Critical systems facing attacks from foreign powers
The frequency, scale and scope of cyber attacks by nation states are increasing at an alarming rate, according to a report commissioned by security firm McAfee.
More worryingly, McAfee says vulnerable software that controls critical infrastructure – from power supplies to communications – is a major target for attacks by nation states.
The study surveyed 600 IT security executives from critical infrastructure organisations around the world and found that 54% had already suffered large scale attacks or stealthy infiltrations from organised crime gangs, terrorists or foreign powers.
The report, In the Crossfire: Critical Infrastructure in the Age of Cyberwar, commissioned by McAfee and authored by the Center for Strategic and International Studies, says many of the world’s critical infrastructures were built for reliability and availability, not for security.
Traditionally, the study claims, these organisations have relied on guards, gates and guns rather than network security, but the connection of systems to corporate networks and the web changes the landscape.
According to the UK’s Centre for the Protection of National Infrastructure, almost all critical industrial infrastructures and processes are managed remotely from central control rooms using Supervisory Control And Data Acquisition (SCADA) technology.
These systems control the flow of gas and oil through pipes, the processing and distribution of water, the management of the electricity grid, the operation of chemical plants, and the signalling network for railways.
Yet globally, three quarters of survey respondents with SCADA responsibilities said their networks were connected to an IP network and that half of those connections represented an “unresolved security issue”.
“The original SCADA design generally didn’t assume that the control systems would be exposed on networks where untrusted people had at least some level of access to them,” the report quotes an industry veteran as saying.
He said much SCADA software was written “quite some time ago and has not been modified since” so the systems were “not on the newest platforms, so they have those vulnerabilities that have been discovered over time. Replacing them is hugely complex and expensive.”
Despite a growing body of legislation and regulation, more than a third of IT executives said the vulnerability of their sector had increased over the past 12 months and two-fifths expected a major security incident in their sector within the next year.