Critical Infrastructure Challenges
Critical infrastructures (CI) are essential for managing the services and organizations we rely on. Their ability to function securely and without failure is imperative to the well-being of society at large. For cybercriminals, on the other hand, CI is often viewed as a prime target because of its broad reach and interconnectedness.
Despite the growing risks from an increasingly dangerous cyber threat landscape, many of today’s IT professionals in CI organizations believe they are more equipped than ever to face cybersecurity challenges.
A new report by Intel Security and The Aspen Institute, titled Holding the Line Against Cyber Threats: Critical Infrastructure Readiness Report, supports this premise, while at the same time suggesting a disconnect between CI providers and the current threat landscape. It seems these executives are overconfident or have misplaced faith in their organizations’ ability to respond effectively to an attack.
The report surveyed executives from CI organizations in the U.S., UK, France and Germany and found that executives within these organizations believe that new public-private partnerships that facilitate cyber threat intelligence sharing will be critical to combatting cyber threats in the future. Additional findings from the report include:
- Perceived improvements: Respondents indicated their own vulnerability to cyberattacks has decreased over the last three years, with only 27% feeling “very or extremely vulnerable” — compared to 50% three years ago.
- Government involvement encouraged: 86% believe that cooperation between the public and private sectors on infrastructure protection is critical to successful cyber defence. Furthermore, 68% of respondents believe their own government can be a valuable and respectful partner in cybersecurity.
- Confidence in current solutions: 64% believe an attack resulting in fatalities has not happened yet because good IT security is already in place. Correspondingly, more than four in five are “satisfied or extremely satisfied” with the performance of their own security tools such as endpoint protection (84%), network firewalls (84%), and secure web gateways (85%).
- Disruptions increasing: CI providers are generally pleased with the results of their efforts to improve cybersecurity over the last three years, but at the same time many (70%) are convinced that the threat level of attacks is escalating. A clear majority (89%) of respondents experienced at least one attack on a system within their organization, which they deemed secure, over the past three years, with a median of close to 20 attacks per year. 59% indicated that at least one of these attacks resulted in physical damage.
- Loss of life: 48% of respondents believe it is likely that a cyberattack within the next three years will take down CI with potential loss of life, although there were no additional survey questions to determine the circumstances under which respondents believed the loss of life could occur.
- User error still the #1 issue: Respondents believe user error is the greatest cause of successful attacks on CI. According to the report, user errors from lack of awareness, use of unofficial online services, and use of social media websites at work were most often ranked as the top three causes. Organizations may strengthen their security postures, but individual employees can still fall victim to phishing emails, social engineering and drive-by browser downloads that successfully infect their organizations’ networks. As testament to this, according to a recent phishing quiz survey from Intel Security, Canada ranked 26th of the 144 countries that were surveyed in its ability to successfully detect phishing emails.
- Government response: 76% of respondents indicated they believe a national defence force should respond when a cyberattack damages a CI company within national borders.
- Different country perspectives: Significantly more U.S. respondents than European respondents believe that a catastrophic cyberattack on CI, one that could result in loss of life, is likely. While 18% of U.S. sources consider this scenario “extremely likely” to occur in the next three years, only 2% in Germany and 3% in the UK think it “extremely likely.”
“This data raises new and vital questions about how public and private interests can best join forces to mitigate and defend against cyberattacks,” says Clark Kent Ervin, Director, Homeland Security Program at the Aspen Institute. “This issue must be addressed by policymakers and corporate leaders alike.”
While Canadian companies were not included in this survey, the cyber threat risks to Canada’s CI organizations are similar. Regardless of which region an organization is located in, an attack can happen anywhere. The reasons for attacks may include espionage, opportunistic data or physical theft, product alteration or sabotage. Similarly, the motives behind these attacks often remain the same: financial gain, data theft, or shutting down facilities.
Over the years, there has been an increase in both the volume and sophistication of attacks, in addition to the number of groups that are spearheading them. As found in the McAfee Labs Threats Report of February 2015, there are 387 new threats every minute, or more than 6 every second. With no sign that threat activity will be slowing down, it is important for CI providers to be prepared to defend against the security risks and potential attacks of today and in the future.
One of the biggest challenges for any organization is being able to defend against every possible attack vector out there. All it takes is one weak point for a motivated hacker to enter any network and begin wreaking havoc. This is why it is important to build a solid security foundation and not rely solely on IT-based security.
What can organizations do?
- Implement a robust security plan: This includes integrated and intelligent security elements such as endpoint protection, secure Web gateways, data loss prevention, network firewalls, advanced threat detection, intrusion prevention systems and security information event management.
- Re-evaluate and make necessary changes to security management: The aim is to promote greater information sharing and insight on targeted threat intelligence as part of a shared IT strategy.
- Foster cooperation between government and industry: Closer relationships are imperative to improving the future of the security landscape.
- Ensure continued user education: Cover cyber threats, basic user awareness and foundational security practices. Education is key to mitigating user error and the risks behind many threats, and is an area where everyone has an opportunity to contribute.
In addition to implementing a security architecture that links protect, detect and correct functions in a continuously updated cycle, collaborating and sharing information and best practices that span organizations is equally paramount to improving the security posture of CI. Minimizing CI risk is a global challenge, so we must all remain vigilant when it comes to securing and protecting the systems and services on which we are so dependent.
Doug Cooke is the Director of Sales Engineering at Intel Security Canada.
The survey, conducted by Vanson Bourne, interviewed 625 IT decision makers with influence over their organization’s security solutions in France, Germany, the UK and the United States (250 interviews in the U.S. and 125 in each of the UK, France and Germany).
© FrontLine Security 2015