The survey of 1,580 private, critical infrastructure businesses from 15 countries worldwide, released Wednesday by Symantec, also found that 48 percent of respondents suspect they will suffer politically motivated attacks in the future. Of those that already have been hit, companies typically reported sustaining about 10 attacks in the past five years, according to the report.
The Stuxnet worm is an example that politically motivated attacks, while uncommon, are real and can be effective, Cris Paden, a Symantec spokesman, told SCMagazineUS.com on Thursday.
Politically motivated cyberattacks against critical infrastructure networks do not aim to steal money, but rather to manipulate physical equipment, disable services or gather information that can be used in conjunction with a physical attack.
“Their goal is to use the cyberattack as another means to attack an opponent if they can't get to you with a bomb or a gun,” Paden said.
One IT director of a midsize energy company, who was quoted in the report, said, “We've had people attempt to break in and retrieve documentation, especially the shared material between oil companies in our library. We had to take some dramatic actions to be able to cut them off.”
The report focused on critical infrastructure companies across energy, banking and finance, communications, IT and health care.
Banking and finance were most likely to report being attacked, while IT was the least likely. The statistics in the survey have not been proven, but represent the opinions of critical infrastructure owners and operators, Paden said.
“I think it's good that they are aware about it, and conscious of it, and take the threat seriously,” Paden said. “The last thing you want is for businesses to be lackadaisical about this kind of stuff.”
Jose Nazario, senior security researcher at Arbor Networks, told SCMagazineUS.com in an email Thursday that the biggest takeaway of the report is that critical infrastructure owners seem to be recognizing that information security is a key priority in their ability to deliver service.This is important, because many of the attacks were successful and costly, according to the report. Respondents in North America estimated that 74 to 77 percent of attacks were “somewhat to extremely” effective and the average cost of an attack was $850,000.
On a positive note, private critical infrastructure companies are willing to partner with their governments to improve protection, the survey found. Ninety percent of those surveyed are already allying with the government on critical infrastructure protection programs, and most have positive attitudes about such efforts.
“What this survey says, by the admission of the critical infrastructure providers themselves, is that there is a ready audience that wants to cooperate with the government on critical infrastructure protection efforts and looks to the government to provide leadership on it,” Paden said.
However, despite the collaboration with government, the survey found that there is more work to be done to improve readiness. Only one-third of respondents felt “extremely prepared” against attacks that attempt to steal or alter electronic information, shut down networks or manipulate physical equipment.
“Major holes exist in our electric web across the United States, and it wouldn't take much for hackers to get in and shut it down,” an IT director for a midsize banking and finance company said in the report.
The danger of politically motivated cyberattacks is real, and the United States needs both defensive and offensive responses to such threats, Pat Clawson, CEO of vulnerability management and endpoint security software provider Lumension, told SCMagazineUS.com in an email on Thursday.
“We need to be prepared,” Clawson said. “The risks of our critical infrastructure being affected are too great to ignore.”