Symantec has released their latest report on the state of critical infrastructure network security, an index of participation in government-supported security efforts by private-sector companies engaged in administering systems that govern assets considered essential to national security.
The report, titled 2011 Critical Infrastructure Protection (CIP) Survey, shows that participation in government CIP programs this year has declined to 37% compared to 56% last year, a decrease that comes in spite of an overall increase in the number and seriousness of threats to industrial control systems.
“The findings of this survey are somewhat alarming, given recent attacks like Nitro and Duqu that have targeted critical infrastructure providers,” said Dean Turner, director, Global Intelligence Network for Symantec.
Lack of funding and expertise are the primary factors identified in the report as leading to the dramatic decline in CIP participation, according to the authors.
“Having said that, limitations on manpower and resources as mentioned by respondents help explain why critical infrastructure providers have had to prioritize and focus their efforts on more day-to-day cyber threats. However, we think that targeted attacks against critical infrastructure providers in the form of Stuxnet, Nitro and Duqu will continue,” Turner continued.
- Lower awareness and engagement in government CIP programs. This year, companies are generally less aware of their government’s CIP programs. Thirty-six percent of respondents were somewhat or completely aware of the government critical infrastructure plans being discussed in their country compared to 55 percent last year. In 2011, 37 percent of companies are completely or significantly engaged, versus 56 percent in 2010.
- Slightly more ambivalence about government CIP programs. The survey also revealed that companies are more ambivalent in 2011 than they were in 2010 about government CIP programs. For example, when asked to voice their opinion about government CIP programs, 42 percent had no opinion or were neutral. Also, companies are now slightly less willing to cooperate with CIP programs than they were one year ago (57 versus 66 percent).
- Global organizations feel less prepared. It is not surprising that as an organization’s assessment of the threat drops, its readiness drops as well. Overall readiness on a global scale fell an average of eight points (60 to 63 percent in 2011, compared with 68 to 70 percent in 2010).
Recommendations to ensure resiliency against critical infrastructure cyber attacks:
- Develop and enforce IT policies and automate compliance processes. By prioritizing risks and defining policies that span across all locations, organizations can enforce policies through built-in automation and workflow and not only identify threats but remediate incidents as they occur or anticipate them before they happen.
- Protect information proactively by taking an information-centric approach to protect both information and interactions. Taking a content-aware approach to protecting information is key in knowing who owns the information, where sensitive information resides, who has access, and how it is coming in or leaving your organization.
- Manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.
- Protect the infrastructure by securing endpoints, messaging and Web environments. In addition, defending critical internal servers and implementing the ability to back up and recover data should be priorities. Organizations also need the visibility and security intelligence to respond to threats rapidly.
- Ensure 24x7 availability. Organizations should implement testing methods that are non-disruptive and they can reduce complexity by automating failover. Virtual environments should be treated the same as a physical environment, showing the need for organizations to adopt more cross-platform and cross-environment tools, or standardize on fewer platforms.
- Develop an information management strategy that includes an information retention plan and policies. Organizations need to stop using backup for archiving and legal holds, implement deduplication everywhere to free resources, use a full-featured archive system and deploy data loss prevention technologies.
“Businesses and governments around the world should be very aggressive in their efforts to promote and coordinate protection of critical industry cyber networks. These latest attacks are likely just the beginning of more targeted attacks directed at critical infrastructure,” Turner said.