A recent study by Secure Computing Corp. paints a gloomy picture of cybersecurity readiness in critical infrastructure industries.
According to the study, which surveyed 199 security experts and industry representatives, most industries that make up the critical infrastructure are not prepared for cyberattacks. More than half of the respondents said that utilities, oil and gas, transportation, telecommunications, chemical, emergency services and postal/shipping sectors were not prepared.
Thirty-three percent of survey respondents identified the energy industry as the biggest target for a cyberattack. They also pointed to energy as the most vulnerable and the industry that would have the worst consequences if breached. The financial services industry was the only sector survey most participants considered prepared.
More than 50% of North American participants said cyberattacks on critical infrastructure have already begun, while 14% expect a major exploit to occur in the next year.
Earlier this year, a CIA senior analyst said at a SANS Institute conference that cyberattacks disrupted power equipment in several regions outside the U.S., including one that caused a multi-city power outage. The SANS Institute reported the disclosure in a Jan. 18 newsletter.
Audio download: Critical infrastructure security:
Survey respondents cited cost and apathy as the top obstacles to improving cybersecurity in vital industries.
The study surveyed security and network operators in industries that make up the critical infrastructure, along with security experts in law enforcement and other fields. The research, released Monday, was conducted in August and September in the U.S., Canada and Europe.
The problems highlighted in the survey stem from the fact that the Supervisory Control and Data Acquisition (SCADA) systems used in industries, such as energy, evolved -- like the Internet -- with the focus on availability and speed rather than security, said Phyllis Schneck, vice president of research integration at San Jose-based Secure Computing. They also weren't intended to be remotely accessed, which introduces vulnerabilities, she said.
"As a community, we've come to look at cybersecurity as not just viruses or worms, but securing the communication fabric that protects the physical infrastructure we need to live and breathe," she said.
Addressing the problem will first require an understanding of how industrial control systems interface with IT systems and the Internet, Schneck said. Then, it will require understanding the impact of upgrading legacy control systems and something the industry is actively working on -- designing traditional IT systems so they can protect critical infrastructure.
Secure Computing, which McAfee Inc. is in the process of acquiring, recently announced three new signature file types for SCADA-specific protocols into its Secure Firewall. Other vendors offering security tailored for industrial control environments include Foxborough, Mass.-based Industrial Defender Inc., which specializes in SCADA systems security.
In September, the U.S. House Energy and Commerce Subcommittee on Energy and Air Quality held a hearing to discuss draft legislation to help secure the nation's electric grid from cyberthreats. Published reports indicate the legislation would broaden the authority of the Federal Energy Regulatory Commission (FERC).
"I believe America is disturbingly vulnerable to a cyberattack against the electric grid that could cause significant consequences to our nation's critical infrastructure," Rep. Jim Langevin (D-R.I.), chairman of the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, said in a prepared statement released in September. "Virtually every expert that I've discussed these matters with -- across government and throughout the private sector -- shares this assessment."
Legislators have criticized the energy industry's response to the Aurora hacking test conducted at the Idaho National Laboratories in 2007, which caused a generator to self-destruct. Despite a federal advisory to mitigate the vulnerability exploited in the test, a FERC audit of 30 utilities found that "the vast majority had not complied," according to Rep. John Dingell (D-Mich.), chairman on the Committee on Energy and Commerce.