Cyber Security Lacking for Critical Infrastructure Systems

Tuesday, April 19, 2011



A new study due to be released today titled "In the Dark: Crucial Industries Confront Cyberattacks" examines the state of information system security at companies that maintain critical infrastructure services.

The study was commissioned by McAfee and conducted by the Center for Strategic and International Studies (CSIS), and surveyed 200 security executives from 14 companies that focus on electricity, oil water, gas, and sewage services.

According to a report by CNet's Elinor Mills, the report is expected to conclude that the majority of companies do not put enough emphasis and resources behind information security efforts, and that the problem will continue to get more serious as these industries move on to adopt new technologies.

"The message is that our industrial control systems are very, very vulnerable to attack and the security we have installed today is insufficient to protect us. I'm concerned that (the industry) is not getting that message, despite having the evidence in front of us," said CSIS Fellow Stewart Baker.

The lack of preparation in regards to defending against a cyber attack is apparently not due to a lack of awareness on the part of company leadership of the potential threats, as the report notes that nearly half of the executives surveyed believe that a major cyber-based attack is imminent.

"More than 40 percent of the executives we interviewed expect a major cyberattack within 12 months--an attack, that is, that causes severe loss of services for at least 24 hours, a loss of life or personal injury, or the failure of a company," according to the report.

Last year's emergence of the Stuxnet virus has shifted a great deal of attention to the protection of Supervisory Control and Data Acquisition (SCADA) systems which are used to control production and critical infrastructure operations.

The Stuxnet virus attacks are thought to have caused severe damage to Iranian uranium enrichment facilities and reportedly set back the nation's nuclear program by as much as several years.

"Stuxnet changed the game in our awareness. Attacks are being developed directly for the capability of creating events on a physical infrastructure," Phyllis Schneck, vice president and chief technology officer for public sector at McAfee.

The McAfee/CSIS report basically echos findings released in a recent report by Q1 Labs and the Poneman Institute, titled "The State of IT Security: A Study of Utilities and Energy Companies", the majority of companies in the energy sector are not prepared to defend against threats to cyber security.

“One of the big surprises in this survey was that despite increasing cyber attacks on networks, the strategic importance of IT security among C-level executives hasn’t increased. It seems that the industry is very reactive in terms of IT security investment," said Tom Turner of Q1 Labs.

Again, translating information and network security issues into the language of the boardroom is the one of the biggest challenges security professionals face.

Possibly Related Articles:
SCADA McAfee Cyber Security Stuxnet Headlines report Infrastructure CSIS
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.