New research from a IT strategy firm has found that the U.S. supply chain may be even more prone to cyber-attacks than commonly believed..

The Enterprise Strategy Group (ESG) unveiled research late last month divulging how vulnerable the businesses behind the U.S. supply chain and resources network — goods and services forming the backbone of the country’s well-being and economy — are to cyber-attack. ESG found that in the past two years most of them have been breached, many more than once. Only a few employ cyber-security best practices for the supply chain.

These are eye-opening findings, according to Jon Oltsik, ESG principal analyst and the author of the report, Assessing Cyber Supply Chain Security Vulnerabilities within the U.S. Critical Infrastructure.

“The assumption was that the U.S. critical infrastructure is very vulnerable to some kind of cyber-attack, but to my knowledge, and I dug fairly hard, no one had ever quantified that,” he said. “No one had ever done research to figure out just how vulnerable or if that was true, and so we wanted to do that.”

He and colleagues John McKnight, vice president of research; and Jennifer Gahm, senior project manager of market research, surveyed 285 IT and business leaders from public and private organizations, including federal and local government employees. The researchers selected participants from 18 industries deemed “critical infrastructure” by the U.S. Department of Homeland Security. The ESG report classifies them as critical infrastructure and key resource (CIKR) groups.

“Everyone is under attack to a greater degree than they were a few years ago. The difference, I’d say, is that these industries have a target on their back,” Oltsik said.

Regulation has hardened the cyber-security of banks and other financial institutions, so criminals are targeting elsewhere.

“If you wanted to disrupt the U.S. economy, you might do things like try to take out the power grid, try to disrupt the money supply or the financial system, try to disrupt the telecommunications networks. Those are the kinds of things that we’re really concerned about with critical infrastructure protection,” he said.

Sixty-eight percent of respondents experienced at least one security breach in the past 24 months, and 13 percent experienced more than three. Yet only 26 percent said they were very familiar with the cyber-security supply chain model, internal risk management and security practices designed to keep CIKR organizations safe. Thirty-seven percent said they were somewhat familiar, 22 percent said they’d heard of them but weren’t familiar, and 14 percent said they hadn’t heard of them.

Other report data include the following:

  • Forty percent of respondents said today’s threat landscape is somewhat worse than it was 24 to 36 months ago, 28 percent said much worse, 20 percent said the same, 6 percent said somewhat better, 2 percent said much better, and 4 percent had no opinion.
  • Fifty-six percent rated their internal policies and procedures as good, 22 percent said excellent, 18 percent said fair, 2 percent said poor, and 2 percent didn’t know.
  • After asking respondents questions about their security policies and safeguards, ESG deemed that 30 percent had strong cyber supply chain security, 36 percent found to be marginal, and 34 percent were weak.

     

Some survey questions were designed to discern respondents’ attitudes about outside parties, such as if they considered IT vendors’ security process when they made software purchases or if they held system integrators accountable for the security of systems they helped develop or design. The questioning suggests that modern cyber-security is an intricate affair.

“That’s true, but I would argue that that’s the cost of doing business now,” Oltsik said. “If we’re going to let people pay their electric bills online, or if we’re going to connect our internal systems to other people’s systems, if we’re going to buy equipment and build new applications to automate processes, it’s the cost of doing business.”

A whopping 71 percent of respondents felt the federal government should be more active with cyber-security strategy and defenses. Oltsik said he feels that recent administrations haven’t moved fast enough to keep up with a digital world that’s becoming more dangerous.

“There is more focus on it than there was a few years ago, but the legislative process is slow, and cyber-security issues are light speed, and the more there’s a mismatch, the longer it takes, the bigger the gap gets,” he said.

Hilton Collins, Staff Writer Hilton Collins  |  GT Staff Writer

By day, Hilton Collins is a staff writer for Government Technology and Emergency Management magazines who covers sustainability, cybersecurity and disaster management issues. By night, he’s a sci-fi/fantasy fanatic, and if he had to choose between comic books, movies, TV shows and novels, he’d have a brain aneurysm. He can be reached at hcollins@govtech.com and on @hiltoncollins on Twitter.