Critical infrastructure networks around the world are subject to repeated cyberattacks from foreign governments and other high-level adversaries that can be damaging and costly, according to a report McAfee released Thursday.
Attacks that lead to down time can cost more than $6 million per day, and more than $8 million at oil and gas companies, the report, "In the Crossfire--Critical Infrastructure in the Age of Cyberwar," found.
Meanwhile, respondents said they worry about attacks on critical infrastructure in their countries coming from the U.S. and China more than any other potential aggressors.
For the report, which was commissioned by security firm McAfee and researched and written by the Center for Strategic and International Studies, 600 IT and security executives from critical infrastructure enterprises in 14 countries were surveyed last September. The survey was not designed to be a statistically valid opinion poll, but serves as a "rough measure of executive opinion, a snapshot of the views of a significant group of decision makers."
Attacks range from distributed denial-of-service (DDOS) attacks designed to shut down systems and stealth network intrusions to extortion and theft of service, according to the survey. The most widely reported form of attack was infection with a virus or malware, which nearly 90 percent of respondents said their company experienced.
More than half of the executives surveyed said they had experienced large-scale DDOS attacks by organized crime, terrorists, or nation-state actors. The same proportion said their companies had been targeted with stealthy infiltration attacks, and nearly 60 percent said they believed foreign governments are behind attacks on critical infrastructure in their countries.
"There are absolutely foreign entities that would definitely conduct [cyber] reconnaissance of our power infrastructure," Michael Assante, chief security officer of the North American Electric Reliability Corp., is quoted as saying in the report. "They would be looking to learn, preposition themselves to get a foothold and try to maintain sustained access to computer networks."
Executives say that not only are they in general not prepared to deal with cyberattacks, but that they foresee more attacks, and major ones, in the not so distant future.
More than a third of the respondents think the cyberthreat is growing and two-fifths of IT executives expect a major cybersecurity incident to hit their sector within the next year, while a third of the respondents said operators in their area are not prepared for an attack by high-level adversaries.
The reports on security practices were interesting given that many executives said they didn't feel prepared for cyberattacks. Only 57 percent said their organization installed security patches and updated software on a regular schedule. And only one-third said they had policies to restrict or ban the use of USB sticks or other removable media that can be used to spread viruses and other malware and steal sensitive data.
Those findings back up conclusions of a recent Deloitte study that found that many organizations are not adequately prepared to deal with cyberattacks, and that they neglect basic security precautions like patching vulnerable software.
Firms running SCADA (Supervisory Control and Data Acquisition) or Industrial Control Systems for monitoring and controlling critical infrastructure face a particular conundrum with regard to security. Connecting the systems to IP networks like the Internet can improve efficiency, but it exposes what used to be private and secured systems to attack, experts say.
Of those responsible for using industrial control systems, 80 percent said the systems were connected to the Internet or some other IP network and more than half with systems connected that way said that created an "unresolved security issue."
Best and worst countries
Reports of cybersecurity adoption and victimization rates varied widely from country to country. Executives in China reported by far the highest rates of adoption of security measures, including encryption and strong user authentication, followed by the U.S., Australia, and the U.K. The lowest security adoption rates were found in Italy, Spain, and India.
However, China's overall security record is not noticeably better than that of countries that aren't as diligent about securing their critical infrastructure, according to the report.
"Chinese executives report a uniquely close level of cooperation with government, as well as high levels of regulation by, and confidence in government," the report said.
Although executives in India reported the highest levels of government regulation, China and Germany were close behind, while the U.S. respondents reported the lowest regulation levels. Most respondents said that regulation leads to improved security.
India, France, Spain, and Brazil were reported to have high victimization rates. Extortion was most common in India, Saudi Arabia/Middle East, China, and France and rare in the U.K. and U.S.
About 90 percent of respondents from Saudi Arabia said their sector was unprepared, while the most confident executives were from Germany, the U.K., U.S., and Australia.
A majority of executives believe that foreign governments are involved in network attacks against their country's critical infrastructure, and listed the United States and China as the most worrisome potential aggressors, followed by Russia in a distant third position.
"IT and security executives across the world show great ambivalence toward the United States," the report said. "It is the nation most often cited as a model in dealing with cybersecurity. At the same time, executives from many nations, including many U.S. allies, rank the United States as the country 'of greatest concern' in the context of foreign cyberattacks, just ahead of China."
The report comes at an interesting time for executives and officials in the U.S. who are trying to figure out how to respond to recent attacks on Google and more than 30 other companies that Google says originated in China. As a result of the attack, which led to theft of unidentified intellectual property at Google, and separate attacks on Gmail users who are human rights activists, the search giant is threatening to stop censoring search results there and even exit the country if the Chinese government balks. Chinese officials have denied any involvement.
About "85 percent the critical infrastructure worldwide is run by commercial enterprises," said Phyllis Schneck, a vice president of threat intelligence for McAfee in the Americas and contributor to the report, in an interview. "This global event that surrounds the initial cyberattack we heard about from Google is a warning to how vulnerable our cybernetworks are."
The Christian Science Monitor also disclosed this week that three U.S. oil firms were targeted in attacks in 2008, including one that involved a computer in China. But the publication did not directly say that China was behind the attacks.
Tracing attacks back to their origin is extremely difficult if not impossible, the McAfee report says. This allows for plausible deniability for any entities fingered in attacks.
The report explores the role the government and regulation have on security. Many governments sponsor cybersecurity cooperation among critical infrastructure operators, participation in such initiatives is generally low, the report concluded.