Cyber-attacks on critical national infrastructure (CNI) are growing in volume and sophistication, with destructive attacks far more common than at first thought, according to a new report from Trend Micro and the Organization of American States (OAS).
Over 500 security chiefs working at CNI firms in 26 OAS member countries in North and South America were interviewed to compile the Report on Cybersecurity and Critical Infrastructure in the Americas.
It revealed that 43% had seen an increase in attacks over the past year, versus a quarter who hadn’t, and an overwhelming 76% said that these cyber raids were getting more sophisticated.
While attempts to steal information were the most commonly seen form of attack (60%), destructive cyber-attacks were not far behind.
Some 54% of respondents said that attackers had tried to “manipulate equipment” through an industrial control system (ICS), while 44% said they had tried to destroy information and 40% had attempted to shut down computer networks altogether.
Phishing (70%) was the most common attack method, followed by unpatched vulnerabilities (50%) and DDoS (42%).
The stats are interesting given that this type of online attack rarely makes it into the public domain, unlike the frequent incidents of large-scale data loss that make headlines around the world.
The report warns that CNI targets in the Americas are particularly vulnerable to attack given that large numbers of historically poorly protected systems are being connected to the internet, increasing their risk exposure.
Worryingly only 52% of respondents said they had a cyber incident response plan in place, and the majority (52%) claimed their security budget had not increased over the past year.
The OAS and Trend Micro urged more public-private partnerships to improve CNI cybersecurity in OAS countries and greater co-operation and information sharing between individual governments.
Chris McIntosh, CEO of security and comms firm ViaSat UK, argued that cyber-attacks have grown so sophisticated today that they should be viewed “on a par with a physical attack on infrastructure, if not more likely.”
“To avoid this risk, critical infrastructure companies need to review their entire IT systems from top to bottom; ensuring there are no unprotected points of entry for potential attackers and that all points of access are secured,” he added.
“Encryption of data in transit and rigorous authentication protocols should also become de rigeur. Organizations need to work on the assumption that they have already been compromised and work backwards on this basis”