Cyber-Threats Could Engulf National Infrastructures

Cyber-attacks are increasing but national infrastructures are ill-prepared to defend themselves. Urgent action, not endless planning, is required, argues Eric Doyle.

Threats to major companies and national utilities have increased over the past year as cyber threats escalate into cyber wars.

A joint report by McAfee and the Center for Strategic and International Studies (CSIS) highlights the growing concerns in companies controlling critical national infrastructure. Following a similar report issued a year ago, the In the Dark: Critical Industries Confront Cyberattacks report shows that things are rapidly getting worse.

Extortion, DDoS And Stuxnet

In 2009, just over half of all the companies interviewed reported suffering large-scale distributed denial of service (DDoS) attacks but last year, the study shows, this had increased to over 80 percent. A quarter of the respondents also admitted that they had been targets of extortion attempts.

The survey, conducted by Vanson Bourne, covers responses from 200 IT security executives managing critical infrastructures in 14 countries, including the UK. Among the report's other major findings, 40 percent believed their vulnerability had increased and 30 percent felt that they were unprepared for a cyber-attack.

This is worrying during a time when “smart grid” infrastructures are being rolled out, especially in the light of 40 percent of the security managers saying that they expected a major attack during 2011.

Although DDoS attacks are a major fear, recent attacks have been spearheaded by socially engineered phishing exploits. By targeting minor employees within companies, the attackers are playing psychological tricks to fool them into downloading backdoors onto company systems.

These employees are more concerned about putting in their hours and keeping up with deadlines than they are about adhering to security policies. The “spear phishing” attackers single out these corporate weak links rather than casting a wider net which may attract unwanted attention.

Cyber-Sabotage Attempts Are Rife

The report refers to loosely-organised, cyber-terrorist groups and “hacktivists” as a major concern but notes that government-sponsored initiatives are beginning to become apparent.

These cyber-war incidents were spotlighted by the Stuxnet attack on Iran’s nuclear industry but there have been numerous reports over the last nine years of Chinese attempts to infiltrate or destabilise western government and business systems.

Almost 70 percent of the companies surveyed by Vanson Bourne claimed that they frequently found malware designed to sabotage their systems, and 46 percent of the electricity supply companies reported finding Stuxnet on their systems.

It is companies that depend heavily on industrial supervisory control and data acquisition (SCADA) systems that feel most threatened because these attacks can bring national infrastructures to a halt.

There was a massive power outage in New York State, Ohio and Western Canada in 2003 which was basically caused by a software bug. Similarly in 2006, a large area of Europe, from Germany down to Croatia and as far west as Spain, was blacked out when a line across a river was switched off to allow a ship to pass safely. These were not cyber-terrorist attacks but demonstrate the scale of disaster that could be triggered.

“In the past year, we’ve seen arguably one of the most sophisticated forms of malware in Stuxnet, which was specifically designed to sabotage IT systems of critical infrastructures,” commented Dr Phyllis Schneck, vice president and chief technology officer for the public sector at McAfee. “The fact is that most critical infrastructure systems are not designed with cyber-security in mind and organisations need to implement stronger network controls to avoid being vulnerable to cyber-attacks.”

All Talk And Too Little Action

The McAfee and CSIS report is highly critical of the UK and US governments’ attempts at cyber-securing their domains. Despite much bluster, action is slow and actually falls behind countries like Japan and China which have regular security audits of the public and private sectors – something that rarely, if ever, happens in the UK and the US.

The study should be recommended reading for the government’s IT mandarins and advisors. The threats are becoming more frequent and their means more subtle. Rather than white papers, parliamentary bills and promises, rapid action would be the better course to avoid seeing severely compromised systems or, at worst, national disasters.