Power Grid, Utilities Seen as Most Vulnerable to Cyber Attack
Our trip to the 2012 ISSA International Conference in Anaheim, California has us thinking even more about cyber terrorism. We surveyed more than 100 security professionals while we were there and they told us, among other things, that 79% of them are expecting a major cyber terrorism event within the year.
If so many of the world’s top IT security pros are expecting a major strike to happen so soon, who is at risk? When asked what the most likely targets were for cyber terrorism, 48% of respondents said it is the nation’s power grid and utilities. The security professionals commented on the lack of protection for those targets and their connectivity with the Internet.
More and more, we are realizing that the front lines of the fight against cyber terrorism are not with the CIA or in some military bunker. They’re in the IT departments of countless electricity companies, water providers, natural gas companies and various other utilities. And wow, do we have some work to do.
According to Bloomberg, Internet-based terrorists would be capable of causing blackouts “on the order of nine to 18 months” by attacking critical systems such as transformers. Consider the consequences of an attack like this knowing there are only three major power grids for the entire US. The damage to a water utility or oil and gas provider could be just as catastrophic. Financially, the cost of such an attack would be “incalculable,” according to one person interviewed by Bloomberg.
The central vulnerability lies in the computer-based, supervisory control systems (SCADA) that are used to monitor and control our oil and gas pipelines, our water distribution systems and our electrical grid. These systems have been in use since the early 1970’s and began getting connected to the Internet in the early 2000s. These are real-time control systems that are set up much like corporate IT networks – but in many cases they lack a level of protection proportionate to their national importance.
How much would it cost to bring them up to where they need to be? According to Bloomberg, utilities would have to increase their investment in computer security more than seven-fold to reach an ideal level of protection. The article went on to say that it would take an average annual budget of $345 million per company to stop 95% of the threats.
Even with this investment, some say it is impossible to defend the current system as it stands. In a talk earlier this year, security expert Eugene Kaspersky said a complete redesign of all utilities around a secure operating system was the only solution.
What are the other targets?
Aside from the power grid and utilities targets indicated in the ISSA survey, finance was next in the lineup of potential targets with 22%. Many respondents selected the finance industry due to the obvious potential for impeding a nation’s financial stability. While they acknowledged that financial institutions do invest in security technologies, many people doubted the effectiveness of those investments against cyber terrorism.
In addition, several people interviewed asked for the Select All button across the targets we suggested. The only category that garnered no votes was High Tech.
While the data we collected during our ISSA survey was not exactly reassuring, it was encouraging to see the attendees – many of whom are on the front lines of this fight – recognize the risk they’re facing and are discussing ways to solve it.
These pros understand that absent the kind of overhaul Kaspersky called for, one of the most important things they can do is maintain a proactive, vigilant watch of their networks. Virtually all respondents agreed that network visibility was important in not just recognizing, but more importantly, preventing damage from malicious attacks. There seemed to be a sense that levels of infiltration have already occurred, and the focus needs to be in preventing damage to key assets.
As a provider of technology that optimizes security monitoring for IT networks – including those in use by utility companies – we’re proud to play our role in this fight. Just like with physical terrorism, preventing cyber terrorism requires all to pitch in and keep ourselves safe.