Energy, oil & gas industries ignore cyber risks

London – More than 40% of IT security executives from critical electricity infrastructure businesses expect a major cyber attack within the next year. The same percentage believes the industry’s vulnerability has risen over the last 12 months.

These are two of the key findings from a new report, In the Dark: Crucial Industries Confront Cyberattacks, prepared by internet virus software specialist McAfee and the Center for Strategic and International Studies (CSIS), based in Washington, DC. The report is based on a survey of 200 IT security executives in 14 countries, of which almost one-third (30%) believe their company is not prepared for a cyber attack.

Stewart Baker, who led the study for CSIS, said the adoption of security measures in important civilian industries has badly trailed the increase in threats. Over the last year the energy sector has increased its adoption of security technologies by only a single percentage point (51%). Oil and gas were little better, increasing by just three percentage points (48%).

One critical assessment of the lack of cyber security was provided by Jim Woolsey, former US director of central intelligence. He said: “Ninety to 95% of the people working on the smart grid are not concerned about security and only see it as a last box they have to check.”

The latest McAfee/CSIS study is a follow-up to a report in 2010 that highlighted the staggering cost and impact of cyber attacks on critical infrastructures. However, the 2011 research concludes that the response level has not improved significantly, even though the threat to infrastructures has been accelerating.

This lack of action has been despite the fact that many respondents in 2011 (nearly 70%) said they had frequently found malware designed to sabotage their systems. And nearly half of respondents in the electric industry sector said that they had found Stuxnet on their systems.

This growing threat to electrical smart grids infrastructures prompted McAfee VP Dr Phyllis Schneck to remark: “What we are learning is that the smart grid is not so smart.” She added that most critical infrastructures have not been designed with cyber security in mind and organisations need to implement stronger network controls to avoid being vulnerable.