Insufficiently prepared infrastructure firms increasingly under attack
A new study written jointly by McAfee and the Center for Strategic International Studies (CSIS) concludes that utility companies are increasingly under threat from targeted attacks and yet many are simply not taking the proper precautions to protect their systems. The report, to be published later today (Tuesday 19 April) and entitled "In the Dark - Crucial Industries Confront Cyberattacks", is based on a survey of 200 IT executives in 14 countries. The executives all work in companies involved with "critical infrastructure that depends most heavily on industrial control systems".
The problem of targeted attacks against infrastructure control systems was highlighted last year with the emergence of the Stuxnet worm which was targeted against specific equipment in the Iranian Natanz nuclear facility. Regardless of the origin or target, the worm demonstrated the principle of such an attack, and its code has reportedly been traded on the black market. Stuxnet is considered to have caused real damage at the Natanz facility, and the implication is that similar damage could possibly be caused to infrastructure companies such as those involved in electricity, gas, water, transport, and so forth.
Of the executives surveyed, 80 per cent reported attacks in the last year, although most of these were not of the Stuxnet kind, but rather distributed denial of service attacks (DDoS). However, 70 per cent reported as having in the same time-frame discovered on their systems malware targeted to cause damage. 25 per cent reported that either actual attacks or threats of attack had been used in attempts to extort payment, most notably in Mexico and India.
A CSIS spokesman was quoted as saying that "The message is that our industrial control systems are very, very vulnerable to attack and the security we have installed today is insufficient to protect us ... I'm concerned that (the industry) is not getting that message, despite having the evidence in front of us."
- Major New Report From McAfee and CSIS on Cyber-Security for Critical Infrastructure Worldwide, press release from McAfee.