Security Experts:

Attacks on Critical Infrastructure Organizations Resulted in Physical Damage: Survey

A survey commissioned by The Aspen Institute and Intel Security shows that critical infrastructure organizations often deal with cyberattacks, and many of them have reported suffering physical damage as a result of these attacks.

A total of 625 IT decision makers from public and private critical infrastructure organizations in the United States, France, Germany and the United Kingdom took part in a survey conducted by Vanson Bourne.

The survey has found that while critical infrastructure security experts agree that attack volume, number of breaches, and the rate of vulnerable code are increasing, many of the respondents stated that their own organizations have become less vulnerable. Only 27 percent of respondents said they feel very or extremely vulnerable today. In comparison, 50 percent of them stated that they felt this way three years ago.

Organizations in the United States seem the most confident when it comes to rating their security posture -- perceived vulnerability dropped from 57 percent to 24 percent in three years.

It usually takes organizations weeks and even months to discover that their systems have been breached. However, three quarters of the decision makers surveyed for the critical infrastructure readiness survey are confident or extremely confident in their organization’s ability to identify cyber attacks, and roughly two-thirds said they are confident in their ability to mitigate and deflect attacks.

Nearly 90 percent of respondents admitted experiencing at least one cyberattack over the past year, with a median of almost 20 attacks per year. Close to 60 percent of attacks resulted in physical damage, 33 percent resulted in service disruption, and over 25 percent led to data getting compromised.

“Those who have endured a higher number of successful attacks and confirmed damage feel more vulnerable than the rest; this suggests that as the number of attacks on all organizations continues to increase, the confidence levels reported in the survey may erode,” the report says.

Forty-eight percent of those who took part in the survey believe that a cyberattack resulting in critical infrastructure takedown and possibly even loss of human lives will occur within the next three years. Professionals in the U.S. are more concerned than ones in Europe, the report shows.

Many believe their organizations have not been hit by a devastating cyberattack thanks to good IT security systems. A majority of respondents (84 percent) said they are satisfied with their endpoint protection, web gateway, and network firewall solutions.

While security firms often warn about the risks associated with the bring-your-own-device (BYOD) trend, professionals within critical infrastructure organizations see BYOD as the least concerning potential attack vector. Critical infrastructure security experts see humans as the weakest link, particularly user errors caused by lack of awareness, the use of unofficial online services, and the use of social media websites.

Cybersecurity threats to critical infrastructure are escalating and 86 percent of respondents believe public-private threat intelligence sharing is important for cyber defense. Organizations believe that their own government, international authorities, and similar organizations can be a valuable partner.

When it comes to confidence in their own government, French professionals are the most confident and Germans are the least confident. On the other hand, respondents from Germany were the most confident in international authorities.

The complete report, titled “Holding the Line Against Cyber Threats: Critical Infrastructure Readiness Survey” (PDF), is available online.

Related: Learn more at the ICS Cyber Security Conference

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.