updated 4/19/2011 10:18:31 PM ET 2011-04-20T02:18:31

Critical infrastructure firms such as power grids and oil refineries are facing a “staggering” level of cyberattacks, and are not adequately prepared to defend themselves, finds a new report published today (April 19) by the security firm McAfee and the Center for Strategic and International Studies (CSIS).

The report, “In the Dark: Crucial Industries Confront Cyberattacks,” found that “hostile government” online attacks targeting critical infrastructure networks — gas, oil, water and power — have “achieved staggering levels of success.”

“The problem is that all the infrastructure companies are connecting their systems to the Internet, because it never goes down and it's free,” Steve Santorelli, a security expert with Team Cymru in Burr Ridge, Ill., told SecurityNewsDaily.

“They save billions of dollars by switching over from proprietary and older systems,” said Santorelli, who was not involved with the survey. “It's not until something goes wrong and kills 100 people that you see the other side of that.”

Problems outpace solutions

When it comes to meeting the security demands posed by the new threats, the targeted companies are slow to respond, the McAfee/CSIS report found.

“We found that the adoption of security measures in important civilian industries badly trailed the increase in threats over the last year,” wrote Stewart Baker of the CSIS, who co-authored the study.

“What we found is that they [critical infrastructure companies] are not ready,” the report read. “The professionals charged with protecting these systems report that the threat has accelerated — but the response has not.”

The study polled 200 IT security executives for infrastructure firms in 14 countries: the U.S., Mexico, Brazil, India, Russia, China, Japan, the United Arab Emirates, Australia, Britain, France, Germany, Italy and Spain.

No good news

The report found that 40 percent of the IT executives at critical infrastructure firms believed their industry has become more vulnerable to cyberattack, and more than 40 percent expect a major cyberattack to occur within the next year.

Nearly 30 percent of respondents admitted that their company was not adequately prepared for such a catastrophic event.

Eighty percent of respondents said their company had faced a large-scale denial-of-service attack in 2010; 25 percent reported “daily or weekly denial-of-service attacks” and more than half said they’d suffered from cyberattacks led by foreign governments.

“Overall, we found little good news about cybersecurity in the electric grid and other crucial services that depend on information and industrial control systems … We can no longer pretend that is business as usual for cybersecurity,” the report concluded.

Stuxnet for everyone

In one stunning finding, the report said 46 percent of the respondents who worked for electrical-grid infrastructure firms reported that the Stuxnet worm had infiltrated their systems.

“It's not surprising that Stuxnet was found on that many systems,” Santorelli told SecurityNewsDaily. “Everyone's using Siemens nowadays.”

The Stuxnet worm, perhaps the work of the U.S. and Israeli governments, targeted and penetrated Siemens industrial controllers at the Natanz uranium-processing facility in Iran.

Methodology in the madness

The report drew criticism on Twitter from several security experts Monday evening after its contents were leaked online.

“So is the McAfee report first hand research, or second-hand rumors?” wondered Robert Graham, founder and CEO of Atlanta-based Errata Security.

Others questioned whether the study should have cited electrical blackouts in Brazil in 2005 and 2007 as the result of extortion attempts by infrastructure hackers, because the reports have never been verified.

But Santorelli told SecurityNewsDaily that it’s inherently difficult to quantify the number of attacks on and vulnerabilities in critical infrastructure systems.

“You can't just go into these SCADA [supervisory control and data acquisition] systems to examine them,” he said. “These are very crucial systems and no security company wants to be held responsible if something goes wrong while you're in there fiddling with them.”

The respondents were asked to fill out a questionnaire, consisting of about 40 questions (some multiple-choice, some fill-in-the-blank).

If that sounds an awful lot like an opinion poll, that’s because there’s no other way to get this information, explained Santorelli.

“It's best to just ask the opinions of the administrators, and you have to remember that these 200 people who were surveyed really know their stuff,” he said. “And if they're scared, then maybe we ought to be as well.”

© 2012 SecurityNewsDaily. All rights reserved

