The report, written and researched by the Center for Strategic and International Studies (CSIS) and commissioned by McAfee, is based on the responses in September from 600 IT security executives working at critical infrastructure organizations worldwide.
More than half of the respondents said their organization has already experienced “large-scale” cyberattacks and “stealthy infiltration” of their networks by organized crime gangs, terrorists or nation-states. Malware and virus infections were the most widely reported cyberattacks, which 89 percent of respondents said their organization has experienced.
Brian Ahern, CEO of Industrial Defender, a company that provides cybersecurity solutions for critical infrastructure systems, told SCMagazineUS.com in an email on Thursday, that a cyberattack on critical operational infrastructure can threaten public safety, cause environmental damage, disrupt power and transportation, or result in deaths.
“This report is a great continuing effort to raise the public awareness of cybervulnerabilities of critical infrastructure in an ever-increasing networked world,” Ahern said.
The risk of cyberattacks on critical infrastructure systems is rising, the report states. Two-fifths of respondents said they expect a major cybersecurity incident to cause an outage of at least 24 hours or loss or life within the next year, the study found. Further, 80 percent expect such an incident within five years.
Twenty-nine percent of respondents said their company's networks currently suffer large-scale distributed denial-of-service (DDOS) attacks several times a month, the survey found. These attacks can affect functions needed to operate by making public websites inaccessible and disrupting email connectivity and internet-based telephone systems, the report states.
The cost of downtime resulting from a cybersecurity incident are staggering, the report concluded. Respondents, on average, estimated that a 24-hour network outage would cost an organization $6.3 million.
Phyllis Schneck, a vice president and director of threat intelligence at McAfee, told SCMagazineUS.com on Thursday that she hopes the survey findings will incentivize the private sector to invest money in cybersecurity.
“I think numbers like this will be motivators to the private sector to stand up more and allocate the funds,” she said.
The majority of survey respondents said they have adequate resources to protect their organization's computer networks, but more than one-third said their resources are currently “inadequate” or “somewhat adequate.” In addition, two-thirds of respondents said there have been cuts in the security resources available to them due to the recession.Michael Assante, vice president and CSO of the North American Electric Reliability Corp. (NERC), the organization that sets and enforces standards for power company owners and operators, told SCMagazineUS.com in an email Friday that cyberthreats are a growing concern for virtually all connected industries.
“There have been reports of infrastructure-focused attacks around the world, and we remain focused on working to ensure the reliability of the bulk power system given these concerns,” Assante said.
He added that protection efforts focus on reducing the ability of attacks to impact infrastructure operations and the delivery of essential services.