
Communications of the ACM

ACM News

Report Reveals Critical Infrastructure Under Constant Cyber Attack


In the Crossfire image

Credit: McAfee Inc.

The staggering cost and impact of cyber attacks on critical infrastructure such as electrical grids, oil and gas production, telecommunications and transportation networks are revealed in a report released Thursday (January 28) by McAfee Inc. A survey of 600 IT security executives from critical infrastructure enterprises worldwide shows that 54 percent have already suffered large-scale attacks or stealthy infiltrations from organized crime gangs, terrorists or nation-states. The average estimated cost of downtime associated with a major incident is $6.3 million per day.

The report, "In the Crossfire: Critical Infrastructure in the Age of Cyberwar," commissioned by McAfee and authored by the Center for Strategic and International Studies (CSIS), also found that the risk of cyber attack is rising. Despite a growing body of legislation and regulation, 37 percent of IT executives say the vulnerability of their sector has increased over the past 12 months, and two-fifths expect a major security incident in their sector within the next year. Only 20 percent think their sector is safe from serious cyberattack over the next five years.

Many of the world's critical infrastructures were built for reliability and availability, not for security. Traditionally, these organizations have had little to no cyber protection, and have relied on guards, gates and guns. Today, however, computer networks are interconnected with corporate IT networks and other infrastructure networks, which are accessible from anywhere in the world.

"In today's economic climate, it is imperative that organizations prepare for the instability that cyber attacks on critical infrastructure can cause," says Dave DeWalt, president and chief executive officer of McAfee. "From public transportation, to energy to telecommunications, these are the systems we depend on every day. An attack on any of these industries could cause widespread economic disruptions, environmental disasters, loss of property and even loss of life."

"The recently identified Operation Aurora was the largest and most sophisticated cyber attack targeted at specific corporations, but it could have just as easily targeted the world's critical infrastructure," says DeWalt. "The attack announced by Google and identified by McAfee was the most sophisticated threat seen in years making it a watershed moment in cyber security because of the targeted and coordinated nature of the attack."

Other key report findings:

  • Low confidence in preparedness: More than a third of those surveyed believe their sector is unprepared to deal with major attacks or stealthy infiltrations by high-level adversaries. Saudi Arabia, India and Mexico emerge as the least confident.
  • Recession-driven cuts raising the risk: Two thirds of IT executives surveyed claim that the current economic climate has caused cutbacks in the security resources available; one in four say resources had been reduced by 15 percent or more. Cuts are particularly evident in the energy and oil/gas sector.
  • Government involvement in cyberattacks: 60 percent of those surveyed believe representatives of foreign governments have been involved in past infrastructure infiltrations. In terms of countries that pose the biggest threat to critical infrastructure security, the United States (36 percent) and China (33 percent) top the list.
  • Laws ineffective in protecting against potential attacks: Fifty-five percent believe that the laws in their country are inadequate in deterring potential cyber attacks, with those based in Russia, Mexico and Brazil the most sceptical; 45 percent don't believe that the authorities are capable of preventing or deterring attacks.
  • Insurance firms bearing brunt of cyber attack costs: More than half of those surveyed expect insurance to pick up the cost of a cyber attack while nearly one in five say it would fall on rate-payers or customers. Just over a quarter expect a government bail-out.

"Governance issues are at the center of any discussion of security for critical infrastructure," says Stewart Baker, distinguished visiting fellow at CSIS and a lawyer at Steptoe and Johnson. "The relationships between the governments and private sector organizations involved are complex but it is essential that each have faith in the others' ability. The security industry will always strive to stay one step ahead, but in the absence of any technological silver bullet, regulation has a role to play in defending critical infrastructures around the world."

The McAfee "In the Crossfire: Critical Infrastructure in the Age of Cyberwar" report is available for download at newsroom.mcafee.com.


 
