A new survey of top IT executives reconfirms the findings from other recent cybersecurity studies regarding the online defense at utilities and other vitally important public- and private-sector organizations. The report outlines what is good and what needs improvement in our online defense of critical infrastructure facilities.
Credit: Shutterstock/Matt Ragen
A new Aspen Institute and Intel Security sponsored survey found that, while optimism in online security protections is up, the threat level of cyberattacks has also escalated. One top finding: 86 percent of respondents see a need for improving public-private threat intelligence sharing partnerships.
The report focused on critical infrastructure organizations in France, Germany, the United Kingdom and the United States. You can read the eight-page PDF version of the survey results for free at this link:Critical Infrastructure Readiness Report: Holding the Line Against Cyberthreats.
Here are the top five findings from the executive summary (along with a brief description of the item, where needed):
Finding 1: Disconnect or overconfidence
Even though major data breaches make regular headlines, many executives surveyed rated their organization’s defenses good to excellent, possibly from overconfidence or misplaced faith in their capabilities to effectively respond to an attack, based on Intel Security threat reports.
Finding 2: Threats and confidence both on the rise
Finding 3: Favorable to cooperation
More than three quarters of executives believe it is important to increase cooperation among organizations and with their own governments to counter cyberthreats.
Finding 4: Serious cyberattack believed likely
Finding 5: BYOD a non-factor, humans still the weakest link
Few executives believe that the proliferation of personal devices at work is a prime cause of cyberattacks, despite the priority assigned to bring-your-own device issues (BYOD) by cybersecurity companies. Respondents believe user error, not software or device failure, is the leading cause of security breaches.
In my view this report is well done and worth reading. I found the first finding to be very intriguing, with destructive cyberthreats rising dramatically at the same time executive confidence in protections is rising. These results show either naiveté or remarkable faith in one’s cyberteam – at a time when new data breaches are reported in our headlines almost daily.
We are now eighteen months after the president’s executive order on protecting critical infrastructure cybersecurity, along with the release of the latest cybersecurity framework. It is important that we keep checking back to see how things are progressing.
I like several of the coverage pieces from the wider cybersecurity community on this report. This Marketwatch.com story highlighted the challenges still before us that are highlighted in the survey:
Steve Grobman, who is the chief technology officer for Intel Security Group, summarized the report under these three popular groupings for Dark Reading.
I also like this Cruxialcio.com summary of what a destructive attack might look like, if it happens:
“Many cities are also dependent on power service to maintain safe upkeep of homes, residential buildings, and business establishments. Most building heaters are powered by electricity, and so are many other environment controllers.
While it is still not likely that deaths could result from cyber attacks in the present time, this possibility looms in the future as more and more cities are starting to be dependent on computer systems to run. This means that cyber security professionals and companies must be twice as vigilant to prevent these incidents from occurring.”
Different Surveys on Critical Infrastructure Yield Similar Findings
Back in April, as similar report which focused on North and South America was released by Trend Micro and the Organization of American States (OAS). That report also showed a dramatic increase in cyberattacks directed against critical infrastructure owners and operators. You can read a summary of those OAS findings on hacking critical infrastructure here.
Another recent example comes from this Columbia University panel discussion on critical infrastructure cybersecurity from May 2015.
This CSPAN video from the Aspen Institute July conference 2015 on recent data breaches is worth watching http://www.c-span.org/video/?327112-6/discussion-cybersecurity
You can also learn more about the Aspen Institute and watch related sessions on global security at this website.
In this report, respondents from the transportation and energy sectors were more likely than their counterparts in other sectors to deem the possibility of a dangerous attack to be “likely or highly likely.” I find that result to be concerning.
Also, more than 70 percent of respondents think the threat to their organizations is escalating. Almost nine out of 10 experienced at least one attack in the last three years that caused some damage, disruption, or data loss, with a median of close to 20 attacks per year. Forty-eight percent believe it likely to extremely likely that a critical infrastructure cyberattack will result in human fatalities in the next three years.
What’s the bottom line from this report and the similar reports from similar reports this year?
If you haven’t already done so: Act now on cyberthreats to critical infrastructure under your control – and especially building new trusted relationships with others.
The cyberthreat is real and growing – and our sharing of threat intelligence must grow as well – along with new public-private partnerships on critical infrastructure protection.