recommended reading

Watchdog: Water, Power on Pentagon Installations Need Better Protection Planning

Flickr user Michael Baird

The Pentagon's current planning system doesn't adequately protect its water and electrical infrastructure from attack, a new report says. 

The Government Accountability Office's examination of the Defense Department's utility disruptions -- when its water, power and other resources were affected for eight hours more -- suggest the organization must rethink its outage reporting, the watchdog said

In GAO's examination of 20 installations, 18 reported experiencing such disruptions. But many made incomplete or inaccurate reports, GAO said. 

For instance, in the 2012 and 2013 fiscal years, the Army did not report at least four disruptions to its utilities systems, including a water main break at Camp Darby, Italy, which affected potable water for about one week. In 2012, the Navy and Marine Corps did not report at least eight incidents, including electrical disruptions caused by the Derecho storm. 

Utilities disruptions could cost DOD significant resources, the report said. Hurricane Sandy in 2012 damaged the potable and wastewater infrastructure at a pier in New Jersey for about a month, until a temporary contract for utility service was issued for about $2.8 million. The storm damage required about $26 million in repair costs, the report said.

Better reporting on utilities disruptions could help DOD defend against cyberthreats and climate events such as storms, GAO said. These might affect the opening and closing of electrical switches, valves for water pipes, and heating for building, among other functions. 

But in its investigation, the watchdog found that even the submitted reports contained inaccuracies. Many of those lacked start times or end times, so decision-makers weren't always sure how long the incident lasted. 

Improving incident reporting is especially important as cyberthreats increase, the report said.

According to the report, Cyber Command officials told GAO cyberthreats could include removing data from a utility system, inserting data that could "corrupt the monitoring and control of utility infrastructure," (the report pointed to water chiller controllers as potential targets), or using cyberattacks to physically destroying the systems -- such as the 2010 Stuxnet virus dispatched to attack Iranian centrifuges, the report said. 

DOD also currently has a five-month process for collecting data and reporting on the disruptions, the report said. 

The report noted the current "time and rigor" employees can "commit to reviewing the disruption data are limited, which could affect their comprehensiveness and accuracy."

Without accurate data, "decision-makers in DOD may be hindered in their ability to plan effectively" for utility disruptions, GAO said. "Congress may have limited oversight of the challenges these disruptions pose," the report stated. 

Specifically, such analysis might help decision-makers decide which type of backup infrastructure to buy -- if the average disruption for a system lasts a couple of days, individual generators might be a better option than natural gas powered plants, which might be set up on installations where disruptions could last seven days or more. 

GAO recommended DOD clarify the reporting guidelines it gives to officials at installations.

For instance, "headquarters officials from both the Marine Corps and Air Force stated that they provided verbal guidance to their installations to submit disruptions only if the disruptions met service-specific criteria different than those stipulated in DOD’s data collection template," GAO found. 

The watchdog recommended military services should "clearly state that all disruptions lasting 8 hours or longer should be reported, regardless of the disruptions’ impact or mitigation," and clarify that electrical, natural gas, potable water and wastewater disruptions be reported, as well as all disruptions caused by DOD-owned utility infrastructure.

According to comments provided in the report, DOD partially concurred with the first two recommendations, but disagreed with the third, referring to reporting on all these incidents as "onerous" and a "low-value proposition."

Threatwatch Alert

Misplaced data

More Than 30 Million South Africans’ Personal Info Published to Public Internet

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov