Critical Infrastructure: Control Systems and the Terrorist Threat

r systems involved in this infrastructure are specific points
of vulnerability, as cyber-security for these systems has not been perceived as a high
priority. Industries potentially affected by a cyber-attack on industrial control
systems include the electrical, telephone, water, chemical and energy sectors.
The federal government has issued a warning regarding an increase in terrorist
interest in the cyber-security of industrial control systems, citing both interest by
international terrorist organizations in critical infrastructure and increases in cyber-
attack on critical infrastructure computer systems. The potential consequences of a
successful cyber-attack on critical infrastructure industrial control systems could be
high, ranging from a temporary loss of service to catastrophic infrastructure failure
affecting multiple states for an extended duration.
The National Strategy for Securing Cyberspace was released and contained a
number of suggestions regarding security measures for control systems. A focus on
the further integration of public/private partnerships and information sharing is
described, along with suggestions that standards for securing control systems be
developed and implemented.
Possible policy options for congressional consideration include further
development of uniform standards for infrastructure cyber-protection, growth in
research into encryption methods for industrial control systems, assessing the
effectiveness of the new exemptions to the Freedom of Information Act and the
integration of previous offices in the new Department of Homeland Security.

Contents

Introduction ........ 1
Current Industrial Control System Vulnerability ........ 2
The Magnitude of the Terrorist Threat ........ 6
Potential Consequences of a Terrorist Attack ........ 8
Current Initiatives ........ 9
Policy Options ........ 13
This report was prepared under the general supervision of Glenn McLoughlin,
Specialist, Resources, Science and Industry Division, Congressional Research
Service.

[1] Presidential Commission on Critical Infrastructure Protection, Critical Foundations:
Protecting America's Infrastructures, October, 1997.
[2] National Research Council, Making the Nation Safer: The Role of Science and Technology
in Countering Terrorism, June, 2002.
[3] Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept
and Obstruct Terrorism (USA PATRIOT) Act, P.L. 107-56, Title X, Section 1016.
Introduction
This report addresses the cyber-vulnerability of critical infrastructure industries
which regularly use industrial control systems. Industrial control systems may be
vulnerable to infiltration by different routes, including wireless transmission, direct
access to control system computers, exploitation of dial-up modems used for
maintenance, or through the Internet. This report will specifically discuss the
potential for access to industrial control systems through the Internet.
The vulnerability of U.S. critical infrastructure to cyber-attack and catastrophic
failure was brought to light in 1997 in the report of the President's Commission on
Critical Infrastructure Protection.[1] Among other concerns, the computer systems
used to remotely control process equipment were highlighted as specific points of
vulnerability. These systems were updated during the Y2K crisis, but their
cyber-security has not generally been a high priority. The events of September 11,
2001 have heightened the public awareness of the nation's vulnerability to terrorist
attack, and a recent National Research Council report has identified the potential for
attack on control systems as requiring urgent attention.[2]

Critical infrastructure is defined in the USA PATRIOT Act as "those systems
and assets, whether physical or virtual, so vital to the United States that the
incapacity or destruction of such systems and assets would have a debilitating impact
on security, national economic security, national public health or safety, or any
combination of those matters."[3]
Several industry sectors considered to be critical
infrastructures use industrial control systems in their daily activities. These
industries could be significantly affected by a cyber-attack targeting industrial control
systems such as supervisory control and data acquisition (SCADA) systems,
distributed control systems, and others. The President's Commission on Critical
Infrastructure Protection report stated,

From the cyber perspective, SCADA systems offer some of the most attractive
targets to disgruntled insiders and saboteurs intent on triggering a catastrophic
event. With the exponential growth of information system networks that
interconnect the business, administrative, and operational systems, significant
disruption would result if an intruder were able to access a SCADA system and
modify the data used for operational decisions, or modify programs that control
critical industry equipment or the data reported to control centers.[4]

[4] Presidential Commission on Critical Infrastructure Protection, Critical Foundations:
Protecting America's Infrastructures, October, 1997.
Current Industrial Control System Vulnerability
Industrial control systems can include supervisory control and data acquisition
systems, distributed control systems (DCS), and programmable logic controllers
(PLC). SCADA systems are primarily software toolkits for building industrial
control systems. These systems are often used for remote monitoring and sending
commands to valves and switches. For example, they can be found in water utilities
and oil pipelines, where they monitor flow rates and pressures. Based on the data
that these systems provide, computer programs or operators at a central control center
balance the flow of material using industrial control systems to activate valves and
regulators. Generally, SCADA systems process little data internally, instead
performing analysis in a more central location, but are the primary conduits for raw
data in and commands out of a control center. They are vulnerable to implantation
of faulty data and to remote access through dial-up modems used for maintenance.
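The SCADA data path just described, raw readings in and commands out with little local analysis, is where implanted faulty data would first have to be caught: before it reaches the operators or programs that balance flows on the basis of it. The following is an added example, not from the report or from any vendor, of the kind of plausibility screening a control center can apply to incoming telemetry. The site names, tag names, engineering limits and the readings themselves are all constructed for illustration; it flags values outside the physical range of the instrument, jumps faster than the process can change, non-increasing timestamps, points the center does not expect, and a mass-balance mismatch between what one pipeline station reports sending and the next reports receiving.

```python
"""Plausibility screening for SCADA telemetry arriving at a control center.

All sites, tags, limits and readings below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Point = Tuple[str, str]  # (site, tag)


@dataclass(frozen=True)
class Limits:
    low: float       # lowest value the instrument/process can physically produce
    high: float      # highest value it can physically produce
    max_rate: float  # largest plausible change per second


@dataclass(frozen=True)
class Reading:
    site: str
    tag: str
    value: float
    ts: int          # seconds since the start of the constructed capture


# Constructed engineering limits for two hypothetical pipeline stations.
LIMITS: Dict[Point, Limits] = {
    ("station_A", "pressure"): Limits(10.0, 90.0, 0.5),      # bar, bar/s
    ("station_A", "flow_rate"): Limits(0.0, 2000.0, 20.0),   # m3/h, (m3/h)/s
    ("station_B", "flow_rate"): Limits(0.0, 2000.0, 20.0),
}


class TelemetryValidator:
    """Per-point checks; a reading that fails is not used as the new baseline."""

    def __init__(self, limits: Dict[Point, Limits]) -> None:
        self.limits = limits
        self.last: Dict[Point, Reading] = {}  # last accepted reading per point

    def check(self, r: Reading) -> Optional[str]:
        """Return None if the reading is plausible, otherwise a short reason."""
        key = (r.site, r.tag)
        lim = self.limits.get(key)
        if lim is None:
            return "unexpected point"
        if not lim.low <= r.value <= lim.high:
            return f"outside physical range {lim.low:g}..{lim.high:g}"
        prev = self.last.get(key)
        if prev is not None:
            dt = r.ts - prev.ts
            if dt <= 0:
                return "timestamp not increasing"
            allowed = lim.max_rate * dt
            jump = abs(r.value - prev.value)
            if jump > allowed:
                return f"jump of {jump:g} exceeds {allowed:g} in {dt}s"
        self.last[key] = r
        return None

    def screen(self, stream: List[Reading]) -> List[Tuple[Reading, str]]:
        """Run every reading through check() and collect the rejected ones."""
        flagged = []
        for r in stream:
            why = self.check(r)
            if why is not None:
                flagged.append((r, why))
        return flagged


def balance_check(inflow: float, outflow: float, tolerance: float) -> Optional[str]:
    """Cross-site check: what station_A sends should arrive at station_B."""
    diff = abs(inflow - outflow)
    return f"flow imbalance {diff:g} exceeds {tolerance:g}" if diff > tolerance else None


# Constructed telemetry stream; comments say what each line is meant to exercise.
SAMPLE: List[Reading] = [
    Reading("station_A", "pressure", 52.0, 0),
    Reading("station_A", "flow_rate", 1200.0, 0),
    Reading("station_B", "flow_rate", 1195.0, 0),
    Reading("station_A", "pressure", 53.1, 10),   # plausible drift
    Reading("station_A", "pressure", 20.0, 20),   # in range, but 33 bar lost in 10 s
    Reading("station_A", "pressure", 95.0, 30),   # more than the line can hold
    Reading("station_A", "pressure", 54.0, 5),    # arrives with an older timestamp
    Reading("station_C", "pressure", 50.0, 40),   # a site the center does not know
    Reading("station_A", "flow_rate", 1210.0, 60),
    Reading("station_B", "flow_rate", 600.0, 60), # each value plausible alone, not together
]


def run_demo() -> List[Tuple[str, str, int, str]]:
    """Screen SAMPLE and return (site, tag, ts, reason) for everything flagged."""
    v = TelemetryValidator(LIMITS)
    out = [(r.site, r.tag, r.ts, why) for r, why in v.screen(SAMPLE)]
    a, b = v.last[("station_A", "flow_rate")], v.last[("station_B", "flow_rate")]
    why = balance_check(a.value, b.value, tolerance=50.0)
    if why is not None:
        out.append(("station_A/station_B", "flow_rate", max(a.ts, b.ts), why))
    return out


if __name__ == "__main__":
    for site, tag, ts, why in run_demo():
        print(f"t={ts:>3}s {site:<20} {tag:<10} {why}")
```

The range and rate limits come from the physics of the installation rather than from the data itself, which is the point: a value that looks like ordinary telemetry can still be impossible for that pipe. The cross-site balance check catches the case the per-point checks cannot, where each reading is individually plausible but the two together are not.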
Distributed control systems are process control systems where hardware and
software components are often provided by a single vendor. These process control
systems are commonly deployed in a single manufacturing or production complex,
and perform a higher level of internal data processing. DCS generally send
processed information to, or receive a series of commands from, a control center. An example
might occur within a chemical plant, where a DCS might simultaneously monitor the
temperature of a series of reactors and control the rate at which reactants were mixed
together, while performing real time process optimization and reporting the progress
of the reaction. An attack targeting DCS might cause extensive damage at a single
facility, but would be unlikely to affect more than a single site.
Programmable logic controllers are devices used to automate monitoring and
control of industrial plants, and are generally used within a manufacturing facility.
They tend to provide little external information, and do the majority of their data
processing internally. Programmable logic controllers can control as little as a single
machine to as much as an entire manufacturing facility. An automated assembly line
can consist of a series of PLCs, with each machine on the assembly line
performing a distinct job. An attack targeting PLCs might cause significant turmoil
at a single location, but the extent of the damage would depend on both the PLC's
size and connectivity.
These process control systems can be interconnected within a single industry as
well. As an example, the oil and gas infrastructures contain both processing and
refining sites, as well as holding facilities and distribution systems. Refining and
processing sites may utilize DCS, controlling the different refining steps via PLCs.
The distribution and holding facilities might be managed by a SCADA system which
collected data from and issued commands to the different sites from a single
location.[5]

[5] This example was taken from IT Security for Industrial Control Systems by Joe Falco,
Keith Stouffer, Albert Wavering and Frederick Proctor, Intelligent Systems Division,
National Institute of Standards and Technology.
[6] Scott Berinato, The Truth about Cyberterrorism, CIO Magazine, Vol. 15, No. 11, March
15, 2002.
Industrial control system technologies are often employed in critical
infrastructure industries to allow a single control center to manage multiple sites.
Industrial control systems were originally implemented as isolated, separate
networks. They were viewed as secure systems which protected remote locations
from being physically broken into and mistreated. For example, the establishment
of remote control systems in dams was believed to protect against unlawful release
of the dammed water, as no hand-operable valves and switches were accessible.[6]
Networking industrial control systems on a greater scale has led to i