energy, public health and health care, transportation, and defense. Given that these sectors are largely owned and operated by the private sector or state and local governments, numerous parties have responsibility for securing and maintaining these networks. Key challenges include the following:

  • Sectors vary considerably in their maturity and ability to develop their own protection plans, and face challenges in organizing and developing protection plans, such as a lack of full sector representation, the lack of an effective relationship with DHS, and a hesitancy by the private sector to share information with the government or within the sector.
    Highlights of GAO-07-626T (PDF), Highlights of GAO-07-706R (PDF), Highlights of GAO-08-113 (PDF), and Highlights of GAO-08-1075T (PDF)
  • Some sectors must depend on other sectors to function and provide assistance when responding to and recovering from an attack or disaster. However, it is unclear how much progress sectors have made in identifying these interdependencies, which may make it difficult for sectors to ensure that they can access needed technologies, energy sources, and other sector assets during recovery.
    Highlights of GAO-08-113 (PDF), Highlights of GAO-07-706R (PDF)
  • DHS must continue to allay private-sector concerns regarding sharing information on vulnerabilities and gaps in protection with the federal government, fearing that the information will not be protected.
    GAO-07-626T (PDF), Highlights of GAO-07-706R (PDF)
  • Representatives from the private sector coordinating councils and the Homeland Security Advisory Committee are concerned that DHS's emphasis on protective measures—such as adding guards and gates to protect assets—may not be the optimal approach for securing the national critical systems. They indicate that DHS should emphasize infrastructure resiliency in addition to protection.
    Homeland Security Advisory Council, Top Ten Challenges Facing The Next Secretary of Homeland Security
  • There are serious security vulnerabilities at the Plum Island Animal Disease Center, the national laboratory responsible for diagnosing and researching exotic livestock diseases, such as foot-and-mouth disease. The accidental or deliberate release of pathogens from this facility, or the new facility replacing Plum Island, could be devastating to our nation's economy.
    Full Report of GAO-08-306R (PDF, 10 pages), Highlights of GAO-03-847 (PDF)

^ Back to topWhat Needs to Be Done

  • While DHS has developed a national infrastructure protection plan, and facilitated the development of sector specific plans, DHS needs to continue to oversee the implementation of these plans, measure sectors’ success at fulfilling the responsibilities identified within those plans, and systematically assess sectors’ planning to determine whether plans are adequate or if further steps are needed to secure these sectors.
    Highlights of GAO-07-626T (PDF), Highlights of GAO-07-706R (PDF), Highlights of GAO-08-113 (PDF), Highlights of GAO-08-212T and Highlights of GAO-08-1157T (PDF)
  • For computer-reliant critical infrastructure, DHS needs to improve its coordination with stakeholders when planning for incident response and recovery, conducting exercises, completing continuity plans for federal systems, and planning for the recovery of Internet functions.
    Highlights of GAO-08-588 (PDF), Highlights of GAO-08-825 (PDF), Highlights of GAO-08-113 (PDF), and Highlights of GAO-08-1075T (PDF)
  • Although DHS has made risk management a cornerstone of departmental policy, and some components have successfully applied it to certain functions, the department needs to refine its methodologies for measuring vulnerabilities across sectors and allocate resources accordingly.
    Highlights of GAO-06-91 (PDF), Highlights of GAO-08-852 (PDF)
  • Although DHS is sponsoring efforts to better secure control systems—such as computer systems used by industries to monitor and control sensitive processes and functions—it needs to better coordinate these efforts and share information with public- and private-sector entities, as appropriate.
    Highlights of GAO-07-1036 (PDF)
  • DHS needs to fully address its key cyber analysis and warning responsibilities related to monitoring networks, analyzing anomalies, providing timely warnings, and responding to threats.
    Highlights of GAO-08-212 (PDF), Highlights of GAO-08-588 (PDF), Highlights of GAO-08-825 (PDF), and Highlights of GAO-08-1157T (PDF)
  • DHS needs to continue to work with stakeholders to identify asset interdependencies within and across sectors so that it can use this information to plan future protective measures for assets that may be critical to the function of multiple sectors.
    Highlights of GAO-08-113 (PDF), Full Report of GAO-07-706R (PDF, 18 pages)

^ Back to topKey Reports

Critical Infrastructure Protection: DHS Needs to Better Address Its Cybersecurity Responsibilities
GAO-08-1157T, September 16, 2008
Summary (HTML)   Highlights Page (PDF)   Full Report (PDF, 19 pages)   Accessible Text
Critical Infrastructure Protection: DHS Needs to Fully Address Lessons Learned from Its First Cyber Storm Exercise
GAO-08-825, September 9, 2008
Summary (HTML)   Highlights Page (PDF)   Full Report (PDF, 39 pages)   Accessible Text   Recommendations (HTML)
Cyber Analysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capability
GAO-08-588, July 31, 2008
Summary (HTML)   Highlights Page (PDF)   Full Report (PDF, 67 pages)   Accessible Text   Recommendations (HTML)
Plum Island Animal Disease Center: DHS Has Made Significant Progress Implementing Security Recommendations, but Several Recommendations Remain Open
GAO-08-306R, December 17, 2007
Summary (HTML)   Full Report (PDF, 15 pages)   Accessible Text
Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain
GAO-08-119T, October 17, 2007
Summary (HTML)   Highlights Page (PDF)   Full Report (PDF, 15 pages)   Accessible Text
Critical Infrastructure: Sector Plans Complete and Sector Councils Evolving
GAO-07-1075T, July 12, 2007
Summary (HTML)   Highlights Page (PDF)   Full Report (PDF, 27 pages)   Accessible Text
Critical Infrastructure: Challenges Remain in Protecting Key Sectors
GAO-07-626T, March 20, 2007
Summary (HTML)   Highlights Page (PDF)   Full Report (PDF, 30 pages)   Accessible Text
Critical Infrastructure Protection: Progress Coordinating Government and Private Sector Efforts Varies by Sectors' Characteristics
GAO-07-39, October 16, 2006
Summary (HTML)   Highlights Page (PDF)   Full Report (PDF, 68 pages)   Accessible Text
Combating Bioterrorism: Actions Needed to Improve Security at Plum Island Animal Disease Center
GAO-03-847, September 19, 2003
Summary (HTML)   Highlights Page (PDF)   Full Report (PDF, 52 pages)   Accessible Text   Recommendations (HTML)
More Reports More Results Toggle
GAO Contact
portrait of Stephen Caldwell

Stephen Caldwell

Director, Homeland Security and Justice

caldwells@gao.gov

(202) 512-9610

portrait of David Powner

David Powner

Director, Information Technology

pownerd@gao.gov

(202) 512-9286