Close to 30% of respondents believe their company was not prepared for a cyberattack, and more than 40% expect a major cyberattack within the next year, according to a survey of 200 IT security executives from electricity infrastructure enterprises in 14 countries conducted by Vanson Bourne for McAfee and CSIS. The survey results are presented in their new report "In the Dark: Crucial Industries Confront Cyberattacks".
The energy sector increased its adoption of security technologies by only a single percentage point (51%) compared to last year’s report, and the oil and gas industries increased only by three percentage points (48%).
“Perhaps one of the most frightening findings in the report is the fact that, although the security threat and awareness of the threat have increased exponentially, the energy sector increased its adoption of security technologies by only one percent”, Phyllis Schneck, chief technology officer for public sector at McAfee, wrote in a blog.
Schneck offered two reasons for this lag in security investment by the energy sector. First, there is a lack of incentive to invest in security when the threats are not tangible. Second, cybersecurity investment decisions are made at the chief information officer level, when they need to be made at the chief executive level. “Cyber security is a business risk – if the lights go out, everyone loses money”, she said.
The new study reveals that while the threat level to critical infrastructure has accelerated, the response level has not, even though a majority of respondents (nearly 70%) frequently found malware designed to sabotage their systems. Nearly half of respondents in the electric industry sector reported that they found Stuxnet malware on their systems.
This threat to infrastructure also includes electrical smart grids, which are growing in adoption and are expected to exceed $45 billion in global spending in 2015.
Brazil, France, and Mexico are lagging in their security measures, adopting only half as many as leading countries China, Italy, and Japan. Concurrently, China and Japan were also among the countries with the highest confidence levels in the ability of current laws to prevent or deter attacks in their countries.
Respondents in China and Japan reported high levels of both formal and informal interaction with their government on security topics, while the US, Spain, and UK indicated little to no contact.
Other key findings of the report include: 80% of respondents have faced a large-scale distributed denial of service (DDoS) attack; 25% have been victims of extortion attempts; nearly 70% frequently found malware designed to sabotage their systems; and a quarter of respondents reported daily or weekly DDoS attacks.
“It is our hope that this report electrifies the discussion of securing cyber systems for the sake of our safety. We want to engage the conversation about incentives – what does it take to get us to protect against a threat which, although we cannot see it yet, could be devastating to public safety, business and the economy? How do we break the vicious cycle of building great new systems, such as the smart grid, without including security from the ground up? Are we really going to repeat the fatal flaw of the Internet to save a few dollars in the short term?” Schneck concluded.