
Critical infrastructure security grim, study finds

By Marcia Savage, Features Editor, Information Security magazine
10 Nov 2008 | SearchSecurity.com


A recent study by Secure Computing Corp. paints a gloomy picture of cybersecurity readiness in critical infrastructure industries.


According to the study, which surveyed 199 security experts and industry representatives, most industries that make up the critical infrastructure are not prepared for cyberattacks. More than half of the respondents said that utilities, oil and gas, transportation, telecommunications, chemical, emergency services and postal/shipping sectors were not prepared.

Thirty-three percent of survey respondents identified the energy industry as the biggest target for a cyberattack. They also pointed to energy as the most vulnerable and the industry that would have the worst consequences if breached. The financial services industry was the only sector most survey participants considered prepared.

More than 50% of North American participants said cyberattacks on critical infrastructure have already begun, while 14% expect a major exploit to occur in the next year.

Earlier this year, a CIA senior analyst said at a SANS Institute conference that cyberattacks disrupted power equipment in several regions outside the U.S., including one that caused a multi-city power outage. The SANS Institute reported the disclosure in a Jan. 18 newsletter.

Audio download: Critical infrastructure security:
Securing the nation's critical infrastructure systems: Senior Technology Editor Neil Roiter interviews Brian Ahern, president and CEO of Industrial Defender, which specializes in the security of critical infrastructure systems. The nation's critical infrastructure providers have been called onto the carpet. Recently, a House subcommittee delivered a blistering appraisal of the deficiencies in power companies' security posture. Coming on the heels of a GAO report that Tennessee Valley Authority power plants are vulnerable to cyberattack, the congressional tongue-lashing raised questions about what power, oil and gas, chemical, water and transportation companies are doing to secure their systems. In this podcast, we ask Brian Ahern, president and CEO of Industrial Defender, which specializes in the security of critical infrastructure systems, about the state of security in these vital sectors and the special challenges these companies face.

Survey respondents cited cost and apathy as the top obstacles to improving cybersecurity in vital industries.

The study surveyed security and network operators in industries that make up the critical infrastructure, along with security experts in law enforcement and other fields. The research, released Monday, was conducted in August and September in the U.S., Canada and Europe.

The problems highlighted in the survey stem from the fact that the Supervisory Control and Data Acquisition (SCADA) systems used in industries, such as energy, evolved -- like the Internet -- with the focus on availability and speed rather than security, said Phyllis Schneck, vice president of research integration at San Jose-based Secure Computing. They also weren't intended to be remotely accessed, which introduces vulnerabilities, she said.

"As a community, we've come to look at cybersecurity as not just viruses or worms, but securing the communication fabric that protects the physical infrastructure we need to live and breathe," she said.

Addressing the problem will first require an understanding of how industrial control systems interface with IT systems and the Internet, Schneck said. Then, it will require understanding the impact of upgrading legacy control systems and something the industry is actively working on -- designing traditional IT systems so they can protect critical infrastructure.

Secure Computing, which McAfee Inc. is in the process of acquiring, recently announced the addition of three new signature file types for SCADA-specific protocols to its Secure Firewall. Other vendors offering security tailored for industrial control environments include Foxborough, Mass.-based Industrial Defender Inc., which specializes in SCADA systems security.


In September, the U.S. House Energy and Commerce Subcommittee on Energy and Air Quality held a hearing to discuss draft legislation to help secure the nation's electric grid from cyberthreats. Published reports indicate the legislation would broaden the authority of the Federal Energy Regulatory Commission (FERC).

"I believe America is disturbingly vulnerable to a cyberattack against the electric grid that could cause significant consequences to our nation's critical infrastructure," Rep. Jim Langevin (D-R.I.), chairman of the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, said in a prepared statement released in September. "Virtually every expert that I've discussed these matters with -- across government and throughout the private sector -- shares this assessment."

Legislators have criticized the energy industry's response to the Aurora hacking test conducted at the Idaho National Laboratories in 2007, which caused a generator to self-destruct. Despite a federal advisory to mitigate the vulnerability exploited in the test, a FERC audit of 30 utilities found that "the vast majority had not complied," according to Rep. John Dingell (D-Mich.), chairman of the Committee on Energy and Commerce.


