Last month's blackout in parts of the United States and Canada proved that the nation's critical infrastructures are interdependent, but just how connected they are and what ripple effects could occur after wide-scale damage to any one of them is uncertain, panelists told a House Homeland Security Subcommittee on Thursday.
"Understanding that the number of critical infrastructure targets is so vast and facilities spread so widely that no system can be perfect, the structure of private and government entities acting in coordination will also provide an effective response in the unfortunate event an attack occurs," FBI Executive Assistant Director Larry Mefford told the Cybersecurity, Science, and Research and Development Subcommittee.
But other panelists said the information that the government needs to achieve such coordination is not available.
Neither Mefford nor Cofer Black, the counter-terrorism coordinator at the State Department, could identify how great a threat remote computer attacks pose to the power grid, water-treatment plants or nuclear facilities. Committee Chairman Christopher Cox, R-Calif., asked whether upgraded systems are more vulnerable because their computer codes are more easily hacked than past systems, but neither official knew the answer.
Paul Gilbert, former chairman of a National Research Council panel that studied the safety of energy systems, is concerned about upgraded systems in the energy sector. To reduce operating costs and create efficiency, many companies have installed cyber controllers to do jobs previously done by people, he said.
"These open-architecture cyber units are an invitation for those who would seek to use computer technology to attack the grid," Gilbert said.
While studies of the electrical grid have been done, much less is known about other critical infrastructures such as telecommunications, which is one of the most critical, panelists said.
All sectors of the economy put telecommunications as first or second on the list of sectors upon which they depend most, said Kenneth Watson, president and chairman of the Partnership for Critical Infrastructure Security. But the necessary modeling and simulation work to assess vulnerabilities and how to address problems simply has not been done, he said, and it will take years and billions of dollars to do so.
For example, it would cost $270 million to $360 million and up to two years to model the telecommunications sector alone, he said. "Multiply that by 12 sectors, and then you can start on the cross-sector interdependency modeling," Gilbert added.
Strong coordination among industry, national laboratories and government agencies is necessary to understand the problem, Gilbert said, but much of the information needed to create the models may be proprietary, and that problem also must be addressed, he added.