Hacking Gets Physical: Utilities At Risk For Cyber Attacks
Imagine this: Your city has been out of electricity for a full day because the power grid is being held ransom by an international group of hackers, demanding money before electricity will be restored. While this might sound like the plot of a dystopian novel, Dr. Larry Ponemon, founder of the Ponemon Institute, says this kind of attack on an electrical grid or water system could be in our future if critical infrastructure sectors don’t improve their security systems.
“The worst case scenario is a critical infrastructure attack, and these organizations are ill prepared to deal with it,” Ponemon says. While the media focuses on security breaches in the private sector—especially retail—the vulnerability of critical infrastructure such as energy and utility receives less attention. “With the increased convergence of cyber and physical worlds, attacks are no longer limited to office computers and networks,” says Steve Durbin, Managing Director of Information Security Forum. “They can now have physical impact in the real world.”
The most well-known example of a cyber attack on a physical infrastructure is the Stuxnet malware, which was allegedly built by the U.S. and Israeli governments and deployed on the computer systems of Iranian nuclear facilities beginning in 2008, disrupting a fifth of Iranian facilities and setting back Iran’s nuclear plans by as much as two years.
Today, a striking disparity exists between awareness of cybersecurity risks and the implementation of security protocols in critical infrastructure sectors, according to a report released Thursday by Ponemon Institute and Unisys. Titled “Critical Infrastructure: Security Preparedness and Maturity,” the report draws on responses from 599 IT security executives in 13 countries from the utility, oil and gas, alternative energy, and manufacturing sectors. According to the study, 67% of companies say they “have had at least one security compromise that led to the loss of confidential information or disruption to operations” in the past year. Additionally, 64% of companies say that they want to prevent or anticipate attacks, but only 28% say security is one of their company’s top five priorities. While 47% of security breaches occur because of negligent employees, only 6% of companies are training their employees on cybersecurity. Only 17% of respondents said their company had achieved a mature level of cyber security—defined by having most IT security programs deployed.
This problem is not unique or particularly surprising, and Unisys CISO Dave Frymier says the study provides empirical evidence to a security problem he already suspected existed. Most of us are willing to take risks when it comes to security, only regretting it when we become the victims of an attack. The international focus of this study reveals that critical infrastructure security is a global problem. The countries surveyed, including the United States, Brazil, and the UK, all had relatively similar answers, according to Frymier and Ponemon, despite differing levels of security in other sectors.