Cyberattacks and infiltration of computer networks at critical utilities worldwide have soared in the past year, according to a survey of 200 executives at such facilities. But adoption of security measures has barely budged.
A year ago, slightly less than half of respondents said they had never been subjected to either an intrusion or an important attempt to shut down some of their operations electronically. In the new tally, the proportions reporting such incidents jumped to 85 per cent and 80 per cent. Nearly two thirds said they found malicious software designed for sabotage every month.
The study, by security provider McAfee and the not-for-profit Center for Strategic and International Studies, strongly supports concerns about vulnerability of the electricity grid raised by last year’s discovery of Stuxnet, a targeted cyberweapon that used hacking techniques to disable centrifuges in Iran’s uranium processing operation.
Senior western military and intelligence officials have complained for years that other countries were probing critical electricity systems, but the sophistication and success of Stuxnet attracted the attention of utilities, legislative bodies and the general public.
The poll found that those charged with defending infrastructure were fighting off more attacks and were increasingly worried about foreign governments and criminals, but they were doing little to improve procedures, and might be even more exposed by the deployment of “smart grid” technology.
Many companies still use pre-set passwords on specialised devices to control aspects of their operation.
A minority has security programs that monitor networks for unusual behaviour.
A majority of executives surveyed said smart-grid investments, which allow two-way communication between electricity consumers and producers, will give the hackers more opportunities.
“The smart grid is galloping forward and security is being left behind”, said Stewart Baker, a CSIS co-author and former general counsel of the National Security Agency.
“We should probably be going a little slower.”
China and Japan are demonstrably more aggressive in protecting facilities, with those countries auditing technology security at 70 per cent or more of the sites polled. The UK, US and Spain all audited fewer than 20 per cent.
At least in the US, enforcement of security policies is hampered by a regulatory structure that leaves most decision-making to private companies, though proposed cyber-security laws would modify that structure.