Cyber-Attacks Targeting Power, Gas Utilities on the Rise: Survey

Critical infrastructure in the United States, including power and gas utilities, remains vulnerable to cyber-attack, and organizations are unprepared to handle major incidents, a research report found.

A survey of 200 IT executives in charge of security at power, oil, gas and water utilities in 14 countries showed that 80 percent of the respondents said their organization has experienced large-scale denial-of-service threats. The study examined the cost and impact of cyber-attacks on critical infrastructure, including power grids and oil, gas and water lines.

The report, “In The Dark: Crucial Industries Confront Cyberattacks,” was released April 21. It was commissioned by McAfee and written by the CSIS (Center for Strategic and International Studies). The electronic survey was conducted during the last quarter of 2010.

Cyber-security at utility companies has been a great concern for decades, but the issue took on dramatic importance after Stuxnet disabled nuclear reactors in Iran by sabotaging specific Siemens SCADA (supervisory control and data acquisition) systems.

With Stuxnet, utilities became aware that attackers were developing exploits directly targeting physical infrastructure, Phyllis Schneck, vice president and chief technology officer for public sector at McAfee, said at a Washington, D.C., event where the results of the report were unveiled.

Nearly 70 percent of the survey participants said they frequently found malware designed to sabotage their systems within their environment. Even more worrisome, nearly half of the IT executives in the electric industry sector said they had found Stuxnet on their systems.

While it was unclear whether Stuxnet compromised those companies, nearly 60 percent of the organizations reported launching special security audits after learning about Stuxnet.

Organizations have not made much progress in securing their networks despite the growing awareness of potential threats. Researchers asked IT executives to identify which security measures and technology they have adopted in their organizations.

The energy industry sector had indicated having adopted about half of the items on the list last year, and only 51 percent of the list so far this year, McAfee said. The oil and gas industries had increased the number of security technologies adopted by 3 percent, or 48 percent of the list.

“[Critical infrastructure companies] all acknowledged being more worried, but they didn’t say they had done a lot more,” said Stewart Baker, a CSIS researcher who led the study. While all sectors reported doing more, the change was incremental. “It’s an improvement, but it’s not much,” Baker said.

Nearly 80 percent of the respondents said their firms had been targeted by at least one big denial-of-service attack, and 85 percent reported at least one network intrusion. About 25 percent claimed to see DoS attacks daily or weekly. This is in stark contrast to the previous year’s report, where nearly half claimed to never having experienced a network intrusion or large-scale DoS attack.

Despite the increasing frequency and severity of these attacks, at least a third of the respondents said they are not prepared and more than 40 percent said they expect a major assault on their infrastructure within the next year. The expected assault may cause severe loss of services for at least 24 hours, loss of life or personal injury, or cause the company to fail, the report found.

The report highlighted the risk of attacks against electrical smart grids as they become increasingly prevalent in the United States. “You go and you build it, and we're making some of the same mistakes as when the Internet was first built—the ‘wow’ factor and the advantages outweighed the security. Apparently we didn’t learn our lesson the first time,” Schneck said.

Baker was concerned that critical infrastructure was not being adequately protected. "Our industrial-control systems are very, very vulnerable to attack and the security we have installed today is insufficient to protect us," Baker said.

The report parallels the findings from a recent Ponemon Institute study looking at data breaches in the energy sector. The Ponemon report found that only 29 percent of surveyed executives at utility and energy companies fully understood and appreciated the need for security. About 76 percent of energy companies and utilities had experienced at least one data breach in the past 12 months and 69 percent expected a data breach in the coming year, according to the report.

For most organizations, minimizing downtime was the top security objective, followed by regulatory and legal compliance, the Ponemon report found. Only 5 percent of respondents reported that preventing or minimizing advanced persistent threats was a top security goal.

Preventing cyber-attacks was not considered as important as negligent insiders, insecure applications and system glitches that could cause systems to go offline, Tom Turner, senior vice-president of marketing and channels at Q1 Labs, told eWEEK. Q1 Labs commissioned the report.