Industries crucial to the functioning of society – such as water treatment systems, power plants, and oil and gas facilities – use computer-controlled systems that are under fast-growing cyberattack by hackers, often affiliated with government and organized crime groups, says a new report. These key industries, it adds, often are not boosting security to deal with the threat.
For decades, industrial control systems that operate the power grid and other vital infrastructure enjoyed "security by obscurity." Cybercriminal gangs saw better places to make money. That's changed in a flash.
A drumbeat of reports in recent years has warned of the corporate trend to connect previously isolated vital systems to the Internet, making them more vulnerable to criminal and government hackers seeking to infiltrate infrastructure networks.
Against this backdrop, “In the Dark: Crucial Industries Confront Cyberattacks,” a global survey of 200 computer security professionals working in critical infrastructure industries, sends up another warning flare.
Cyberexploits and cyberattacks on vital infrastructure are now widespread, and perpetrators range from cybercriminals engaged in theft or extortion to foreign governments preparing sophisticated attacks, the report says. The Stuxnet worm was last year's key example – a cyberweapon that targeted Iran's nuclear program and damaged it, and that experts say could be modified to damage other systems.
According to the global survey, Stuxnet wormed its way into computer networks at the companies of about 40 percent of respondents. Within the electric utility industry, the penetration was higher: Nearly half of the professionals surveyed said they had found Stuxnet on their systems.
Despite such evidence that cyberattackers are targeting critical infrastructure providers, many operators are not ramping up security and others are moving too slowly, the report says.
"What we found is that they are not ready," says the report commissioned by McAfee, the cybersecurity company, and conducted by the Center for Strategic and International Studies (CSIS), a Washington think tank. "The professionals charged with protecting these systems report that the threat has accelerated – but the response has not."
The report says 40 percent of cybersecurity professionals surveyed believe their industry has become more vulnerable in the past year. Some 30 percent say their company is not prepared for a cyberattack, and more than 40 percent expect a major cyberattack within the next year.
“We found that the adoption of security measures in important civilian industries badly trailed the increase in threats over the last year,” said Stewart Baker, who led the study for CSIS, in a statement.
Limited progress has been made securing vital networks. Fifty-one percent of respondents at utilities say deployment of security technologies increased (compared with 50 percent the year before). Within the oil and gas industries, 48 percent boosted security technology in the past year, up from 45 percent a year earlier, the report said. Among the other findings:
• Massive numbers of attacks. Eighty percent of those surveyed have faced a large-scale distributed denial-of-service (DDoS) attack, in which computers bombard an Internet-connected system and overload it, making access impossible. One-quarter of respondents say their systems were hit daily or weekly by DDoS attacks or received extortion demands during the attacks.
• More extortion attempts. Among critical infrastructure providers, 1 in 4 professionals reports that the provider was an extortion target: Pay us or we'll cyberattack you. Extortion attempts grew 25 percent over the previous year, and the cases were distributed evenly among the different infrastructure sectors. Some 60 percent of professionals in India and 80 percent in Mexico reported cyberextortion attempts.
Despite this, most companies did not adopt additional security or clamp down on offsite users. Only one-quarter of the executives say they use systems that monitor network activity, and 36 percent use tools to detect changes in user authority.
• Cybersecurity laws lag. Brazil, France, and Mexico lag other nations in implementing security steps. Those nations adopted half as many measures as leaders China, Italy, and Japan, which had the most confidence in laws to deter attacks.
• The US and Europe lag Asia in government involvement. While the security professionals in China and Japan report a lot of interaction with their governments on cybersecurity, those in the United States, Britain, and Spain reported little, if any, contact.
• More than half of respondents say they believe their organization has already been attacked by hackers working for governments.
"The level of sophistication of these attacks – many of them attributed to governments – was already fairly high a few years ago, and it's kind of leveled off now," says Alan Paller, research director for the SANS Institute, a cybersecurity education organization. "What we're seeing are sophisticated attacks increasingly deployed in a targeted way at these critical infrastructure industries."
While computer firewalls block viruses and other generic threats, attackers are using spear-phishing, which targets individuals with convincing e-mail, along with infected thumb drives and other techniques to infiltrate vital systems. So-called "zero-day" attacks that use never-before-seen attack software code – against which antivirus companies have not yet developed a defense – are one example of a potent, growing threat, experts say.
Today, “if you can’t deal with a zero-day attack coming from a thumb drive,” says James Woolsey, former director of Central Intelligence, quoted in the report, “you have nothing.”