Systems for critical industries wide open to cyberattacks

Survey says more regulation and funding needed to push companies to better secure networks that operate vital infrastructures.

The networks used to manage the industries that the nation relies on, such as energy, transportation and chemicals, are vulnerable to cyberattacks, according to a survey of executives that operate critical infrastructure.

The vulnerabilities have proliferated because most control systems that operate the nation's physical infrastructure are now connected to the Internet, which introduces weaknesses companies have yet to address, according to the survey conducted by the security software vendor Secure Computing and Energy Insights, part of the information technology research firm IDC.

All respondents said the energy industry, made up of electric utilities and oil and gas companies, is the biggest target for potential attacks. They said if hackers breached these control systems, it would create the most damage for the United States, compared with other industries. More than 60 percent of respondents believe the energy industry is not prepared to protect its control systems from cyberattack.

"These systems have existed for decades, and some are based in technology that could be as much as 100 years old," said Phyllis Schneck, vice president of research integration at Secure Computing. "We connect them to traditional IT systems so we can make them more efficient, and in the process introduce all the cyber vulnerabilities we've been trying so hard to avoid. These vulnerabilities are not new, but they are newly introduced."

Other industries, while less of a target than energy, fail to implement adequate information security measures to protect control systems, the survey results indicated. About 75 percent of respondents said transportation, and the shipping and postal industry, were not prepared to fend off cyberattacks. Nearly 70 percent said the same about the chemical industry. About 60 percent of respondents said the emergency services field is not prepared. Financial services earned the highest marks for its efforts to protect control systems from cyberattacks, with more than 60 percent of respondents regarding the industry as prepared.

"Before, the people that ran [IT] just worried about how to keep the power on and [systems] available," Schneck said. "But now the word 'security' needs to be aligned with 'availability.' A cyber event, whether intended or not, has a physical infrastructure consequence. But [until] it goes boom, it isn't taken seriously."

The cost to protect the systems was the biggest obstacle to protecting critical infrastructure networks, according to 29 percent of survey respondents. Just over 17.5 percent said apathy -- as in the sentiment "it's not my job" or "it won't happen to me" -- kept industries from better protecting systems.

The best incentives to encourage industries to protect their networks could be more stringent federal regulation and government funding. Under the 2005 Energy Policy Act, the North American Electric Reliability Corporation develops standards for power plants that are approved by the Federal Energy Regulatory Commission. FERC then enforces the benchmarks for most of the nation's power plants. Amid criticism from Congress for failure to properly protect the power grid from cyberattacks, FERC mandated the critical infrastructure protection standards in January, which focus on cybersecurity. Power plants must comply with a set of requirements to tighten security by mid-2009 and with another set of criteria by the end of 2010.

"When it's regulated, the budget is allocated," Schneck said. "I bet the results of this study will be very different next year."