We recently surveyed 1,580 private businesses worldwide in industries termed critical infrastructure providers, i.e., industries of such importance that a successful attack that disabled their cyber networks would result in an actual threat to national security.
Our survey measured the awareness among private companies of efforts by governments to institute critical infrastructure programs, whether or not companies would be willing to cooperate with governments in those efforts, and the state of readiness of companies to ward off nation-wide attacks targeted at specific industries. A recent example of this type of attack is the Stuxnet worm, which targeted energy companies around the world.
The survey revealed that critical infrastructure providers’ networks are being attacked. Fifty-three percent of respondents state their companies have experienced perceived politically motivated attacks. These attacks cost companies an average of $850,000 per attack. We also discovered that industry is willing to partner with government on critical infrastructure protection. However, only one-third of critical infrastructure providers feel extremely prepared against all types of attacks. We learned that the energy industry is the best prepared, while the communications industry is the least prepared.
Here are some recommendations to ensure resiliency against critical infrastructure cyber attacks:
- Develop and enforce IT policies and automate compliance processes
- Protect information proactively by taking an information-centric approach to protect both information and interactions
- Authenticate identities to ensure only authorized personnel have access to systems
- Manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status
- Protect the infrastructure by securing endpoints, messaging and Web environments
- Ensure 24X7 availability
- Develop an information management strategy that includes an information retention plan and policies
As you can see from the recommendations listed above, security alone is not enough for critical infrastructure protection. Companies need to implement a combined approach that includes security, high availability and disaster recovery, and an information management strategy to maintain a network operating environment that is resilient against these types of attacks.
Click here to see all of the survey's findings. We’d like to hear from you—are you a critical infrastructure provider? Have you experienced politically motivated cyber attacks? Tell us about your organization’s state of readiness so others can follow your example.
Justin Somaini, CISO, Symantec Corp