Skip to main content

Defense Infrastructure: Improvements in DOD Reporting and Cybersecurity Implementation Needed to Enhance Utility Resilience Planning

GAO-15-749 Published: Jul 23, 2015. Publicly Released: Jul 23, 2015.
Jump To:
Skip to Highlights

Highlights

What GAO Found

Department of Defense (DOD) installations have experienced utility disruptions resulting in operational and fiscal impacts due to hazards such as mechanical failure and extreme weather. Threats, such as cyber attacks, also have the potential to cause disruptions. In its June 2014 Annual Energy Management Report (Energy Report) to Congress, DOD reported 180 utility disruptions lasting 8 hours or longer, with an average financial impact of about $220,000 per day, for fiscal year 2013. Installation officials provided specific examples to GAO, such as at Naval Weapons Station Earle, New Jersey, where in 2012, Hurricane Sandy's storm surge destroyed utility infrastructure, disrupting potable and wastewater service and resulting in almost $26 million in estimated repair costs. DOD officials also cited examples of physical and cyber threats, such as the “Stuxnet” computer virus that attacked the Iranian nuclear program in 2010 by destroying centrifuges, noting that similar threats could affect DOD installations.

DOD's collection and reporting of utility disruption data is not comprehensive and contains inaccuracies, because not all types and instances of utility disruptions have been reported and there are inaccuracies in reporting of disruptions' duration and cost. Specifically, in the data call for the Energy Reports, officials stated that DOD installations are not reporting all disruptions that meet the DOD criteria of commercial utility service disruptions lasting 8 hours or longer. This is likely due, in part, to military service guidance that differs from instructions for DOD's data collection template. In its Energy Reports, DOD is also not including information on disruptions to DOD-owned utility infrastructure. There also were inaccuracies in the reported data. For instance, $4.63 million of the $7 million in costs reported by DOD in its June 2013 Energy Report were indirect costs, such as lost productivity, although DOD has directed that such costs not be reported. Officials responsible for compiling the Energy Report noted that utility disruption data constitutes a small part of the report and they have limited time to validate data. However, without collecting and reporting complete and accurate data, decision makers in DOD may be hindered in their ability to plan effectively for mitigating against utility disruptions and enhance utility resilience, and Congress may have limited oversight of the challenges these disruptions pose.

Military services have taken actions to mitigate risks posed by utility disruptions and are generally taking steps in response to DOD guidance related to utility resilience. For example, installations have backup generators and have conducted vulnerability assessments of their utility systems. Also, DOD is in the planning stages of implementing new cybersecurity guidance, by March 2018, to protect its industrial control systems (ICS), which are computer-controlled systems that monitor or operate physical utility infrastructure. Each of the military services has working groups in place to plan for implementing this guidance. However, the services face three implementation challenges: inventorying their installations' ICS, ensuring personnel with expertise in both ICS and cybersecurity are trained and in place, and programming and identifying funding for implementation. For example, as of February 2015, none of the services had a complete inventory of ICS on their installations. Without overcoming these challenges, DOD's ICS may be vulnerable to cyber incidents that could degrade operations and negatively impact missions.

Why GAO Did This Study

Continuity of operations at DOD installations is vital to supporting the department's missions, and the disruption of utility services—such as electricity and potable water, among others—can threaten this support. House Report 113-446 included a provision that GAO review DOD's and the military services' actions to ensure mission capability in the event of disruptions to utility services. This report addresses (1) whether threats and hazards have caused utility disruptions on DOD installations and, if so, what impacts they have had; (2) the extent to which DOD's collection and reporting on utility disruptions is comprehensive and accurate; and (3) the extent to which DOD has taken actions and developed and implemented guidance to mitigate risks to operations at its installations in the event of utility disruption. For this review, GAO evaluated DOD guidance and policies, interviewed appropriate officials, and visited or contacted 20 installations within and outside the continental United States, selected based on criteria to include those experiencing multiple disruptions, disruptions of more than one type of utility, and each military service.

Recommendations

GAO recommends that DOD work with the services to clarify utility disruption reporting guidance, improve data validation steps, and address challenges to addressing cybersecurity ICS guidance. DOD concurred or partially concurred with all but one recommendation and disagreed with some of GAO's analysis. GAO believes the recommendations and analysis are valid as discussed in the report.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Defense In order to provide DOD and Congress with more comprehensive and accurate information on all types of utility disruptions, the Secretary of Defense should direct the Secretaries of the Army, Navy, and Air Force; the Commandant of the Marine Corps; and the Assistant Secretary of Defense for Energy, Installations and Environment to provide more consistent guidance to the installations. The military services should clearly state that all disruptions lasting 8 hours or longer should be reported, regardless of the disruptions' impact or mitigation. In addition, the military services and the Office of the Secretary of Defense (OSD) should work together to revise the data collection template's instructions, clarifying that disruptions in all four categories of utility service--electrical, potable water, wastewater, and natural gas--should be reported.
Closed – Implemented
DOD concurred with our first recommendation to provide more consistent guidance regarding utility disruption reporting to the installations for the Annual Energy Management Report. In August 2015, DOD issued revised guidance which states that the military services should report utility outages from external, commercial utility sources and that last or exceed 8 hours duration on the installation, regardless of the disruptions' impact or installation mitigation efforts. Further, DOD revised its data collection template to specifically include the 4 types of utilities, electrical, potable water, wastewater, and natural gas, in a dropdown menu so that users can use it to select the category of utility service that was disrupted. As a result, DOD implemented the GAO recommendation.
Department of Defense In order to provide DOD and Congress with more comprehensive and accurate information on all types of utility disruptions, the Secretary of Defense should direct the Secretaries of the Army, Navy, and Air Force; the Commandant of the Marine Corps; and the Assistant Secretary of Defense for Energy, Installations and Environment to provide more consistent guidance to the installations. The military services and OSD should revise the data collection template's instructions to include reporting of disruptions caused by DOD-owned utility infrastructure.
Closed – Implemented
DOD stated that it did not concur with our recommendation to revise the data collection template's instructions to include reporting of disruptions caused by DOD-owned infrastructure. On November 25, 2015, the fiscal year 2015 National Defense Authorization Act was signed into law and it included an amendment to the reporting requirement for DOD's Annual Energy Management Report. The amendment clarified reporting requirements and added a reporting requirement to include non-commercial utility outages involving DOD-owned infrastructure. As a result of Congressional Action, the intent of the recommendation has been met.
Department of Defense In order to improve the comprehensiveness and accuracy of certain data submitted by the military services to OSD and reported in the Energy Reports--such as potentially underreported data on mitigation costs and inaccurate data on both disruptions' duration and cost--the Secretary of Defense should direct the Secretaries of Army, Navy, and Air Force, the Commandant of the Marine Corps, and the Assistant Secretary of Defense for Energy, Installations and Environment to work together to improve the effectiveness of data validation steps in DOD's process for collecting and reporting utilities disruption data. For example, the military services and OSD could determine whether more time in the 5-month process should be devoted to data validation and whether equal priority should be given to validating all types of data included in the Energy Reports.
Closed – Implemented
In July 2019, OSD noted that minimizing data input errors from users was the most effective way to improve data quality. To help facilitate improved data quality, OSD made changes to both the utility disruption data collection template and the reporting guidance. Specifically, OSD made modifications to standardize multiple input cells in the fiscal year 2015 data collection template because OSD and the services determined that focusing on the minimization of data input errors at the military installation level was the most effective strategy to improve the effectiveness of data validation. For example, OSD's revised data collection template for utility disruptions specifies how to enter in the start and end times to disruptions and then calculates the duration based on those entries. OSD reported an increase in the quality of the utility disruptions data in the Services' submissions. As a result, the revised data template serves as a data validation step to help improve the comprehensiveness and accuracy of data submitted by the military services. Furthermore, after submissions are received from the DOD components, the Office of the Deputy Assistant Secretary of Defense for Energy reviews the submissions during a quality review process. This process involves identifying areas of concern with the submission and following up with the DOD Component to address them.
Department of Defense In order to minimize the risk of delays in their efforts to implement DOD Instruction 8510.01, the Secretary of Defense should direct the Secretaries of the Army, Navy, and Air Force; and the Commandant of the Marine Corps to address challenges related to inventorying existing ICS, identifying personnel with the appropriate expertise, and programming and identifying funding, as necessary.
Closed – Implemented
DOD concurred with our recommendation to address challenges related to inventorying existing ICS, identifying personnel with the appropriate expertise, and programming and identifying funding, as necessary. In March 2016, the Office of the Assistant Secretary of Defense for Energy, Installations and Environment issued a memo directing the services and other defense agencies to develop plans identifying the goals, milestones and resources needed to identify, register and implement cybersecurity controls on DOD facility related ICS. Concurrently, the office issued additional guidance accompanying this memo, which is intended to assist the services and other defense agencies in developing an implementation plan to meet the requirements in the memo. As a result of the memo and guidance, DOD has implemented our recommendation to direct the Services to take steps in addressing challenges related to implementing DOD's cybersecurity guidance.

Full Report

GAO Contacts

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Public Inquiries

Topics

CybersecurityData collectionCyberspace threatsRepair costsOverhead costsControl systemsDefense capabilitiesInventoryWastewaterIndustrial productivity