Security pundits have warned of the imminent hacking threat to critical infrastructure providers, but a new Ponemon Institute survey of infrastructure operators suggests the threat is already here.
The survey found 86 per cent of executives reporting they suffered at least one security breach, leading to a loss of confidential information or disruption of their operations, over the past 12 months.
The A/NZ figure was considerably higher than the nearly 70 per cent of executives globally reporting an attack, suggesting that this region has fallen behind the world in terms of data protection. Fully 24 per cent of respondents said the security breaches were due to an insider attack, or to negligent privileged IT users.
Despite such a high rate of security incidents, only 17 per cent of companies in the Critical Infrastructure: Security Preparedness and Maturity report – which was sponsored by Unisys and included 599 IT and IT security executives at infrastructure companies in 13 countries – had deployed most of their IT security program.
Half say they still have not defined their IT security activities, while 43 per cent said they had defined their activities but only partially deployed them. Some 55 per cent said they had just one person responsible for security of SCADA and industrial control systems.
Just 28 per cent of respondents named security as one of the top five strategic priorities for the enterprise – even though 64 per cent of respondents said they anticipate one or more serious attacks to networks or critical infrastructure each year.
“Top security objectives focus on immediate concerns rather than proactive measures to secure the infrastructure,” the report's authors warn. “Minimisation of downtime takes precedence over the prevention of cyber attacks and compliance... a very small percentage cite cyber-security training for all employees as a goal.”
Awareness of attacks against the industrial complex has stepped up in the wake of the Stuxnet worm, which was discovered in 2010 as a targeted attack against SCADA (Supervisory Control and Data Acquisition) systems in Iran, Indonesia and India.
Subsequent attacks have tested the vulnerability of a broader range of SCADA systems, with malware infiltration or just poor management already resulting in interruptions to utility services. One researcher claimed he discovered 23 vulnerabilities in SCADA software, while others slammed the industry's reliance on 'air gaps' – physically separating SCADA and operational networks in the belief that would keep them safe from attack. Security firm Kaspersky Labs is so worried about the potential risk to industrial control systems that it recently began building its own secure SCADA operating system.
“Organisations are not as prepared as they should be to deal with the sophistication and frequency of a cyber threat or the negligence of an employee or third party,” the report's authors warn.
“In fact, the majority of participants... do not believe their companies' IT security programs are 'mature' [defined as having most IT security program activities deployed]. Most companies have defined what their security initiatives are but deployment and execution are still in the early or middle stages.”
That inaction will surprise many given that 57 per cent of respondents to the survey agree that cyber threats are putting SCADA and industrial control systems at risk. A similar proportion (54 per cent) were not confident or were unsure whether their organisation could upgrade legacy systems without sacrificing mission-critical security.
One in three respondents said their company did not get real-time alerts, threat analysis or threat prioritisation intelligence to help deal with a cyber attack. Some 22 per cent of those who did receive such information said it was not effective, while just 15 per cent said threat intelligence is both effective and actionable.
This article is brought to you by Enex TestLab, content directors for CSO Australia.