Critical infrastructure systems around the world are the targets of repeated cyberattacks, according to a new global survey of technology
executives in these industries. They believe some of the attacks are
coming not just from individual cybercriminals but terrorists and
foreign nation states.
The United States and China are believed to be the most likely countries to conduct a cyberattack against the critical infrastructure of another nation, according to the respondents.
Companies and agencies operating in the banking and finance sectors, energy and natural resources, telecommunications and internet service
providers, transportation and mass transit, chemical production and
storage, food distribution and government services are considered
critical infrastructure companies.
The attacks that are occurring include massive denial of service attacks, stealthy efforts to penetrate networks undetected, DNS
poisoning, SQL injection attacks and malware infections. The aims of
the attacks vary from shutting down services or operations to theft of
services and data or extortion attempts.
Among the more serious findings in the report is that some of the most sensitive critical infrastructure entities around the world, such
as those for energy and natural-resource industries (such as water and
sewage plants), are some of the least secure.
For example, 80 percent of executives working for entities that use SCADA (supervisory control and data acquisition) or Industrial Control
Systems say their systems are connected to the internet or some other
IP network, putting them at possible risk of intrusion. Executives at
water and sewage facilities also reported having the lowest level of
security measures in place.
About 55 percent of respondents in the energy and power and the oil and gas sectors reported that the attackers most often targeted the
SCADA or other operational control systems, although the survey offers
no indication of how successful these attacks were.
Only 57 percent of respondents across all sectors said their organization installed security patches and updated software on a regular schedule.
The report, “In the Crossfire: Critical Infrastructure in the Age of Cyberwar,” was commissioned by anti-virus firm McAfee and coordinated by the
Center for Strategic and International Studies in Washington, DC. It
was led by Stewart Baker, a visiting fellow with CSIS and former
assistant secretary for policy at the Department of Security during the
last Bush administration. Baker was also general counsel for the
National Security Agency from 1992 to 1994.
The survey involved 600 IT and security executives in critical infrastructure industries in 14 countries, including financial,
transportation and mass transit, energy and natural resources, telecoms
and ISPs. The executives surveyed have responsibilities in information
technology, security and operational control systems.
The release of the report was timed to coincide with the World Economic Forum being held through the end of January in Davos, Switzerland, and follows on the heels of a serious and coordinated cyberattack conducted against Google, Adobe and other U.S. companies in the finance, technology and defense industries.
The report is believed to be the first of its kind to examine the security of critical infrastructures around the world, although it has
a number of shortcomings that the coordinators don’t address. Many of
the findings, for example, are provided without elaboration, making it
difficult to know what the survey participants meant in their responses.
For example, the report indicates that large-scale DDoS attacks had a particularly severe effect in the energy and power and water and
sewage sectors, but doesn’t elaborate on what consequences were
suffered as a result of these attacks.
Also, the report states that attacks are “often from high-level adversaries like foreign nation-states” but doesn’t indicate how this
is known when attribution in cyberspace is often impossible to
determine.
About 75 percent of executives in China believe foreign governments have been involved in cyberattacks against critical infrastructure in that country, while 60 percent in the U.S. believe this is the case.
In a conference call, the organizers of the survey acknowledged that respondents who indicated that foreign nation-states were behind
attacks were not asked how they knew attacks against them came from
nation states. The organizers said the respondents were likely basing
their responses simply on perceptions gained from news reports rather
than firsthand knowledge of the source of attacks.
More than half of executives surveyed (54 percent) said they suffered large-scale DDoS attacks and stealthy infiltration attacks by
high-level adversaries, such as organized crime, terrorists or
nation-state actors.
Nearly 30 percent of those surveyed reported suffering large-scale DDoS attacks multiple times each month, with about 64 percent saying
the attacks impacted their operations in some way, such as interfering
with website operations, e-mail servers or phone systems.
Of those that suffered sensitive data leaks and loss from network intrusions, 15 percent said the impact was serious, while 4 percent said it was critical.
The most common target in such attacks was financial information, with a little more than half reporting that this was the aim of
intruders. The least common target was password and login information,
which was targeted in only 21 percent of attacks. Although the report
doesn’t note this, in order to get to financial data, intruders often
obtain password and login credentials at some point in their intrusion.
So while the password and login may not be the final target, it is
often a means to the target.
One in five respondents said they were the victim of extortion through a cyberattack or threatened cyberattack within the last two
years. Extortion was most common in India, the Middle East, China and
France and rarest in the U.S. and U.K.
Again, the survey provides little elaboration other than to point to now-disputed media reports attributing power outages in Brazil in 2005 and 2007 to hackers.
These incidents were reported last year by 60 Minutes. The 60 Minutes story, however, has been harshly criticized privately by a number of the
show’s own sources, who say it was based on rumor, and has been denied
by the Brazilian government. Brazil released a report attributing the outage in 2007 to soot-covered insulators.
The 60 Minutes story was based in part on information from CSIS’ own James Lewis, a senior fellow in its technology and public
policy program. So, citing disputed media reports to support extortion
claims when those media reports were in part the result of disputed
information provided by CSIS is a curious move.
With regard to securing against attack, critical infrastructure entities in China have the highest rate of adopting strong security
measures such as encryption, user authentication and strict security
policies. About 62 percent of Chinese executives said such measures were
in place, while only 53 percent in the U.S. indicated this.
The adoption of strong security measures, however, didn’t necessarily translate to better protection from high-level attacks. For
example, although China has a high adoption rate for security
technologies and policies, it “is not notably free from high-level
attacks,” says the report.
Among the 600 respondents to the survey, 100 are based in the United States; there are 50 respondents each in Japan, China, Germany, France,
the U.K. and Italy; another 30 each are in Russia, Spain, Australia,
Brazil, Mexico and India; and 20 are in Saudi Arabia. The sectors most
represented in the survey are the banking and finance sector and
government services. Each of these sectors had 145 respondents. The oil
and gas, energy and power, transportation and mass-transit, and
telecommunications sectors had representatives ranging from 59 to 82
respondents. Only 23 respondents come from the water and sewage sector.