Cyber attacks on critical infrastructure companies are on the rise, with a jump in extortion attempts and malware designed to sabotage systems, like Stuxnet, according to a new report.
While attacks are increasing, many companies aren't doing enough to protect their systems and are instead rushing to adopt new technologies--such as Smart Grid--without ensuring they are adequately secured against cyber attacks, concludes "In the Dark: Crucial Industries Confront Cyberattacks."
The report, due to be released on Tuesday, was commissioned by McAfee and written by the Center for Strategic and International Studies (CSIS). It includes results from an electronic survey of 200 IT security executives from firms that provide oil, gas, electricity, water, and sewage services in 14 countries during the last quarter of 2010.
Security at power companies has been a concern for decades, but the issue rose to prominence with the emergence last year of the Stuxnet malware, which exploits holes in Windows systems and targets a specific Siemens SCADA (supervisory control and data acquisition) program with sabotage. After dissecting the malware, they believe it was written to target nuclear facilities in Iran.
"Stuxnet changed the game in our awareness," Phyllis Schneck, vice president and chief technology officer for public sector at McAfee, said in an interview. "Attacks are being developed directly for the capability of creating events on a physical infrastructure."
About 70 percent of the survey respondents said they frequently found malware designed to sabotage their systems during 2010, and nearly half of those in the electric industry said they found Stuxnet on their systems. It was unknown if any of the systems were impacted as a result of Stuxnet, but close to 60 percent said their firms had launched special security audits because of the malware.
The threat from sabotage includes electrical smart grids, which are being quickly adopted without adequate security measures in place, according to the U.S. Government Accountability Office and independent security experts. Fifty-six percent of the respondents whose companies are planning new smart grid systems also plan to connect to the consumer over the Internet. But only two-thirds have adopted special security measures for the smart grid controls, the report said.
"We could end up with a grid connected to people's homes that is not properly secured from a cyber attack," said Schneck. "If that system could be turned against itself, that is a disaster waiting to happen."
Another trend happening with critical infrastructure companies is extortion. One in four survey respondents said they had been victims of extortion through cyber attacks or threats of attack, with the number of companies subject to extortion increasing by 25 percent over last year. India and Mexico had particularly high rates of extortion attempts, the report found.
"That could be an attempt to crash the network or it could be a denial-of-service attack," or threats to collapse the power grid, said Stewart Baker, a fellow at the CSIS.
Modest security improvements
In general, the report showed increasing levels of attacks and concern about attacks, but modest improvement in security. About 40 percent of the respondents said they believed that their industry's vulnerability had increased and nearly 30 percent said they did not think their company was prepared for a cyber attack.
"More than 40 percent of the executives we interviewed expect a major cyberattack within 12 months--an attack, that is, that causes severe loss of services for at least 24 hours, a loss of life or personal injury, or the failure of a company," the report said. That worry was most intense among executives from India, Mexico, and China.
Things have changed significantly from even one year ago. In 2009, nearly half of the respondents said they had never faced network intrusions or large-scale denial-of-service (DoS) attacks. Now, about 80 percent of respondents said their firms had been targeted by at least one big DoS attack and 85 percent had seen network intrusions. One-quarter reported daily or weekly DoS attacks and one-quarter said they had been victims of extortion through network attacks or the threat of such attacks.
Despite the increase in threats and the executives' concerns about them, companies aren't beefing up their security much. Energy firms, for instance, increased their adoption of security technologies by only a single percentage point, to 51 percent, and oil and gas companies by three percentage points, to 48 percent. Brazil, France, and Mexico are lagging in their security responses, adopting only half as many security measures as the leaders in security--China, Italy, and Japan, according to the report.
China and Japan, which both report high levels of formal and informal interaction with their government on security topics, are among the countries with the highest confidence levels that laws will prevent or deter attacks in their countries. Meanwhile, respondents in the U.S., Spain, and U.K. reported little to no contact with their government on security. While all of the Japanese respondents' firms had been audited by their government for security, only 6 percent of those in the U.K. had been.
Companies seem to have a relatively high degree of mistrust for foreign countries. About 60 percent blame nation states and other governments for being behind attacks. The United States was named as the country of most concern for 2009, followed by China, the country called out in the attacks on Google. China took the top spot last year, according to the survey, which was conducted before reports began surfacing late last year that linked the U.S. to Stuxnet.
Speculation that the U.S. was behind Stuxnet, with some help from Israel, is backed by reports in The New York Times, including one that says Siemens gave U.S. researchers the opportunity to identify holes in its software.
Summing up the report's conclusions, Baker of the CSIS said he was worried that the people tasked with making sure we have gas, water, and electricity in our homes and offices aren't doing enough to protect that critical infrastructure.
"The message is that our industrial control systems are very, very vulnerable to attack and the security we have installed today is insufficient to protect us," he said. "I'm concerned that (the industry) is not getting that message, despite having the evidence in front of us."