Most companies responsible for the world’s power, water and other critical functions recognize increasing cybersecurity threats but are not yet fully committed to preventing attacks, according to a survey released Thursday by information technology company Unisys and independent research group Ponemon Institute.
Cyberattacks target vulnerable computers in an attempt to make them malfunction and disrupt data flows in order to disable operations at businesses and governments. Alternatively, cyberattacks can target data, stealing important information without leaving tracks or disabling any operations.
Cyberattacks have been around at least as long as computers, with one of the most famous perpetrated in 1982. That year, according to the website list25.com, "During the Cold War in 1982, the CIA found a way to disrupt the operation of a Siberian gas pipeline of Russia without using traditional explosive devices such as missiles or bombs. Instead, they caused the Siberian gas pipeline to explode using a portion of a code in the computer system that controls its operation in what they tagged as a “logic bomb.” The chaos that ensued was so monumental that the resulting fire was even seen from space."
In the latest survey, about 600 company executives from 13 countries, working in the utility, oil and gas, alternative energy and manufacturing industries, responded online.
Nearly 70 percent reported at least one cybersecurity breach in the past 12 months that led to the loss of confidential information or disruption of operations, and 78 percent said a successful attack is at least somewhat likely within the next two years. Only 28 percent ranked security as one of the top five strategic priorities for their organizations, and only 6 percent provide cybersecurity training for all employees.
"That's a pretty obvious mismatch," Dave Frymier, chief information security officer at Unisys, told IBTimes.
“The findings of the survey are startling, given that these industries form the backbone of the global economy and cannot afford a disruption,” Larry Ponemon, chairman and founder of the Ponemon Institute, said in an emailed statement.
Recent physical and cyberattacks on power grids and utility companies have prompted research groups to recommend that the U.S. federal government take steps to provide security beyond the utility industry’s limited efforts. Gunmen tried to knock out power from California’s Silicon Valley in April 2013, sparking federal-level discussions over electric grid security.
Recent cyberattacks employing sophisticated Russian malware have targeted U.S. energy grid operators as well as major electricity providers in Spain, Italy, France, Germany and Poland, according to the U.S. Department of Homeland Security and cybersecurity company Symantec.
The report points out that many companies began moving IT infrastructure onto shared networks to save on costs after the financial crisis, which has allowed employees to operate such systems as power and water treatment facilities remotely but made these systems more vulnerable to attack.
Frymier recommends that companies separate their general IT infrastructure, like that used for emails, from their critical infrastructure, like that used for systems operations.
He said so far most cyberattacks have involved corporate espionage and attempts to steal companies' technological innovations, but hackers' motivations could soon turn to cash.
"We expect that at some point there will probably an extortion angle, where some of the bad guys will take over a piece of a power grid or water treatement plant or sewage system or something and basically hold it for ransom," Frymier said. "I know it sounds like a Batman and Robin situation, but it’s possible."