Critical Infrastructure Unprepared for Attacks
I had the opportunity to spend some time last week with Tom Kellermann, a member of the Commission on Cyber Security for the 44th Presidency and a colleague of mine at my full-time employer.
In a series of interviews with members of the print media about President-elect Obama's potential policies around cyber-security, Tom repeatedly brought up the issue of protection for critical infrastructure assets, and the need for the government to improve defense of its own operations in addition to pushing private-sector companies to do the same.
One of the biggest issues to consider is the potential for multipronged campaigns that use cyber-tactics to target critical infrastructure and then follow with attacks in the physical world.
As in, turn out the lights and invade under the cover of darkness.
Think that sounds far-fetched? Talk to Tom for a while and you might change your mind. And the people he works with on the Commission represent some of the most influential minds looking at IT security in the federal government and private sectors today.
To further reinforce the point, Secure Computing has released the results of a new study on cyber-security and its relation to critical infrastructure, and the results are pretty scary.
According to the survey of roughly 200 security experts, including leaders from the utilities, oil and gas, financial services, government, telecommunications, and transportation sectors, over 50 percent of the officials reported that most critical infrastructure remains vulnerable to cyber-attack.
An overwhelming majority of the respondents also said they believe that "major attacks" of that type have already begun or will begin within the next year.
Many of the organizations controlling critical infrastructure have moved to comply with existing security standards, but the majority are still woefully vulnerable to threats, said Rick Nicholson, vice president of research for IDC's Energy Insights, who authored a white paper based on the survey results.
"Most utility CIOs believe that their companies will be compliant with relevant standards, but still have a long way to go before being adequately prepared for all cyber-attacks," Nicholson said.
Participants in the survey (40 percent) indicated that the financial services sector is likely the best prepared for an attack of all the verticals cited in the research, with the experts expressing their belief that the energy segment remains the biggest target (33 percent).
Scarily, the energy market was also cited as likely to be the least prepared (30 percent), and at the same time named as the sector where a successful attack would cause the most collateral damage (42 percent), comparatively speaking.
When asked to highlight the most significant hurdle to improving cyber-security, 29 percent of the experts cited the cost of making new investments. Apathy ranked as the second-most likely reason for a lack of activity, with government bureaucracy and internal issues neck-and-neck for third.
Among some of the other findings in the Secure Computing report:
-Some 14 percent of respondents said they believe a major attack will occur in the next year, while only 2 percent said such an exploit would never occur.
-Roughly 62 percent of North American respondents said their control systems were directly connected to an IP-based network or the Internet. A full 98 percent of respondents believed this makes them more vulnerable.
-As companies deploy new technologies such as smart meters, sensors and advanced communications networks, they run the risk of increasing their vulnerability unless they include security as an integral part of the projects.
-During times of economic hardship, organizations are expected to increase their use of "standard" IT platforms, further increasing their vulnerability to attack.
The accompanying IDC white paper makes four recommendations for critical infrastructure asset owners and operators regarding cyber-security:
• Perform ongoing vulnerability assessments
• Monitor network automation and control systems
• Review both IT and operations technology environments
• Think beyond regulatory compliance
Whether these companies decide to undertake this work on their own, or the new administration forces them to do so, we'll all be better off when a serious change in thinking and strategy among all the involved interests occurs.
Let's hope it's not (another) major attack on U.S. soil that forces these parties to move forward.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.