Mission-Critical Systems Still Vulnerable to Attacks

The nation's electrical power grids, dams, nuclear power plants and other critical infrastructure systems remain vulnerable to cyber attacks (search), and members of Congress say the apparent lack of organization within the Department of Homeland Security may be to blame.

The so-called Supervisory Control and Data Acquisition network (SCADA) that controls facilities such as nuclear power plants are electronic, which means it can be turned against itself by hackers and used to not only damage the economy but hurt and kill citizens, as well, some security experts told a joint meeting of two House Homeland Security subcommittees this week.

And the Sept. 11, 2001, attacks hit home the message even more that the computer-based controls to such vital systems must be carefully protected.

"It's four years later and we are no further down the line," Rep. Bill Pascrell, D-N.J., said Tuesday while questioning Andy Purdy Jr., acting director of the Homeland Security Department's National Cyber Security Division, during the hearing. "We're not prepared. You know it; I know it."

Alan Paller, the research director for the SANS Institute in Bethesda, Md., which specializes in cyber-security training, told FOXNews.com on Wednesday that protecting SCADA is a major concern. Systems are not only vulnerable to attacks through their non-Internet-based control systems, he said, but other, outdated control systems, as well.

"They're designed to be managed remotely and the remote management is not authenticated, meaning you don't know who's managing it," Paller said.

Lawmakers are criticizing the Bush administration for missing deadlines and assigning only two full-time officials to the task of protecting the remote systems.

Some committee members said efforts to protect against cyber attacks are progressing too slowly and said the apparent lack of continuity inside DHS (search), which was formed in 2003, is compounding the problem.

"So we are in complete disarray?" asked Rep. Sheila Jackson Lee, D-Texas.

Not quite, according to Purdy, but, "We're in a little bit of a transition period."

Pascrell compared the cyber-security preparedness to that of DHS for Hurricane Katrina (search) after Purdy said his office had only two full-time government employees and 35 contract workers dedicated to working on the SCADA problem.

Attacking a number of missed deadlines for one plan that has yet to be released, Pascrell said, "the plan remains incomplete today. ... This is unconscionable. ... I don't think you have the experts to meet deadlines."

Purdy told the committee the National Infrastructure Protection Plan (search) — which Pascrell was questioning — that has been due for nearly two years to protect the mission-critical systems will finally be presented after the first of the year.

He also said his small office is getting on its feet and is holding workshops and coordinating with national security labs, businesses and universities to make sure "malicious actors" can't easily get hold of good tools on the Internet with which they would be able to attack control systems.

"We are proud of the progress we have made," Purdy said.

Purdy has been in charge of the office since October 2004 but is scheduled to be replaced by a yet-unknown person under a plan outlined by Homeland Security Secretary Michael Chertoff (search) earlier this year. The organizational structure of the National Cyber Security Division may be affected by the plan, he said.

In July, Chertoff said an Assistant Secretary for Cyber and Telecommunications position would be created to coordinate efforts to protect technological infrastructure.

Jackson Lee said that was no excuse.

"It is almost incomprehensible what you said. ... We are in disarray and we are dangerously in disarray in an important area," she said.

Samuel Varnado, a top scientist at Sandia National Laboratories in New Mexico, said his group has proved that major Internet-based and older systems are vulnerable to attacks by terrorists and recommended continued public-private partnerships; an increase in funding for cyber-security technology research and development; focusing more work to defend against attacks; and continued funneling of federal money to follow up on key national plans.

Paller, who also testified Tuesday, told FOXNews.com that the biggest problem facing the nation lies in who is in charge of deciding what is secure and what is not.

The companies creating the protection software are in charge of deciding what's "safe," but Paller argued that it should instead be the product users who decide how effective those safety nets are. And no plan can work until that happens, he added.

"It doesn't matter what the government says it's going to do because the government can't do anything as long as the vendors are driving the dialogue."

The Associated Press contributed to this report.