A new report commissioned by McAfee reveals IT security at critical infrastructure companies is not always as high as some may suspect.
A report from the Center for Strategic and International Studies highlights the
financial damage of cyber-attacks on critical infrastructure, but also paints a
picture of IT security that is in turns good and bad.
the Crossfire: Critical Infrastructure in the Age of Cyberwar" (PDF), was
commissioned by McAfee and includes information from a survey of 600 IT
security executives from critical infrastructure companies across the world.
study's findings is that the financial impact of downtime caused by attacks can
be devastating, averaging $6.3 million per day. That number goes up to $8.4
million per day for the oil and gas industry.
Despite the costs, IT security isn't always what one might expect. Some key security technologies
are not widely adopted. For example, application whitelisting was only
implemented by 19 percent of organizations on both SCADA/ICS (Supervisory
Control and Data Acquisition/Industrial Control Systems) and IT networks.
percent of executives overall said their organization patched and updated
software on a regular schedule, with Russia and Australia leading the way with
77 and 73 percent, respectively.
at the bottom with 37 percent. In addition, only one-third of executives
reported their organization restricting or prohibiting the use of USB sticks or removable media, which
has become a popular attack vector for malware.
The most widely adopted security measure overall was the use of firewalls between
private and public networks, which 77 percent reported using (65 percent for
SCADA or ICS systems). Technologies such as security information event
management (SIEM) and role and anomaly detection tools were deployed by 43 and
40 percent, respectively.
virtually all cases,
the way in adoption of security technologies. When IT and security executives
were asked about 27 different security measures in the survey,
found to have the highest security adoption rate, standing at 62 percent. That
figure is roughly 10 percent higher than what was reported by the United States,
security technologies may not be a panacea. Though
a lower victimization rate than countries at the bottom of the security
adoption scale, its overall security record "is not noticeably better than the
record of many other countries with much lower security adoption rates," the
is not notably
free from high-level attacks, nor do Chinese respondents
rate themselves as being much better prepared than other nations," the report
"We don't know for sure (why that is)," Stewart
Baker, distinguished visiting fellow with the Center for Strategic and
International Studies, told eWEEK. "There are several possible answers.
would be much lower in rankings if not for security measures. ... Maybe
improving security 10 percent isn't enough to prevent attacks measurably."
54 percent of respondents said they have already suffered a large-scale denial-of-service attack
crime gangs, terrorists or nation-states. In addition, 37 percent of IT
executives said the vulnerability of their sector had increased over the past
"In today's economic
climate, it is imperative that organizations prepare for the instability that
cyber attacks on critical infrastructure can cause," said Dave DeWalt,
of McAfee, in a statement. "From public transportation to energy
to telecommunications, these are the systems we depend on every day. An attack
on any of these industries could cause widespread economic disruptions,
environmental disasters, loss of property and even loss of life."