Security teams at critical infrastructure firms have little trouble understanding that their networks are vulnerable. But the companies themselves have failed to make security a priority, according to a survey of nearly 600 security executives by the Ponemon Institute published on July 10.
External attackers and malicious or negligent employees managed to compromise two-thirds of the companies' networks in the past 12 months, leading to the loss of data or a disruption in operations, according to the report, Critical Infrastructure: Security Preparedness and Maturity, which was funded by technology firm Unisys. About 57 percent of respondents believe that their industrial control systems are at risk from cyber-attacks.
Despite the recognition of cyber-attacks as a threat, most critical-infrastructure firms are not focused on security, according to the survey. Only 28 percent of security practitioners stated that their firms considered security a top-five priority, the study found.
"It paints a picture of organizations that feel like they are at risk, yet they are not doing anything about it," Dave Frymier, chief information security officer for Unisys, told eWEEK. "They are almost asleep at the switch, [and] they don't seem to be taking the problem seriously."
In the survey of 599 IT and IT security executives, most companies were aware of the dangers of cyber-attacks: nearly two-thirds of organizations are committed to preventing or detecting the most sophisticated attackers, known as advanced persistent threats or APTs, according to respondents. The same share of respondents agreed that one or more serious cyber-attacks would infiltrate their infrastructure in the next year.
Over the past two years, for example, a group of online hackers, whose actions bear the hallmarks of nation-state operatives, compromised hundreds of energy firms and industrial control system makers, according to the Industrial Control Systems Cyber Emergency Readiness Team (ICS-CERT) and security firms. Alternatively called "Dragonfly" and "Energetic Bear" by security firms, the attack campaign installed Remote Access Trojans (RATs) inside the networks of companies, organizations and government agencies located in Spain, the United States, Japan, France, Italy and Germany.
Because control systems and monitoring networks are designed to be reliable and to last for decades, dealing with legacy systems that may have significant vulnerabilities has become a major issue for utilities. Yet most respondents lack confidence that their organization could upgrade such systems without causing problems.
More than half of security professionals interviewed by the Ponemon Institute stated that patching industrial systems with up-to-date security software either would not be cost-effective or would sacrifice mission-critical security, according to the report.
Until a major event shakes critical-infrastructure firms from their malaise, the gap between security professionals understanding the theoretical threat of cyber-attacks and companies focusing on making their networks and infrastructure more secure in practice will likely remain for the foreseeable future, Frymier said.
"We pretty much feel that there will have to be some precipitating event," he said. "Something will have to happen, and unfortunately, it will probably be a bad thing that has to happen to galvanize people to understand the magnitude of the problem so they do something about it."