A new report commissioned by McAfee reveals IT security at critical infrastructure companies is not always as high as some may suspect.
A new report from the Center for Strategic and International Studies highlights the financial damage of cyber-attacks on critical infrastructure, but also paints a picture of IT security that is by turns good and bad.
The report, "In the Crossfire: Critical Infrastructure in the Age of Cyberwar" (PDF), was commissioned by McAfee and includes information from a survey of 600 IT security executives from critical infrastructure companies across the world.
Among the study's findings is that the financial impact of downtime caused by attacks can be devastating, averaging $6.3 million per day. That number goes up to $8.4 million per day for the oil and gas industry.
But despite the costs, IT security isn't always what one might expect. Some key security technologies are not widely adopted. For example, application whitelisting was only implemented by 19 percent of organizations on both SCADA/ICS (Supervisory Control and Data Acquisition/Industrial Control Systems) and IT networks.
Only 57 percent of executives overall said their organization patched and updated software on a regular schedule, with Russia and Australia leading the way with 77 and 73 percent, respectively. Brazil was at the bottom with 37 percent. In addition, only one-third of executives reported their organization had policies restricting or prohibiting the use of USB sticks or removable media, which has become a popular attack vector for malware.
The most widely adopted security measure overall was the use of firewalls between private and public networks, which 77 percent reported using (65 percent for SCADA or ICS systems). Technologies such as security information event management (SIEM) and role and anomaly detection tools were deployed by 43 and 40 percent, respectively.
In virtually all cases, China led the way in adoption of security technologies. When IT and security executives were asked about 27 different security measures in the survey, China was found to have the highest security adoption rate, standing at 62 percent. That figure is roughly 10 percent higher than what was reported by the United States, Australia and the United Kingdom.
However, security technologies may not be a panacea. Though China had a lower victimization rate than countries at the bottom of the security adoption scale, its overall security record "is not noticeably better than the record of many other countries with much lower security adoption rates," the report notes.
"China is not notably free from high-level attacks, nor do Chinese respondents rate themselves as being much better prepared than other nations," the report states.
"We don't know for sure (why that is)," Stewart Baker, distinguished visiting fellow with the Center for Strategic and International Studies, told eWEEK. "There are several possible answers. Maybe China would be much lower in rankings if not for security measures. ... Maybe improving security 10 percent isn't enough to prevent attacks measurably."
Overall, 54 percent of respondents said they have already suffered a large-scale denial-of-service attack by organized crime gangs, terrorists or nation-states. In addition, 37 percent of IT executives said the vulnerability of their sector had increased over the past 12 months.
"In today's economic climate, it is imperative that organizations prepare for the instability that cyber attacks on critical infrastructure can cause," said Dave DeWalt, CEO of McAfee, in a statement. "From public transportation to energy to telecommunications, these are the systems we depend on every day. An attack on any of these industries could cause widespread economic disruptions, environmental disasters, loss of property and even loss of life."