On Thursday, McAfee shed light on the cost and impact of cyberattacks on critical infrastructures such as electrical grids, oil and gas production, telecommunications and transportation networks. More than half of 600 IT security executives from critical infrastructure enterprises worldwide report large-scale attacks or infiltrations from organized crime, terrorists or nation-states.
The average estimated cost of downtime associated with a major incident was a jaw-dropping $6.3 million per day.
"In today's economic climate, it is imperative that organizations prepare for the instability that cyberattacks on critical infrastructure can cause," said Dave DeWalt, president and CEO of McAfee. "From public transportation to energy to telecommunications, these are the systems we depend on every day. An attack on any of these industries could cause widespread economic disruptions, environmental disasters, loss of property, and even loss of life."
Cyberattacks on the Rise
The report, titled In the Crossfire: Critical Infrastructure in the Age of Cyberwar, warns of the rising risk of cyberattacks. Thirty-seven percent of IT executives said the vulnerability of their sector has increased over the past 12 months, and two-fifths expect a major security incident in their sector within the next year. Only 20 percent think their sector is safe from serious cyberattack over the next five years.
Many of the world's critical infrastructures were built for reliability and availability, McAfee noted, not security. Traditionally, these organizations have had little to no cyber protection, and have relied on guards, gates and guns. Today, however, McAfee said computer networks are interconnected with corporate IT networks and other infrastructure networks accessible from anywhere in the world.
"The recently identified Operation Aurora was the largest and most sophisticated cyberattack targeted at specific corporations, but it could have just as easily targeted the world's critical infrastructure," DeWalt said. "The attack announced by Google and identified by McAfee was the most sophisticated threat seen in years, making it a watershed moment in cybersecurity because of the targeted and coordinated nature of the attack."
The Role of Regulation
More than a third of respondents believe their sector is unprepared to deal with major attacks or stealthy infiltrations by high-level adversaries, while two-thirds of IT execs report the current economic climate has caused cutbacks in the security resources available.
More than half, or 55 percent, believe the laws in their country are inadequate to deter potential cyberattacks, with those based in Russia, Mexico and Brazil the most skeptical. Another 45 percent don't believe the authorities are capable of preventing or deterring attacks.
"Governance issues are at the center of any discussion of security for critical infrastructure," said Stewart Baker, a distinguished visiting fellow at CSIS and a lawyer at Steptoe and Johnson. "The relationships between the governments and private-sector organizations involved are complex, but it is essential that each have faith in the others' ability. The security industry will always strive to stay one step ahead, but in the absence of any technological silver bullet, regulation has a role to play in defending critical infrastructures around the world."