Intel Security has just released a new report that once again illustrates the threadbare state of cybersecurity: most organizations believe they are better protected than the facts support. “We believe we have a degree of overconfidence, possibly complacency,” said Raj Samani, EMEA CTO, Intel.
The survey of IT executives within critical infrastructure organizations, ‘Holding the Line Against Cyber Threats: Critical Infrastructure Readiness Survey‘, produced by Intel Security and The Aspen Institute, found that 41% of respondents are already experiencing physical damage from attacks, and that 86% want more public-private cooperation. “This data raises new and vital questions about how public and private interests can best join forces to mitigate and defend against cyberattacks,” said Clark Kent Ervin, Director, Homeland Security Program, Aspen Institute, in a prepared statement. “This issue must be addressed by policymakers and corporate leaders alike.”
Critical infrastructure security – or its lack – has been all over the news recently, including:
-Germany passes strict cybersecurity law to protect ‘critical infrastructure’
-Ireland gears up for cyber war with a new strategy to protect critical infrastructure;
-Britain’s Ministry of Defence fends off thousands of cyber attacks every day while its military systems log more than a million suspicious incidents on a daily basis;
-the government of Canada was the target of a distributed denial of service (DDoS) attack that took down multiple federal websites, including those of the Departments of Justice, and Foreign Affairs; and,
-Poland’s national airline had to ground 22 of its planes after finding hackers had attacked its computer system in Warsaw.
At the end of June Tripwire reported that nearly all critical infrastructure industry executives recognize that their organizations are targets for cybercriminals, and more than half (61%) are confident their systems could detect attack in less than a day. The company questions this confidence.
“The idea that these attacks would be detected quickly is basically a perception that’s driven from the ability of these organizations to deliver energy with very high availability,” wrote Rekha Shenoy, VP of business and corporate development for Tripwire. “However, in our experience, these organizations don’t have the visibility into cybersecurity issues that would allow them to detect an attack faster than other industries.”
According to a new report a cyber attack on the US east coast could cost the economy $1 trillion. “The evidence of major attacks during 2014 suggests that attackers were often able to exploit vulnerabilities faster than defenders could remedy them,” Tom Bolt, director of performance management at Lloyd’s, said in the report from the University of Cambridge Centre for Risk Studies and the Lloyd’s of London insurance market.
A lot of money is being spent on security. The global enterprise IT security market is predicted to reach $34 billion by 2018, up from $19.8 billion in 2013, growing at a Compound Annual Growth Rate of 11.4% from 2014 to 2018. Just the threat intelligence security market is currently worth $3 billion, and is expected to grow to $5.86 billion by 2020, at a CAGR of 14.3%.
Despite the billions of dollars being thrown at cybersecurity, the reality is that we are less secure today than ever before:
-by 2019 cybercrime will cost businesses over $2 trillion, almost four times the estimated cost of breaches in 2015;
-security compromises increased 64% in 2014;
-54% of breaches remain undiscovered for months;
-60% of data is stolen in hours; and,
-100% of companies connect to domains that host malicious files or services.
This is much more serious than the better-known cybersecurity threats like stealing data and money, said Samani in an interview with IT Trends & Analysis. “We’re talking about systems that are keeping the lights on, keeping your water clean… the reality is the impact of getting this wrong is considerably worse”.
The reality is that the use of technology for critical infrastructure, it’s not just beneficial to the organization, but to society at large, he said. The reality is that it’s not impossible to protect these environments, and I would argue in many cases it would be easier than IT security, said Samani.
Part of the solution, he said, is an integrated approach to security, better information sharing, better co-operation. “Fundamentally, we have to develop solutions that will ensure that we have a foundation of trust within the systems we rely on.”
He said people are still the weakest link, i.e. “how can we get employees not to install iTunes on the shop floor”. According to IBM, 55% of all attacks are carried out by malicious insiders or inadvertent actors, also known as insider threats.
A month ago Intel announced a partnership with Honeywell Process Solutions (HPS) to help protect critical industrial infrastructure and the Industrial Internet of Things (IIoT). “The threat of cyber attacks on industrial and critical infrastructure targets is growing rapidly and our customers are demanding effective cyber security to assist them in protecting their assets and people. Working with Intel Security expands our capabilities to enhance the availability, reliability and safety of customers’ industrial control systems and plant operations,” said Jeff Zindel, global business leader for Honeywell’s Industrial Cyber Security Solutions group.
Samani believes the opportunity for technology to play a leading role in managing the finite resources we have on this planet is going to be critical. “With great opportunity comes great risk.”
5 Major Findings of the Critical Infrastructure Readiness Report
1. Disconnect or Overconfidence: Even though major data breaches make regular headlines, many executives surveyed rated their organization’s defenses good to excellent, possibly from overconfidence or misplaced faith in their capabilities to effectively respond to an attack.
2. Risk Confusion: Despite the current wave and increased volume of cyberattacks, most respondents believe their organizations face less risk today compared to three years ago.
3. Favorable to Cooperation: More than three quarters of executives believe it is important to increase cooperation between organizations and with their own governments to counter cyber threats. US, UK, and German companies were the most supportive of this view; those in France were more unconvinced.
4. Serious Cyberattack Believed Likely: Despite high confidence in their own defenses, US and French respondents in particular rate a serious cyberattack affecting critical services and causing loss of life as highly likely within the next three years. The transportation and energy sectors are seen have the most risk.
5. BYOD a Non-Factor, Humans Still the Weakest Link: Few executives believe that the proliferation of personal devices at work is a prime cause of cyberattacks, despite the priority assigned to bring-your-own device issues (BYOD) by cybersecurity companies. Respondents believe user error, not software or device failure, is the leading cause of security breaches.