Experts fear cyber-attack on infrastructure
40% of 200 IT security experts polled say they expect a large-scale attack on the electricity, oil, gas or water sector soon
A report called 'In the Dark: Crucial Industries Confront Cyber-attacks', produced by McAfee and the Center for Strategic and International Studies (CSIS), has revealed that 40% of 200 IT security executives polled believe a major cyber-attack on critical infrastructures will happen within a year.
Forty percent of the IT security executives, from critical electricity infrastructure enterprises in 14 countries, believed that the industry's vulnerability had increased almost 30% and believed that their company was not ready for cyber-attacks.
"We found that the adoption of security measures in important civilian industries badly trailed the increase in threats over the last year," said Stewart Baker, who led the study for CSIS.
Industry executives made some progress in further securing their networks, with the energy sector increasing adoption of security technology by 51% and the oil and gas industry increasing security technologies by 48%.
"Ninety to 95% of the people working on the smart grid are not concerned about security and only see it as a last box they have to check," said Jim Woolsey, former United States director of Central Intelligence.
The new study shows that the threat to critical infrastructures has increased exponentially, but the level of security and response has not kept up with threat levels. Only about 25% of those surveyed implemented tools to monitor network activity and 26% used tools to detect role anomalies.
One in four of the respondents to the survey have been victims of extortion through cyber-attacks or the threat of cyber-attacks, and the number of companies exposed to such extortion has increased by 25% in the last 12 months.
Extortion cases were also found to be spread evenly through all sectors of critical infrastructure, with India and Mexico having the highest rates of extortion attempts. Sixty to 80% of executives surveyed in these countries reported extortion attempts.
Seventy-five percent of respondents had found malware specifically designed to attack their corporate infrastructures, and almost 50% of respondents in the electricity sector said they had found Stuxnet on their systems.
The threat to infrastructures has also spread to smart grids, whose adoption is accelerating and which are expected to account for $45bn in global spending in 2015.
"What we are learning is the smart grid is not so smart," said Phyllis Schneck, vice president and chief technology officer for public sector intelligence at McAfee. "In the past year, we've seen arguably one of the most sophisticated forms of malware in Stuxnet, which was specifically designed to sabotage IT systems of critical infrastructures. The fact is that most critical infrastructure systems are not designed with cyber-security in mind, and organisations need to implement stronger network controls, to avoid being vulnerable to cyber-attacks."
The report also found that 80% of respondents had faced a large-scale distributed denial-of-service (DDoS) attack and 25% reported daily or weekly DDoS attacks.
Brazil, France and Mexico were found to have insufficient security measures for critical infrastructure, with half as many security measures as leading countries China, Italy and Japan. China and Japan reflected the highest confidence levels in the ability of current laws to prevent or deter attacks.
Both the US and Europe have fallen behind Asia in terms of government involvement, with respondents in China and Japan reporting high levels of both formal and informal interaction with their government on security topics, while the US, Spain and UK indicated little to no contact.
More than half of respondents say that they have already suffered from government attacks.