Critical Infrastructure Security a Mixed Bag, Report Finds

A new report commissioned by McAfee reveals IT security at critical infrastructure companies is not always as high as some may suspect.

A new report from the Center for Strategic and International Studies highlights the financial damage of cyber-attacks on critical infrastructure, but also paints a picture of IT security that is in turns good and bad.

The report, "In the Crossfire: Critical Infrastructure in the Age of Cyberwar" (PDF), was commissioned by McAfee and includes information from a survey of 600 IT security executives from critical infrastructure companies across the world.

Among the study's findings is that the financial impact of downtime caused by attacks can be devastating, averaging $6.3 million per day. That number goes up to $8.4 million per day for the oil and gas industry.

But despite the costs, IT security isn't always what one might expect. Some key security technologies are not widely adopted. For example, application whitelisting was only implemented by 19 percent of organizations on both SCADA/ICS (Supervisory Control and Data Acquisition/Industrial Control Systems) and IT networks.

Only 57 percent of executives overall said their organization patched and updated software on a regular schedule, with Russia and Australia leading the way with 77 and 73 percent, respectively. Brazil was at the bottom with 37 percent. In addition, only one-third of executives reported their organization had policies restricting or prohibiting the use of USB sticks or removable media, which has become a popular attack vector for malware.

The most widely adopted security measure overall was the use of firewalls between private and public networks, which 77 percent reported using (65 percent for SCADA or ICS systems). Technologies such as security information event management (SIEM) and role and anomaly detection tools were deployed by 43 and 40 percent, respectively.

In virtually all cases, China led the way in adoption of security technologies. When IT and security executives were asked about 27 dif??íferent security measures in the survey, China was found to have the highest security adoption rate, standing at 62 percent. That figure is roughly 10 percent higher than what was reported by the United States, Australia and the United Kingdom.

However, security technologies may not be a panacea. Though China had a lower victimization rate than countries at the bottom of the security adoption scale, its overall security record "is not noticeably better than the record of many other countries with much lower security adoption rates," the report notes.

"China is not notably free from high-level attacks, nor do Chinese respondents rate themselves as being much better prepared than other nations," the report states.

"We don't know for sure (why that is)," Stewart Baker, distinguished visiting fellow with the Center for Strategic and International Studies, told eWEEK. "There are several possible answers. Maybe China would be much lower in rankings if not for security measures. ... Maybe improving security 10 percent isn't enough to prevent attacks measurably."

Overall, 54 percent of respondents said they have already suffered a large-scale denial-of-service attack by organized crime gangs, terrorists or nation-states. In addition, 37 percent of IT executives said the vulnerability of their sector had increased over the past 12 months.

"In today's economic climate, it is imperative that organizations prepare for the instability that cyber attacks on critical infrastructure can cause," said Dave DeWalt, CEO of McAfee, in a statement. "From public transportation to energy to telecommunications, these are the systems we depend on every day. An attack on any of these industries could cause widespread economic disruptions, environmental disasters, loss of property and even loss of life."