The hackers are in the oil refineries – and the gas pipelines and the power plants. So says a study the Center for Strategic and International Studies and security software firm McAfee released Thursday.
More than half of the companies running critical infrastructure such as electric grids, gas and oil supplies have sustained cyber attacks of stealth infiltrations by organized gangs or state-sponsored hackers. The rates of "stealth infiltration" were highest in oil and natural gas operation, with 71 percent claiming to have been targets.
The cost of the downtime caused by cyber attacks is high, according to the study. For corporations, the average cost is $6.3 million a day.
The study – presented at the World Economic Forum in Davos, Switzerland – surveyed some 600 IT and security executives from the energy, transport, water and sewage, government, telecoms and financial sectors in 14 countries.
It's in McAfee's business interest to be alarmist, but still the findings are chilling, particularly as they come on the heels of both Operation Aurora – the high-profile episode whose targets included Google and Adobe Systems – and new revelations of orchestrated cyber attacks against Exxon Mobil, ConocoPhillips, and Marathon Oil.
Even worse news: The risk of cyber attack – including everything from garden variety-viruses and "malware" on up to the more vicious – is rising. Nearly 40 percent of all IT executives expected a major cybersecurity incident, defined as an attack causing an outage of "at least 24 hours, loss of life or... failure of a company" in their sector within the next year, the report revealed. Four in five expected such an incident within five years.
Thanks to the recession, most IT departments are suffering budget cuts (including IT departments representing critical infrastructure). Two-thirds of those surveyed in the report – titled "In the Crossfire: Critical Infrastructure in the Age of Cyberwar" – blamed the current economic climate for shrinking security resources available, and 25 percent said resources had suffered cuts of 15 percent or more. The cuts were most severe in the energy, oil and gas sectors.
The report also showed more than half of executives have little faith that their nation's laws will deter cyberattacks. The three countries named as most vulnerable to attacks: the U.S., Russia and China. Interestingly, respondents also named the U.S. as the biggest potential source of attacks.
"When they were asked which country ‘you worry is of greatest concern in the context of network attacks against your country/sector,' 36 percent named the United States and 33 percent China — more than any other country on a list of six," the report said. (China was praised, however, for its rapid adoption of security measures.)
Concluded the report: "If cyberspace is the Wild West, the sheriff needs to get to Dodge City."
What do you think? Have you or your business partners suffered a cyberattack recently? How did you handle it?