Critical Infrastructure Companies Face Mounting Threat From Cyber Attacks: Report

In light of mounting cyber attacks on civil infrastructure and increasingly sophisticated threats such as the Stuxnet virus, 80 percent of IT executives survyed for a new study said they have experienced large-scale denial-of-service threats, but at least a third of all respondents say they are unprepared for a major assault.

These and other findings were revealed in a joint study, titled, "In The Dark: Crucial Industries Confront Cyberattacks," commissioned by McAfee and produced by the Center for Strategic and International Studies, a Washington, D.C.-based non-profit organization.

The study surveyed 200 IT executives information technology executives charged with security at power, oil, gas and water facilities in 14 countries in order to examine the cost and impact of cyber attacks on critical infrastructure, including power grids, and oil, gas and water lines.

Despite the increasing frequency and severity of cyber infrastructure attacks, at least a third of companies report that they are not prepared for such an incident, while more than 40 percent of company executives say that their vulnerability has increased. In addition, 40 percent of those surveyed expect a major cyber attack within the next year.

Altogether, the study revealed that response to the accelerating threat level to civil infrastructures was severely lacking, despite the fact that nearly 70 percent of respondents frequently found malware designed to sabotage their systems, and nearly half of respondents in the electric industry sector reported that they found Stuxnet virus on their systems.

The threat to infrastructures also includes electrical smart grids, which are growing in adoption and expected to have exceeded $45 billion in global spending in 2015, according to McAfee.

’With smart grids, you get incredible convenience,’ said Phyllis Schneck, vice president and chief technology officer for public sector for McAfee. ’All of a sudden, you go and you build it, and we're making some of the same mistakes as when the Internet was first built--the ’wow’ factor and the advantages outweighed the security. Apparently we didn’t' learn our lesson the first time. This report helps create that dialogue.’

In addition, the study indicated that organizations made only incremental progress over the last 12 months to secure their networks. The energy sector increased its adoption of security technologies from a single percentage point to 51 percent, while the oil and gas industries increased their security adoption by three percentage points to 48 percent.

One of the study's researchers said that one of the most surprising findings was the growing concern regarding a critical infrastructure attack but the failure to take necessary steps in order to prevent it.

’(Critical infrastructure companies) all acknowledged being more worried, but they didn’t say they had done a lot more,’ said Stewart Baker, a CSIS researcher who led the study. ’Everybody went up in security, but folks in the energy sector went from 50 percent to 51. It’s an improvement but it’s not much.’

In fact, researchers found that sophisticated security measures placed upon offsite users were in the minority -- a quarter of those surveyed implemented tools to monitor network activity, and about 36 percent installed tools to detect role anomalies.

Officials said that this under-preparedness stems from general lack of awareness and dismissive attitudes regarding security.

’Ninety to 95 percent of the people working on the smart grid are not concerned about security and only see it as a last box they have to check,’ said Jim Woolsey, former U. S. Central Intelligence director, in a statement.

Next: Solution Provider Ponders Customer Resistance To Security Upgrades

Meanwhile, security solution providers said there is a huge gap between the growing threat of civil infrastructure attacks and customer awareness.

Roy Miehe, president of AAAntivirus, based in Campbell, Calif., said that overwhelmingly the reason for the resistance to beefing up security is often because customers balk at spending more money.

"Customers are so concerned about money, they're so concerned about the government," he said. "They're just not getting it -- until they go down."

"They're just afraid of making a mistake," he added.

However, the lack of awareness flies in the face of the rapid escalation of cyber threats. The study also found that one in four respondents were victims of extortion either through cyber attacks or threatened cyber attacks -- a statistic that has increased by 25 percent over the past year. Extortion was most pervasive in critical infrastructure sectors, the study found.

However, Miehe said that the gaping holes in awareness provided ample opportunities for the reseller community to "pick up the phone," and become more aggressive about educating their customer base -- whether or not their customers think they need it.

"This is a golden opportunity for the channel to get their act together and go to their clientele base," he said. "They've got to stand up for themselves, if they're really truly value added resellers and tell their clients, and don't take no for an answer."