Massive denial-of-service attacks and “stealthy infiltration” of corporate networks by attackers are a common experience for companies in critical infrastructure sectors, including financial services, energy, water, transportation and telecom, according to a new survey.
Extortion schemes related to distributed DoS attacks are also rampant, especially in some parts of the world, according to the survey. The report, titled “In the Crossfire – Critical Infrastructure in the Age of Cyber-War,” was prepared by the Washington, D.C. policy think tank Center for Strategic and International Studies (CSIS). CSIS asked 600 IT and security professionals across seven industry sectors in 14 countries about their practices, attitudes about security, and the security measures they employ.
A little more than half of the respondents (54%) said they had experienced “large-scale denial of service attacks by high-level adversary like organized crime, terrorists or nation-state (for example, like in Estonia and Georgia).” The same proportion, according to the report, also said their networks had been subject to “stealthy infiltration,” such as by a spy ring using targeted malware attacks to allow hackers “to infiltrate, control and download large amounts of data from computer networks belonging to non-profits, government departments and international organizations in dozens of countries.”
In addition, 59% of the respondents expressed the belief that “representatives of foreign governments” had been involved previously in such attacks and infiltrations in their countries.
When it comes to massive distributed DoS attacks, 29% of those surveyed reported they had seen multiple distributed DoS attacks each month and 64% of those said these attacks “impacted operations in some way.” One in five of these critical infrastructure entities, according to the CSIS report, were subject to extortion schemes related to distributed DoS attacks. Extortion was said to be the most common in India, Saudi Arabia/Middle East, China and France, and rarest in the United Kingdom and the United States.
Other types of security incidents are also widely recorded.
More than half of the IT executives (57%) reported DNS poisoning, where Web traffic is redirected, and half said it was a monthly occurrence. Roughly the same number also reported monthly SQL injection attacks against their online resources. In addition, 60% reported “theft-of-service cyberattacks,” with nearly one in three reporting multiple attacks every month.
The oil and gas sector faces the highest rates of victimization, according to the CSIS survey.
Overall, 71% of respondents in the oil-and-gas industry reported stealthy infiltration, compared with 54% of respondents in other sectors. The CSIS survey also found distributed DoS attacks were “particularly severe” in the energy/power and water/sewage sectors, where attacks were usually aimed at computer-based operational control systems, like SCADA.
When it comes to cyberattacks overall, the CSIS report indicates that “national factors are more significant than sector or industry-specific ones in determining attack rates.” Specifically, the countries where the highest rates of cyberattacks were reported include India, France, Spain and Brazil.
Respondents said that 24 hours of downtime from a major attack would cost about $6 million per day and, in some sectors such as oil and gas, exceed $8 million per day. Two-thirds of the respondents said the resources they had to protect their organizations' networks were either “completely” or “mostly adequate,” but one-third indicated resources were “inadequate” or just “somewhat adequate.”
One-third of the respondents expressed the view that their own sector was either “not at all prepared” or “not very prepared” to deal with attacks or infiltration by high-level adversaries. Response varied a lot by country; 90% of executives in Saudi Arabia said their sector wasn't prepared, though 78% of the respondents in Germany were the most confident about preparedness.
The survey determined that China had the highest security adoption rate at 62%, ahead of the United States, United Kingdom and Australia, with 50% to 53%. Italy, Spain and India had the lowest security adoption rate, at less than 40%. Security adoption was defined as a wide range of practices and technologies, from regular patching to use of encryption to security information and event management systems.
Chinese executives also showed the highest level of cooperation and support for their government's cybersecurity stance in terms of regulation and defensive posture. The study also reveals some trepidation about the United States in terms of the potential for government-sponsored cyberattacks; executives from many nations, including many U.S. allies, rank the United States as the country “of greatest concern” in terms of foreign cyberattacks, just ahead of China.
In total, 45% of the respondents believe their governments are either “not very” or “not at all” capable of preventing and deterring attacks.
The CSIS study also asked which countries appear most vulnerable, and 80% of respondents in China cited the United States as one of the three most vulnerable nations because it is very dependent on computer networks. The United States and China were also seen by the survey's respondents as the “likely attackers in a cyber war.” The United States was viewed as the “most worrisome potential aggressor” by majorities of executives in some countries, including China, Brazil, Spain, Mexico and Russia.
The CSIS survey was conducted in September 2009 and carried out by U.K.-based market research firm Vanson Bourne and sponsored by McAfee.