Cyber-attackers are increasingly targeting critical infrastructure, such as power and gas utilities, with sophisticated threats like Stuxnet. However, these organizations have so far failed to bolster their cyber-security defenses, according to a new report.
Critical infrastructure in
the United States, including power and gas utilities, remains vulnerable to
cyber-attack, and organizations are unprepared to handle major incidents, a
research report found.
A survey of 200 IT
executives in charge of security at power, oil, gas and water utilities in 14
countries showed that 80 percent of the respondents said their organization has
experienced large-scale denial-of-service threats. The study examined the cost
and impact of cyber-attacks on critical infrastructure, including power grids
and oil, gas and water lines.
The report, "In The Dark:
Crucial Industries Confront Cyberattacks," was released April 21. It was
commissioned by McAfee and written by the CSIS (Center for Strategic and
International Studies). The electronic survey was conducted during the last
quarter of 2010.
Cyber-security at utility
companies has been a great concern for decades, but the issue took on dramatic
importance after Stuxnet disabled nuclear reactors in Iran by sabotaging
specific Siemens SCADA (supervisory control and data acquisition) systems.
With Stuxnet, utilities
became aware that attackers were developing exploits directly targeting
physical infrastructure, Phyllis Schneck, vice president and chief technology
officer for public sector at McAfee, said at a Washington, D.C., event where
the results of the report were unveiled.
Nearly 70 percent of the
survey participants said they frequently found malware designed to sabotage
their systems within their environment. Even more worrisome, nearly half of the
IT executives in the electric industry sector said they had found Stuxnet on
While it was unclear whether
Stuxnet compromised those companies, nearly 60 percent of the organizations
reported launching special security audits after learning about Stuxnet.
Organizations have not made
much progress in securing their networks despite the growing awareness of
potential threats. Researchers asked IT executives to identify which security
measures and technology they have adopted in their organizations.
The energy industry sector
had indicated having adopted about half of the items on the list last year, and
only 51 percent of the list so far this year, McAfee said. The oil and gas
industries had increased the number of security technologies adopted by 3
percent, or 48 percent of the list.
companies] all acknowledged being more worried, but they didn't say they had
done a lot more," said Stewart Baker, a CSIS researcher who led the study.
While all sectors reported doing more, the change was incremental. "It's an
improvement, but it's not much," Baker said.
Nearly 80 percent of the
respondents said their firms had been targeted by at least one big
denial-of-service attack, and 85 percent reported at least one network
intrusion. About 25 percent claimed to see DoS attacks daily or weekly. This is
in stark contrast to the previous year's report, where nearly half claimed to
never having experienced a network intrusion or large-scale DoS attack.
Despite the increasing
frequency and severity of these attacks, at least a third of the respondents
said they are not prepared and more than 40 percent said they expect a major
assault on their infrastructure within the next year. The expected assault may
cause severe loss of services for at least 24 hours, loss of life or personal
injury, or cause the company to fail, the report found.
The report highlighted the
risk of attacks against electrical smart grids as they become increasingly
prevalent in the United States. "You go and you build it, and we're making some
of the same mistakes as when the Internet was first built-the -wow' factor and
the advantages outweighed the security. Apparently we didn't learn our lesson
the first time," Schneck said.
Baker was concerned that critical
infrastructure was not being adequately protected. "Our industrial-control
systems are very, very vulnerable to attack and the security we have installed
today is insufficient to protect us," Baker said.
The report parallels the
findings from a recent Ponemon Institute study looking at data breaches in the
energy sector. The Ponemon report found that only 29 percent of surveyed
executives at utility and energy companies fully understood and appreciated the
need for security. About 76 percent of energy companies and utilities had
experienced at least one data breach in the past 12 months and 69 percent expected
a data breach in the coming year, according to the report.
For most organizations,
minimizing downtime was the top security objective, followed by regulatory and
legal compliance, the Ponemon report found. Only 5 percent of respondents
reported that preventing or minimizing advanced persistent threats was a top
Preventing cyber-attacks was
not considered as important as negligent insiders, insecure applications and
system glitches that could cause systems to go offline, Tom Turner, senior
vice-president of marketing and channels at Q1 Labs, told eWEEK. Q1 Labs
commissioned the report.