Some 40pc of IT security executives in charge of critical electricity infrastructure around the world, such as power grids, oil, gas and water, expect a major cyber attack within the next year.
The survey of 200 IT security executives in 14 countries by McAfee and the Centre for Strategic and International Studies (CSIS) found that 40pc of them believe their industry’s vulnerability has increased and 30pc believe their company was not prepared for a cyber attack.
“We found that the adoption of security measures in important civilian industries badly trailed the increase in threats over the last year,” said Stewart Baker, who led the study for CSIS. Industry executives made modest progress over the past year in securing their networks, as the energy sector increased its adoption of security technologies by only a single percentage point (51pc), and oil and gas industries increased only by three percentage points (48pc).
“Ninety to 95pc of the people working on the smart grid are not concerned about security and only see it as a last box they have to check,” said Jim Woolsey, former United States director of Central Intelligence.
In the shadow of Stuxnet
The study reveals that while the threat level to these infrastructures has accelerated, the response level has not, even after the majority of respondents frequently found malware designed to sabotage their systems (nearly 70pc), and nearly half of respondents in the electric industry sector reported that they found Stuxnet on their systems.
This threat to infrastructures also includes electrical smart grids, which are growing in adoption and expected to have exceeded US$45bn in global spending in 2015.
“What we are learning is the smart grid is not so smart,” said Dr Phyllis Schneck, vice-president and chief technology officer for public sector, McAfee.
“In the past year, we’ve seen arguably one of the most sophisticated forms of malware in Stuxnet, which was specifically designed to sabotage IT systems of critical infrastructures. The fact is that most critical infrastructure systems are not designed with cyber security in mind, and organisations need to implement stronger network controls, to avoid being vulnerable to cyber attacks.”
Eighty per cent of respondents have faced a large-scale denial of service attack (DDoS), and a quarter reported daily or weekly DDoS attacks and/or were victims of extortion through network attacks.
One in four survey respondents have been victims of extortion through cyber attacks or threatened cyber attacks.
The number of companies subject to extortion increased by 25pc in the past year, and extortion cases were equally distributed among the different sectors of critical infrastructure.
The countries of India and Mexico have a high rate of extortion attempts; 60-80pc of executives surveyed in these countries reported extortion attempts.