In the Crossfire: Critical Infrastructure in the Age of Cyber War

In an ever more networked world, the cyber vulnerabilities of critical infrastructure pose challenges to governments and owners and operators in every sector and across the globe. With the global economy still fragile after last year’s financial crisis, assuring the integrity and availability of key national industries may fall out of focus as a government priority, but will remain a key determinant of strategic vulnerability.

Six hundred IT and security executives from critical infrastructure enterprises across seven sectors in 14 countries all over the world anonymously answered an extensive series of detailed questions about their practices, attitudes and policies on security—the impact of regulation, their relationship with government, specific security measures employed on their networks, and the kinds of attacks they face.

Critical infrastructure owners and operators report that their IT networks are under repeated cyberattack, often by high-level adversaries. The impact of such attacks is often severe, and their cost is high and borne widely. Although executives generally report satisfaction with the resources they have for security, recession-driven cuts have been widespread and sometimes deep. And there is concern about how well-prepared critical infrastructure is to deal with large-scale attacks.

By gathering details on the actual security measures that organizations adopted, we were able to make an objective comparison of security in different critical infrastructure sectors, and in different nations. The executives with responsibility for operational or industrial control systems were also asked a series of special questions about the security measures employed on those systems.

Executives in China reported by far the highest rates of adoption of security measures, including encryption and strong user authentication. Among sectors, water/sewage executives reported the lowest rate of adoption of security measures. Broken down by sector and by nation, the survey data reveal significant variations in attitudes to and reports about regulation and other government activity. Executives in India reported the highest levels of regulation, closely followed by China and Germany. Executives in the United States reported the lowest levels. Views about the impact and effectiveness of regulation varied widely, but overall most agreed that regulation improves security.

A majority of executives believed that foreign governments were already involved in network attacks against their country’s critical infrastructure. The United States and China were seen as the most worrisome potential cyber aggressors, but attribution challenges in cyberspace give all attackers “plausible deniability.”

McAfee, January 2010
