McAfee, Inc. today revealed the staggering cost and impact of cyberattacks on critical infrastructure such as electrical grids, oil and gas production, telecommunications and transportation networks.
A survey of 600 IT security executives from critical infrastructure enterprises worldwide showed that more than half (54 per cent) have already suffered large-scale attacks or stealthy infiltrations from organised crime gangs, terrorists or nation-states. The average estimated cost of downtime associated with a major incident is $6.3 million per day.
The report “In the Crossfire: Critical Infrastructure in the Age of Cyberwar”, commissioned by McAfee and authored by the Center for Strategic and International Studies (CSIS), also found that the risk of cyber attack is rising. Despite a growing body of legislation and regulation, about 64 per cent of the Indian respondents believe that the current law in their country is inadequate against tackling cyber attackers.
India – richest hunting ground for hackers
India, Spain and Italy reported lowest security adoption rates – all under 40 per cent. Worldwide, only 20 per cent think their sect or is safe from serious cyberattack over the next five years.
McAfee global threat intelligence data suggests that India has recently replaced China (and Russia and Romania) as the richest hunting ground for hackers bent on recruiting infected computers for botnets, another possible result of the disparity between the two countries’ security adoption rates.
Many of the world’s critical infrastructures were built for reliability and availability, not for security. Traditionally, these organisations have had little to no cyber protection, and have relied on guards, gates and guns. Today however, computer networks are interconnected with corporate IT networks and other infrastructure networks, which are accessible from anywhere in the world.
“In today’s economic climate, it is imperative that organisations prepare for the instability that cyber attacks on critical infrastructure can cause,” said Dave DeWalt, president and chief executive officer of McAfee. “From public transportation, to energy to telecommunications, these are the systems we depend on every day. An attack on any of these industries could cause widespread economic disruptions, environmental disasters, loss of property and even loss of life.
“The recently identified Operation Aurora was the largest and most sophisticated cyberattack targeted at specific corporations, but it could have just as easily targeted the world’s critical infrastructure,” continued DeWalt. “The attack announced by Google and identified by McAfee was the most sophisticated threat seen in years making it a watershed moment in cybersecurity because of the targeted and coordinated nature of the attack.”
Key findings from McAfee’s Critical Infrastructure Protection report:
– Low confidence in preparedness: Over a third of those surveyed believe their sector is unprepared to deal with major attacks or stealthy infiltrations by high-level adversaries. Saudi Arabia, India and Mexico emerge as the least confident.
– Recession-driven cuts raising the risk: Two thirds of IT executives surveyed claimed that the current economic climate has caused cutbacks in the security resources available; one in four said resources had been reduced by 15 per cent or more. Cuts are particularly evident in the energy and oil/gas sector. Cuts were most widespread in India, Spain, France and Mexico; and least widespread in Australia
– Government involvement in cyberattacks: 60 per cent of those surveyed believe representatives of foreign governments have been involved in past infrastructure infiltrations. In terms of countries that posed the biggest threat to critical infrastructure security, the United States (36 per cent) and China (33 per cent) topped the list. In India, about 60 per cent of the respondents believe involvement of foreign governments in cyber attacks against critical infrastructure in the country.
– Laws ineffective in protecting against potential attacks: More than half (55 per cent) believe that the laws in their country are inadequate in deterring potential cyberattacks with those based in Russia, Mexico and Brazil the most sceptical; 45 per cent don’t believe that the authorities are capable of preventing or deterring attacks.
Ninety seven per cent of the executives in India reported that their cybersecurity was subject to law or regulation, while China was the second most regulated country, tied with Germany at 92 percent. However, in China, 91 per cent of those regulated said they had changed company procedures as a result, whereas in India, only 66 per cent said they had made changes. 64 per cent of the Indian respondents believe that the current law in their country is inadequate against tackling cyberattackers.
– Insurance firms bearing brunt of cyberattack costs: More than half of those surveyed expected insurance to pick up the cost of a cyberattack while nearly one in five said it would fall on ratepayers or customers. Just over a quarter expected a government bailout.
– Countries report large-scale DDOS attacks: Nearly 80% of the respondents in India reported large-scale DDOS attacks. Nearly two-thirds of the respondents experiencing large-scale DDOS attacks reported that these had affected their operations in some way. They affected email connectivity, Internet-based telephone sys-tems, and other operationally significant functions.
– Extortion most common in India: One-in-five critical infrastructure entities reported being the victim of extortion through cyberattack or threatened cyberattack within the past two years. Extortion was most common in India with 40 per cent respondents reporting the same followed by Saudi Arabia/Middle East, China and France.
“Governance issues are at the center of any discussion of security for critical infrastructure,” said Stewart Baker distinguished visiting fellow at CSIS and Lawyer at Steptoe and Johnson. “The relationships between the governments and private sect or organisations involved are complex but it is essential that each have faith in the others ability. The security industry will always strive to stay one step ahead, but in the absence of any technological silver bullet, regulation has a role to play in defending critical infrastructures around the world.”
The McAfee ‘In the Crossfire: Critical Infrastructure in the Age of Cyberwar’ report is available f or download at www.mcafee.com. To learn more about the research findings and opinions, please visit the McAfee Security Insights blogsiblog.mcafee.com.
McAfee commissioned Vanson Bourne, a specialist research-based technology marketing consultancy, to survey more than 600 people responsible for IT or security in critical infrastructure enterprises across seven sectors in 14 countries across the globe (US, UK, Japan, China, Germany, France, Italy, Russia, Spain, Brazil, Mexico, Australia and Saudi Arabia).
The Centre for Strategic and International Studies (CSIS) then analyzed the quantitative results, conducted additional qualitative research and authored the report.
