The systems that run power plants, manage the distribution of hazardous chemicals and help monitor water treatment plants are in a dire need of stronger safeguards, according to a survey of more than 600 IT and security executives who work for many of the companies that run them.
Critical infrastructure facilities in the United States and other developed countries are connected to the Internet and their underlying management systems are threatened by a constant barrage of cyberattacks, according to a new report "In the Crossfire: Critical Infrastructure in the Age of Cyber War."
The report sums up the findings of a global survey of IT and security executives at more than 600 enterprises that own and operate critical infrastructure. It was released today by the Center for Strategic and International Studies (CSIS). The study was funded by security vendor McAfee Inc. and was released at the World Economic Forum in Davos, Switzerland.
The survey found that SCADA systems, the critical network and control systems that run dams, power plants, gas and oil refineries and other facilities are being attacked by a variety of methods, individuals and criminal gangs with various interests. Two-thirds of those surveyed (76%) said their SCADA systems were connected to an IP network or the Internet. About half of those said the connection created SCADA system security issues that aren't being addressed.
The kinds of attacks facing critical infrastructure facilities mirror those targeting government agencies and government contractors. It also reflects the wide variety of ongoing attacks targeting the private sector. The issues were highlighted recently in attacks that targeted employees at Google Inc., Adobe Systems Inc. and dozens of other firms exploiting a flaw in Microsoft Internet Explorer 6.
"I would describe the preparedness as quite spotty and in some cases quite lacking," said Stewart Baker, a former senior official at the Department of Homeland Security and the National Security Agency who led the CSIS survey team. "Basic key security measures are still not widely adopted."
At a press conference Thursday, Baker, a distinguished visiting fellow at CSIS, said the findings suggest the problem is getting worse. About 40% of those surveyed expected a major incident -- an attack resulting in major consequences -- within a year, and 80% said they expected a major incident within 5 years.
The types of attacks vary in sophistication. Nearly 90% of the IT executives surveyed by CSIS for the report said attacks using malware were the most frequent, but 70% reported a wide variety of other attacks, including low-level denial-of-service (DoS) attacks, phishing and pharming attacks, and data leakage caused by employees. About 57% of those surveyed said their organization had experienced DNS poisoning attacks, in which Web traffic is redirected and about half said they experienced one of the most common attacks – SQL injection, in which an attacker attempts to gain access to back end systems via the company's website.
"This is troubling but not very surprising," Adam Rice, chief security officer at India's largest telecommunications company and ISP, Tata Communications Ltd., said of the survey results. "Everyone's always shocked by the latest attack and we're always reacting to the latest known threat."
Large-scale DoS attacks, designed to shut down operations by taking out email, telephone systems and other systems that rely on network connectivity, were less frequent, but still posed a significant threat. About 29% of those surveyed said their facilities face multiple large-scale DDoS attacks each month. Two-thirds of those attacks had an impact on operations. The oil and gas sector had the highest number of incidents with one-third reporting multiple attacks a month.
"This represents a significant drag on the digital economy," Stewart said.
The financial costs associated with downtime are also mounting, according to the survey. The reported costs associated with major attacks exceed $6 million per day, but in some sectors such as oil and gas it can surpass $8 million per day.
In addition to foreign governments and corporate espionage, many operators of power plants and other critical facilities must defend against individual hackers attempting to create mischief and financially motivated organized cybercriminal gangs.
The report suggests that more cooperation between the private sector and government agencies responsible for cybersecurity could help clamp down on some of the holes. Tata Communications' Rice said his firm is willing to work more closely with the government (the company owns five U.S.-based entities, Rice said), but ongoing cybersecurity meetings with the FBI and the Department of Homeland Security fail to result in any progress. Rice said that most actionable data is classified by the federal government and unavailable.
"We have meetings and we all smile at each other, but I don't take anything away from those meetings that are useful for me to protect our infrastructure," Rice said. "We have a lot of intel that we can pick up off of our networks and we would be happy to share it with anybody who asks for it through the right channels, but in exchange we would also like to get tangible threat information on where we can take our limited resources and apply it more effectively to get in front of these threats."
Information sharing is critical to improving security, said Asha Mathew, senior council for the Senate Committee on Homeland Security and Governmental Affairs. Mathew said legislators are considering a more proactive regulatory approach with facilities in which a successful attack could be catastrophic, such as a dam or hazardous chemical refinery. There has been an ongoing discussion around creating a regulatory framework to detect and monitor whether vulnerabilities are being addressed in a timely manner.
"We know that 85% of our critical infrastructure is privately owned and without working in partnership with the private sector, it would be very difficult for the federal government to achieve very much of anything," Mathew said.