A Ponemon Institute report finds critical systems being taken offline by cyber-attacks, with security teams struggling to gain a clear picture of the IT systems they are trying to protect
Cyber-attacks on critical infrastructure are “relentless and continuous”, with successful attacks often taking systems offline, a new study has found.
The study by the Ponemon Institute, based on a survey of 701 security professionals in seven countries, including the UK, found that 90 percent of respondents said their systems had been affected by at least one successful attack in the past two years.
The study, commissioned by IT security firm Tenable, focused on companies in the utilities, energy, health and transport sectors using technology such as industrial control systems (ICS).
It found that the companies of more than half of respondents – 62 percent – had been hit by two or more attacks.
The study highlighted organisations’ difficulties in gaining a clear picture of the assets that needed to be protected, with the top concern cited being issues such as determining which systems are part of their IT environments.
Respondents also said inadequate staffing and a reliance on manual processes hampered their ability to head off threats, and said better communication with senior management was a key governance priority.
While organisations such as the National Cyber Security Centre (NCSC) have long warned of attacks on key infrastructure, the Ponemon study is a confirmation that the threat is “real, severe and ongoing”, Tenable said.
“The people who manage critical systems such as manufacturing plants and transportation almost unanimously state that they are fighting off cyberattacks on a regular basis,” said Tenable’s senior director of strategic initiatives, Eitan Goldstein.
He said organisations need better intelligence to determine where vulnerabilities exist and to prioritise which to focus on first.
“The converged IT/OT (operation technology) cyber problem is one that cybersecurity and critical infrastructure teams must face together,” he said.
The study quizzed professionals in the US, the UK, Germany, Australia, Mexico and Japan, and the pool of respondents was self-selecting, which in part accounts for the unexpectedly high rate of those reporting attacks, industry watchers said.
All the same, the figures are troubling, with half of organisations saying at least one cyber-attack had caused downtime over the two-year period, with 33 percent saying an attack had caused “significant downtime”.
Thirty-seven percent said “significant disruption” to business processes had been caused by malware, while 23 percent said they had been affected by nation-state attacks.
Paolo Emiliani, industry and SCADA research analyst at security firm Positive Technologies, noted that one vulnerable component can mean the compromise of an entire industrial network, which is why the study showed so many of the attacks resulting in downtime.
“Ultimately, the protection of critical infrastructure is a wholly different beast to traditional cyber security,” he said. “The stakes are far higher, and each component on the network has to be weighed up against the risks of exploitation.
“The desire to add smart devices, sensors and IoT to networks is understandable, but ultimately organisations have to acknowledge that hackers are out there and will try to undermine these devices to break in.”
Sylvain Gil, vice-president of products and co-founder of Exabeam, said in many cases industrial systems are ten to twenty years old and were not designed to fend off attacks from the global network.
“There is not necessarily a practical way to upgrade them due the criticality of their availability,” Gil said.
“We need more insight into the behaviours of these systems. They are rudimentary and were never thought to be vulnerable to people outside the operating facility – but they certainly are.”
Tony Atkins, regional director at Nozomi Networks, said the adoption of the NIS Directive – which became law in the UK last May – should help improve reporting of attacks on critical infrastructure, while the use of AI-based tools in areas such as intelligence-gathering may help address staffing issues.