Skip to main content

Lights out? Cyber Threats to DOD Utilities

Posted on October 14, 2015

Nobody likes being in the dark. Some people invest in a generator or at least some candles for the occasional outage. But what if you’re the Department of Defense, and instead of bad weather knocking out the water or power, it’s a hack? For Cybersecurity Awareness Month, read on for what DOD is doing to protect its utilities from cyberattacks.

Power up

DOD has more than 500 major installations at home and abroad. These bases and other installations need reliable supplies of electricity, water, natural gas, and other utilities.
Industrial control systems help provide utilities when and where they’re needed. These are computer-controlled electromechanical systems that can, for example, open and close electrical switches and valves to operate heating and cooling systems.

According to DOD, these systems have become increasingly networked and interconnected with other DOD networks. While efficient, this puts them at risk of cyber intrusion or attack.

GAO-15-749 fig. 7(Excerpted from GAO-15-749)

Shut down

Given the breadth of DOD’s utility systems, cyberattacks can do more than turn off the lights. According to officials from U.S. Cyber Command, a cyberattack on an industrial control system could destroy infrastructure.

How? Check out this video of a staged cyberattack conducted by the Department of Homeland Security and Idaho National Laboratory in 2007. It shows how a hack into the industrial control system of a diesel generator could cause it to self-destruct.

Power Outages on Military Bases

Description

Utility systems on military bases could be vulnerable to cyber threats. Footage beginning at :54 and onward provided by DHS and DOE.

While the video shows a staged attack, these cyber threats are real. For example, energy, and water and wastewater sectors have reported multiple cyber incidents on their industrial control systems.

GAO-15-749 fig. 1 (Excerpted from GAO-15-749)

Keep out

DOD has updated its guidance to help keep cyber threats to its industrial control systems at bay, and the military services have taken steps to implement that guidance.
However, the services face 3 challenges as they work toward implementation:

  1. Having a complete inventory of DOD industrial control systems. As of February 2015, none of the military services had such an inventory.
  2. Finding personnel with experience in both operating and maintaining industrial control systems and cybersecurity.
  3. Identifying funding to update current systems to the new cybersecurity standards and provide training, among other things. Officials from the Navy estimated the service would need “billions of dollars” for this over the next 10 to 20 years.

To help DOD avoid risks from delaying implementation of the guidance, we made multiple recommendations that DOD agreed with.


GAO Contacts

BL
Brian Lepore

Related Products

About Watchblog

GAO's mission is to provide Congress with fact-based, nonpartisan information that can help improve federal government performance and ensure accountability for the benefit of the American people. GAO launched its WatchBlog in January, 2014, as part of its continuing effort to reach its audiences—Congress and the American people—where they are currently looking for information.

The blog format allows GAO to provide a little more context about its work than it can offer on its other social media platforms. Posts will tie GAO work to current events and the news; show how GAO’s work is affecting agencies or legislation; highlight reports, testimonies, and issue areas where GAO does work; and provide information about GAO itself, among other things.

Please send any feedback on GAO's WatchBlog to blog@gao.gov.