Cyber Infrastructure Protection

"Our nation's critical infrastructure includes the public and private systems and assets vital to national security, economic stability, and public health and safety. Federal policy identifies 16 critical infrastructure sectors, including the financial services, energy, transportation, and communications sectors. To better address cyberrelated risks to critical infrastructure, in 2014, NIST [National Institute of Standards and Technology] developed, as called for by federal law and policy, 'the Framework for Improving Critical Infrastructure Cybersecurity', a voluntary framework of cybersecurity standards and procedures for industry to adopt. The Cybersecurity Enhancement Act of 2014 included provisions for GAO to review aspects of the cybersecurity standards and procedures in the framework developed by NIST. GAO's [Government Accountability Office] objective was to assess what is known about the extent to which critical infrastructure sectors have adopted the framework. To do so, GAO analyzed documentation, such as sector-specific guidance and tools to facilitate implementation, and interviewed relevant federal and nonfederal officials from the 16 critical infrastructure sectors."

"Critical infrastructure is defined in the USA PATRIOT Act (P.L. 107-56, §1016(e)) as 'systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.' Presidential Decision Directive 63, or PDD-63, identified activities whose critical infrastructures should be protected: information and communications; banking and finance; water supply; aviation, highways, mass transit, pipelines, rail, and waterborne commerce; emergency and law enforcement services; emergency, fire, and continuity of government services; public health services; electric power, oil and gas production; and storage. In addition, the PDD identified four activities in which the federal government controls the critical infrastructure: (1) internal security and federal law enforcement; (2) foreign intelligence; (3) foreign affairs; and (4) national defense. In February 2013, the Obama Administration issued PPD-21, Critical Infrastructure Security and Resilience, which superseded HSPD-7 issued during the George W. Bush Administration. PPD-21 made no major changes in policy, roles and responsibilities, or programs, but did order an evaluation of the existing public-private partnership model, the identification of baseline data and system requirements for efficient information exchange, and the development of a situational awareness capability. PPD-21 also called for an update of the National Infrastructure Protection Plan, and a new Research and Development Plan for Critical Infrastructure, to be updated every four years. This report serves as a starting point for congressional staff assigned to cover cybersecurity issues as they relate to critical infrastructure."

"In the United States, it is generally taken for granted that the electricity needed to power the U.S. economy is available on demand and will always be available to power our machines and devices. However, in recent years, new threats have materialized as new vulnerabilities have come to light, and a number of major concerns have emerged about the resilience and security of the nation's electric power system. In particular, the cybersecurity of the electricity grid has been a focus of recent efforts to protect the integrity of the electric power system. The increasing frequency of cyber intrusions on industrial control (IC) systems of critical infrastructure continues to be a concern to the electric power sector. Power production and flows on the nation's electricity grid are controlled remotely by a number of IC technologies. The National Security Agency (NSA) reported that it has seen intrusions into IC systems by entities with the apparent technical capability 'to take down control systems that operate U.S. power grids, water systems and other critical infrastructure.' […] This report highlights several areas for congressional consideration to improve grid cybersecurity. One issue is whether electric utilities have the resources to make the financial investment and recruit staff to reduce vulnerabilities. Another issue is that NERC CIP standards do not apply to all points of grid connection to the distribution system, and these connections still may represent cyber vulnerabilities. The adequacy of current standards where they do apply is also an issue."

"Cybersecurity vulnerabilities challenge governments, businesses, and individuals worldwide. Attacks have been initiated against individuals, corporations, and countries. Targets have included government networks, companies, and political organizations, depending upon whether the attacker was seeking military intelligence, conducting diplomatic or industrial espionage, engaging in cybercrime, or intimidating political activists. In addition, national borders mean little or nothing to cyberattackers, and attributing an attack to a specific location can be difficult, which may make responding problematic. Despite many recommendations made over the past decade, most major legislative provisions relating to cybersecurity had been enacted prior to 2002. However, on December 18, 2014, in the last days of the 113th Congress, five cybersecurity bills were signed by the President."

"This book provides an integrated view and a comprehensive framework of the various issues relating to cyber infrastructure protection. It provides the foundation for long-term policy development, a roadmap for cyber security, and an analysis of technology challenges that impede cyber infrastructure protection. The book is divided into three main parts. Part I deals with strategy and policy issues related to cyber security. It provides a theory of cyber power, a discussion of Internet survivability as well as large scale data breaches and the role of cyber power in humanitarian assistance. Part II covers social and legal aspects of cyber infrastructure protection and it provides discussions concernsing the attack dynamics of politically and religiously motivated hackers. Part III discusses the technical aspects of cyber infrastructure protection including the resilience of data centers, intrusion detection, and a strong focus on IP-networks."

"This book is a follow-on to our earlier book published in 2011 and represents a detailed look at various aspects of cyber security. The chapters in this book are the result of invited presentations in a 2-day conference on cyber security held at the City University of New York, City College, June 8-9, 2011. Our increased reliance on the Internet, information, and networked systems has also raised the risks of cyber attacks that could harm our nation's cyber infrastructure. The cyber infrastructure encompasses a number of sectors including the nation's mass transit and other transportation systems, railroads, airlines, the banking and financial systems, factories, energy systems and the electric power grid, and telecommunications, which increasingly rely on a complex array of computer networks. Many of these infrastructures' networks also connect to the public Internet. Unfortunately, many information systems, computer systems, and networks were not built and designed with security in mind. As a consequence, our cyber infrastructure contains many holes, risks, and vulnerabilities that potentially may enable an attacker to cause damage or disrupt the operations of this cyber infrastructure. Threats to the safety and security of the cyber infrastructure come from many directions: hackers, terrorists, criminal groups, and sophisticated organized crime groups; even nation-states and foreign intelligence services conduct cyber warfare. Costs to the economy from these threats are huge and increasing. Cyber infrastructure protection refers to the defense against attacks on such infrastructure and is a major concern of both the government and the private sector."

"The United States is committed to an open, secure, interoperable, and reliable Internet that enables prosperity, public safety, and the free flow of commerce and ideas. These qualities of the Internet reflect core American values -- of freedom of expression and privacy, creativity, opportunity, and innovation. And these qualities have allowed the Internet to provide social and economic value to billions of people. Within the U.S. economy alone, anywhere from three to 13 percent of business sector value-added is derived from Internet-related businesses. Over the last ten years Internet access increased by over two billion people across the globe.. Yet these same qualities of openness and dynamism that led to the Internet's rapid expansion now provide dangerous state and non-state actors with a means to undermine U.S. interests. […] This strategy recognizes that effective cybersecurity will require close collaboration within DoD and across the federal government, with industry, with international allies and partners, and with state and local governments. The pursuit of security in cyberspace requires a whole-of-government and international approach due to the number and variety of stakeholders in the domain, the flow of information across international borders, and the distribution of responsibilities, authorities, and capabilities across governments and the private sector. For each of DoD's missions, DoD must continue to develop routine relationships and processes for coordinating its cyber operations."

"Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards."

"In February 2013, the President signed Executive Order (EO) 13636, 'Improving Critical Infrastructure Cybersecurity,' and Presidential Policy Directive (PPD)-21, 'Critical Infrastructure Security and Resilience.' That same day, President Obama warned in his State of the Union Address: America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people's identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. The policies set forth in these directives are intended to strengthen the security and resilience of critical infrastructure against evolving threats and hazards, while incorporating strong privacy and civil liberties protections into every cybersecurity initiative. These documents call for an updated and overarching national Framework that reflects the increasing role of cybersecurity in securing physical assets. […] EO 13636 and PPD-21 are intended to strengthen the security and resilience of critical infrastructure through an updated and overarching national Framework that acknowledges the increased role of cybersecurity in securing physical assets. The government and the private sector have a mutually shared interest in ensuring the viability of critical infrastructure, and the provision of essential services, under all conditions. Critical infrastructure owners and operators are often the greatest beneficiary of investing in their own security, and they have a social responsibility to adopt best practices for cybersecurity. However, the private sector may be justifiably concerned about the return on security investments that may not yield immediately measureable benefits. Effective incentives can help the private sector justify the costs of improved cybersecurity by balancing the short-term costs of additional investment with similarly near-term benefits."

"[I]n order to enhance cybersecurity awareness and protections at all levels of Government, business, and society, to protect privacy, to ensure public safety and economic and national security, and to empower Americans to take better control of their digital security, it is hereby ordered as follows: Section 1. Establishment. There is established within the Department of Commerce the Commission on Enhancing National Cybersecurity (Commission). Sec. 2. Membership. (a) The Commission shall be composed of not more than 12 members appointed by the President. The members of the Commission may include those with knowledge about or experience in cybersecurity, the digital economy, national security and law enforcement, corporate governance, risk management, information technology (IT), privacy, identity management, Internet governance and standards, government administration, digital and social media, communications, or any other area determined by the President to be of value to the Commission. […] Sec. 3. Mission and Work. The Commission will make detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions, and bolstering partnerships between Federal, State, and local government and the private sector in the development, promotion, and use of cybersecurity technologies, policies, and best practices. The Commission's recommendations should address actions that can be taken over the next decade to accomplish these goals."

"The Nation's critical infrastructure provides the essential services that underpin American society. Proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning, and resilient critical infrastructure -- including assets, networks, and systems -- that are vital to public confidence and the Nation's safety, prosperity, and well-being. The Nation's critical infrastructure is diverse and complex. It includes distributed networks, varied organizational structures and operating models (including multinational ownership), interdependent functions and systems in both the physical space and cyberspace, and governance constructs that involve multi-level authorities, responsibilities, and regulations. Critical infrastructure owners and operators are uniquely positioned to manage risks to their individual operations and assets, and to determine effective strategies to make them more secure and resilient. Critical infrastructure must be secure and able to withstand and rapidly recover from all hazards. Achieving this will require integration with the national preparedness system across prevention, protection, mitigation, response, and recovery. This directive establishes national policy on critical infrastructure security and resilience. This endeavor is a shared responsibility among the Federal, state, local, tribal, and territorial (SLTT) entities, and public and private owners and operators of critical infrastructure (herein referred to as 'critical infrastructure owners and operators'). This directive also refines and clarifies the critical infrastructure-related functions, roles, and responsibilities across the Federal Government, as well as enhances overall coordination and collaboration. The Federal Government also has a responsibility to strengthen the security and resilience of its own critical infrastructure, for the continuity of national essential functions, and to organize itself to partner effectively with and add value to the security and resilience efforts of critical infrastructure owners and operators."

"Cyber Storm was designed to exercise communication, incident response policies, and operational procedures in response to various cyber incidents, and to identify future planning and process improvements. The exercise challenged players to identify policies and procedures required for sharing information with groups internal and external to their organizations, such as across Federal and State departments, private organizations, and across international borders. This required players to determine what information should be shared with which organization and at what time. The exercise also highlighted the collaboration capabilities among international and government communities and their respective capacity to maximize communications and enhance response and recovery efforts. The findings from the exercise showed many areas where intra-sector, cross-sector and public/private partnerships worked effectively to communicate and resolve issues but also highlighted areas where communications and planning could be improved. Future focus on correlation of multiple incidents; and communication, coordination, and collaboration across the cyber incident response community were emphasized by both public and private stakeholders."

"The National Cyber Exercise: Cyber Storm II successfully executed on March 10 -- 14, 2008 at player locations across the United States, as well as in international partner locations in Australia, Canada, New Zealand, and the United Kingdom. The Department of Homeland Security -- National Cyber Security Division (DHS -- NCSD) sponsored the exercise to improve the capabilities of the cyber incident response community, encourage the advancement of public-private partnerships within the critical infrastructure sectors, and strengthen the relationship between the federal government and its government partners at the state, local, and international levels. The primary goal of planning and executing Cyber Storm II was to provide the arena to examine the processes, procedures, tools, and organizations of the cyber response community in response to a multi-sector coordinated attack through, and on, the global cyber infrastructure. The exercise incorporated a wide spectrum of players representing 18 federal agencies, nine states, five countries, interagency coordination bodies, and over 40 private sector companies. The coordinated cyber attacks facilitated incident response from the technical, operational, and strategic perspectives. Cyber Storm simulated cyber attacks that were focused on critical infrastructure in the Information Technology (IT), Communications, Chemical, and Transportation (specifically Rail and Pipe) sectors and required action from foreign and domestic partners in the cyber response community. [...]. This Final Report is a consolidation of findings, observations, and participant inputs gathered throughout the planning and execution phases of Cyber Storm II. It represents the informational foundation for continuing efforts to assess how those findings translate into steps that DHS and the wider player community might take to improve national cyber security in the future."

"The National Cyber Exercise: Cyber Storm (CS) is the Department of Homeland Security's (DHS) capstone national-level cybersecurity exercise and represents the Nation's most extensive cybersecurity exercise effort of its kind. Cyber Storm is a Homeland Security Exercise and Evaluation Program (HSEEP) Tier II exercise focusing on federal strategy and policy. The Department's National Cyber Security Division (NCSD) sponsors the exercise to improve the capabilities of the cyber incident response community; encouraging the advancement of public--private partnerships within the critical infrastructure sectors and strengthening relationships between the Federal Government and partners at the state, local, and international levels. CS III included participation from 8 Cabinet-level departments, 13 states, 12 international partners, and approximately 60 private-sector companies and coordination bodies. Participation focused on the information technology (IT), communications, energy (electric), chemical, and transportation critical infrastructure sectors and incorporated various levels of play from other critical infrastructure sectors. Together, these entities participated in the design, execution, and post-exercise analysis of the largest, most comprehensive Government-led, full-scale cyber exercise to date. Participants exercised their ability to prepare for, protect from, and respond to cyber attacks and execute current national cybersecurity plans and capabilities. Players responded to simulated attacks according to established policies and procedures. No actual networks were targeted or affected during the exercise. Participants successfully executed CS III between September 27 and October 1, 2010, at player locations across the United States and internationally, with the main Exercise Control (ExCon) cell located at U.S. Secret Service (USSS) Headquarters in Washington, D.C."

"This report seeks to inform the development of Cyber Storm V (CS V) and to share lessons learned from Cyber Storm IV (CS IV). This report aggregates the After Action Reports (AAR) from each of the exercises conducted as part of the Department of Homeland Security's (DHS) CS IV Exercise Series. The report also provides a general overview of the series and a discussion of trends observed across the exercises. DHS is using the high-level findings and lessons learned from the series to inform the objectives and direction of CS V."

This is the April 14, 2016 hearing before the Subcommittee on Economic Development, Public Buildings, and Emergency Management of the Committee on Transportation and Infrastructure titled, "Blackout! Are We Prepared to Manage the Aftermath of a Cyber or Other Failure of the Electrical Grid?" From the background: "The electric grid is one of the Nation's most critical infrastructures. The bulk power system is a large, complex, and robust system of networked generation facilities, transmission and distribution lines, transformers and substations, and control and communication technologies which together, bring power to American homes and businesses […] Any of the grid elements can be damaged by natural events, such as severe storms or geomagnetic disturbances, as well as intentional, malicious events, such as cyber and physical security attacks. Incidents may disrupt the flow of power or reduce the reliability of the system. Several, if not all, of the other critical infrastructure sectors, are dependent on electric power. Simply put, a massive power outage could interfere with the everyday lives of millions of Americans." Statements, letters, and materials submitted for the record include those of the following: Craig Fugate, Patricia A. Hoffman, Caitlin A. Durkovich, Richard Campbell, Gerry W. Caulry, William H. Spence, and Bobbi J. Kilmer.

This is a testimony compilation of the October 21, 2015 hearing "Cybersecurity for Power Systems," held before the House Committee on Science, Space, and Technology. From the statement of Chairman Lamar Smith: "Today we will examine the ongoing efforts by federal agencies, the Department of Energy national labs and the private sector to protect Americans from cybersecurity threats to our power supply. This hearing also will explore solutions to combat the cyber threats identified in a Science Committee hearing held last month, which focused on the broader vulnerabilities of the American power supply. Cyber-attacks are a threat to our country and our citizens. Many Americans think the primary risks from cyber-attacks are only attempts to steal information, such as with the Office of Personnel Management attack earlier this year. However, the threat to America's power supply from these attacks increases every day. As we will hear from one of today's witnesses, a compromised electric grid is not a question of 'if' but 'when.' As cyber attackers become more sophisticated, it becomes more difficult for those who are vulnerable to protect themselves. Electric utilities must operate complex systems of power plants, transmission lines and distribution facilities, all interconnected through analogue and digital control systems." Statements, letters, and materials submitted for the record include those of the following: Brent Stacey, Bennett Gaines, Annabelle Lee, and Greg Wilshusen.

"In the past few years, we have seen significant breaches in cybersecurity which could affect critical U.S. infrastructure. Data on the nation's weakest dams, including those which could kill Americans if they failed, were stolen by a malicious intruder. Nuclear plants' confidential cybersecurity plans have been left unprotected. Blueprints for the technology undergirding the New York Stock Exchange were exposed to hackers. Examples like those underscore for many the importance of increased federal involvement in protecting the nation's privately-owned critical infrastructure. But for one thing: Those failures aren't due to poor practices by the private sector."

"The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation's security, economy, and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company's bottom line. It can drive up costs and impact revenue. It can harm an organization's ability to innovate and to gain and maintain customers. […] The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks -- different threats, different vulnerabilities, different risk tolerances -- and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks. The Framework is a living document and will continue to be updated and improved as industry provides feedback on implementation. As the Framework is put into practice, lessons learned will be integrated into future versions. This will ensure it is meeting the needs of critical infrastructure owners and operators in a dynamic and challenging environment of new threats, risks, and solutions. Use of this voluntary Framework is the next step to improve the cybersecurity of our Nation's critical infrastructure -- providing guidance for individual organizations, while increasing the cybersecurity posture of the Nation's critical infrastructure as a whole."

"Version 1.1 of this Cybersecurity Framework refines, clarifies, and enhances Version 1.0, which was issued in February 2014. It incorporates comments received on the two drafts of Version 1.1. [...] The United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation's security, economy, and public safety and health at risk. Similar to financial and reputational risks, cybersecurity risk affects a company's bottom line. It can drive up costs and affect revenue. It can harm an organization's ability to innovate and to gain and maintain customers. Cybersecurity can be an important and amplifying component of an organization's overall risk management. [...] The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization's risk management processes. The Framework consists of three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles."

"The purpose of this 'National Critical Infrastructure Security and Resilience Research and Development Plan' (hereafter referred to as the National CISR R&D Plan or the Plan) is to identify National R&D Priority Areas that inform R&D investments, promote innovation, and guide research activities across the critical infrastructure community. The critical infrastructure community includes public and private critical infrastructure owners and operators; Federal departments and agencies, including SSAs [Sector-Specific Agencies]; State, local, tribal, and territorial (SLTT) governments and regional entities; and other organizations from the private and non-profit sectors, including research and educational institutions and, in some cases, international partners and organizations. Future CISR R&D activities should be driven by continued collaborative efforts aimed at strengthening the security and resilience of critical infrastructure. Considering the essential connections that exist between the goods and services provided by critical infrastructure and the competitiveness and vitality of the national economy, this Plan highlights the need to consider the dynamic linkages among the interdependent infrastructure systems that underpin American society. This Plan recognizes the Nation's reliance on critical infrastructure, especially in urban areas, and promotes action to develop and deploy technologies and solutions to manage critical infrastructure risk at the local, regional, and national levels. By employing more localized, "place-based" strategies in addition to broader-scale programs at the regional and national levels, the critical infrastructure community can leverage redundancies in managing risk and improve the Nation's adaptability and resilience."

"Since the release of the last edition of the 'NIST [National Institute of Standards and Technology] Smart Grid Framework and Roadmap for Interoperability Standards (Release 2.0),' in February 2012, significant technological advances in smart grid infrastructure have been implemented, supported by standards development across the entire smart grid arena. Examples include widespread deployment of wireless-communication power meters, availability of customer energy usage data through the Green Button initiative, remote sensing for determining real-time transmission and distribution status, and protocols for electric vehicle charging. The first release of the 'NIST Framework and Roadmap for Smart Grid Interoperability Standards (Release 1.0)' was published in January 2010. Release 3.0 updates NIST's ongoing efforts to facilitate and coordinate smart grid interoperability standards development and smart grid-related measurement science and technology, including the evolving and continuing NIST relationship with the Smart Grid Interoperability Panel (SGIP) public-private partnership. Over the last decade, Congress and the Administration have outlined a vision for the smart grid and have laid the policy foundation upon which it is being built. The Energy Independence and Security Act of 2007 (EISA) codified the policy of the United States to modernize the nation's electricity transmission and distribution system to create a smart electric grid." Release 1.0 is available in the HSDL database: https://www.hsdl.org/?abstract&did=30051. Release 2.0 is available in the HSDL database: https://www.hsdl.org/?abstract&did=701565.

"Cyberattacks and intrusions targeting U.S. electric utilities have been reported, though no lasting damage--physical, cyber-physical, or otherwise--has been observed. Without precedent, it is very difficult to predict the impacts to the country of a prolonged power outage from a significant cyber incident, which remains a significant gap for the intelligence community, industry, and subject matter experts. Mitigating this gap will require detailed knowledge of the capabilities of the adversary, the real-time technical conditions of the grid and electricity markets, the behavioral responses of the operators of multiple systems and their customers, as well as tens if not hundreds of additional variables. In both government and private industry, U.S. electricity subsector stakeholders perform regular assessments, exercises, and information sharing and coordination plans of general and specific responses to significant cyber incidents. As part of this overall coordinated effort, Executive Order 13800 on 'Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure' called for an Assessment of Electricity Disruption Incident Response Capabilities. The terms 'electric grid', 'the grid', and 'electricity system' are used interchangeably throughout this report. Presidential Policy Directive 41 defines a significant cyber incident as a cyber incident that is (or group of related cyber incidents) likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people."

"Supervisory Control and Data Acquisition (SCADA) systems collect information from sensors and actuators about some physical environment and provide an operator interface which allows control and reporting. The physical environment could be a power plant, power-distribution network, water-treatment plant, manufacturing floor, petroleum refinery, or any other physical environment that requires control and data acquisition. As early as 1999 the European Organization for Nuclear Research was looking into using a SCADA system to control a laboratory environment. As late as 2009 Aydogmus and Aydogmus discussed the use of a SCADA system to allow students to remotely interact with a laboratory supporting distance learning. The data acquired may be operationally oriented and used to better run the system, or it could be strategic in nature and used to better run the company. SCADA systems play a critical role in the foundation of modern society, and there is a large body of work dedicated to defending these systems from cyber attack. The purpose of this report is to survey and summerize that work. In Section 2, this report reviews the basic components of a SCADA architecture. In Section 3, it reviews the impacts of some famous failures in SCADA systems. In Section 4, this report discusses the shared and unique vulnerabilities of SCADA systems. In Section 5, it reviews the countermeasures that are currently in place to protect SCADA systems. In Section 6, the report provides some concluding insight into the current research being done to defend SCADA systems."

From the thesis abstract: "Following the 9/11 terror attacks, the Department of Homeland Security (DHS) was mandated to ensure the security of the nation's cyber-supported critical infrastructure, which is predominantly privately owned and outside of the control of the U.S. government. This thesis examines the development of the government's cyber-security policies and primary operational entities through their lawful authorities and capabilities. The thesis also examines and contrasts the effectiveness of DHS's technology-centric, cyber-security approach, the deterrent effect realized through law enforcement cyber operations, and the suitability and effectiveness of the utilization of military or intelligence agencies, specifically the FBI, National Security Agency or Department of Defense, to fulfill the nation's domestic cyber-security mission. Evidence suggests that DHS has consistently chosen to devote disproportionate budgetary resources to develop defensive technologies of questionable effectiveness, initiate redundant information-sharing programs, and develop cyber incidence response teams while not fully utilizing the U.S. Secret Service's legal authorities and capabilities in furtherance of the department's mission. Recommendations are offered to develop a whole-of-government cyber-security policy for an effective, integrated, cyber-security operation through the utilization of agency-specific authorities and capabilities, while protecting our nation's critical infrastructure and our citizens' civil liberties."

From the thesis abstract: "In June 2012, the worldwide cyber security landscape changed when the presence of a new and sophisticated malware, later dubbed 'Stuxnet,' was discovered in the computers of an Iranian nuclear facility. The malware was a cyber weapon, programmed to destroy the industrial machinery utilized for uranium enrichment. Stuxnet was soon dissected and diagnosed as a pioneering and politically motivated cyber attack that successfully infiltrated a high-security, government-run critical infrastructure and destroyed its physical property with computer code. The potential consequences of a similar attack on vulnerable U.S. critical infrastructures could be devastating. This thesis begins with a review of the evolution of U.S. policy related to the cyber defense of critical infrastructures. It then examines the critical infrastructure sectors within the United States, its dependency on computer technology, and the potential consequences of cyber attacks. A detailed case study of the Stuxnet attack follows, along with an analysis of the lessons learned from Stuxnet. The thesis concludes with specific policy improvement recommendations for the United States under three major themes: enhancing national unity of effort, expansion of cyber security coordination between the private and government sectors, and incentivizing private-sector compliance with best practices in cyber security."

"The Office of Cybersecurity and Communications (CS&C), within the National Protection and Programs Directorate, is responsible for enhancing the security, resilience, and reliability of the Nation's cyber and communications infrastructure. CS&C works to prevent or minimize disruptions to critical information infrastructure in order to protect the public, the economy, and government services. CS&C leads efforts to protect the federal '.gov' domain of civilian government networks and to collaborate with the private sector--the '.com' domain--to increase the security of critical networks. In addition, the National Cybersecurity and Communications Integration Center (NCCIC) serves as a 24/7 cyber monitoring, incident response, and management center and as a national point of cyber and communications incident integration. As the Sector-Specific Agency for the Communications and Information Technology (IT) sectors, CS&C coordinates national-level reporting that is consistent with the National Response Framework (NRF). Congress created the Office of the Assistant Secretary for Cybersecurity and Communications in 2006. CS&C carries out its mission through its five divisions: The Office of Emergency Communications (OEC); The National Cybersecurity and Communications Integration Center (NCCIC); Stakeholder Engagement and Cyber Infrastructure Resilience (SECIR); Federal Network Resilience (FNR); and Network Security Deployment (NSD). In addition, CS&C operates the Enterprise Performance Management Office, which ensures that the Assistant Secretary's strategic goals and priorities are reflected across all CS&C programs; measures the effectiveness of initiatives, programs, and projects that support those goals and priorities; and facilitates cross-functional mission coordination and implementation between CS&C components, within DHS, and among the interagency."

"The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation's Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. US-CERT is charged with protecting our nation's Internet infrastructure by coordinating defense against and response to cyber attacks. US-CERT is responsible for: analyzing and reducing cyber threats and vulnerabilities; disseminating cyber threat warning information; and coordinating incident response activities. US-CERT interacts with federal agencies, industry, the research community, state and local governments, and others to disseminate reasoned and actionable cyber security information to the public. US-CERT also provides a way for citizens, businesses, and other institutions to communicate and coordinate directly with the United States government about cyber security."