Lawmakers reproached the Bush administration on Tuesday for missing deadlines and putting just two full-time officials on measures to protect remote controls for dams, electricity grids and power and chemical plants.
Guarding the computer-based controls from terrorists gained attention after the attacks of Sept. 11, 2001.
"It's four years later and we are no further down the line," Rep. Bill Pascrell, D-N.J., said while questioning Andy Purdy Jr., acting director of the Homeland Security Department's National Cyber Security Division. "We're not prepared. You know it, I know it."
Missed deadlines for developing a National Infrastructure Protection plan, determining vulnerabilities and identifying resources to address them are "a real frustration on this committee," said Rep. Dan Lungren, R-Calif., who chairs the House Appropriations Committee's economic security subcommittee.
Purdy told Lungren's panel and members of another subcommittee holding a joint hearing that only two people on his staff are working full-time on improving computerized Supervisory Control and Data Acquisition networks for critical infrastructure facilities. However, he said, 35 contract workers are devoted to the project, explaining that he was limited on how many federal employees he could hire.
"Control systems represent an attractive target for malicious actors," Purdy said, adding that "relatively mature attacking tools" are available on the Internet and novices can use them. He said his agency is sharing ways of fixing the problem through a Web site, holding workshops and coordinating with national security labs, businesses and universities.
"We are proud of the progress we have made," Purdy said.
House members also expressed frustration upon learning that the Interior Department's Bureau of Reclamation has no contact with the National Cyber Security Division.
The bureau's security director, Larry Todd, said his agency doesn't connect its SCADA networks to the Internet and he believes the risk is low that a terrorist could gain control.
Todd said the bureau uses the remote controls to run water release gates and valves at dams, hydroelectric generators, circuit breakers, switches and transformers at power plants, and pumps and gates on waterways and canals.
"We recognize that cybersecurity ... requires continuous monitoring and diligence," he said.