US critical infrastructure unprepared for cyber attack - report

Survey from Unisys and the Ponemon Institute indicates patchy preparedness of cyber attack

US critical infrastructure is largely unprepared for cyber attack with just 17 per cent of utilities claiming that their IT security programmes are deployed.

That is the result of research from Unisys, conducted by the Ponemon Institute.

"Fifty per cent of respondents say their IT security activities have not as yet been defined or deployed (7 per cent) or they have defined activities but they are only partially deployed (43 per cent). A possible reason is that only 28 per cent of respondents agree that security is one of the top five strategic priorities across the enterprise," concluded the report.

Such lackadaisical protection comes despite the almost universally held belief that the cyber threats faced by power companies, water utilities and other essential service providers has increased.

"Security compromises are occurring in most companies. It is difficult to understand why security is not a top a priority because 67 per cent of respondents say their companies have had at least one security compromise that has led to the loss of confidential information or disruption to operations over the last 12 months. Twenty-four per cent of respondents say these compromises were due to an insider attack or negligent privileged IT users," it continued.

One of the key problems highlighted by the report is the fear that upgrading legacy IT may result in the failure or compromise of mission-critical systems. In addition, many companies are not receiving the intelligence they need to secure their systems appropriately or that the intelligence they do receive or subscribe to is inadequate.

However, despite the focus over the past year on governmental-instigated attacks, the top security threat remains insiders, with "nation state, terrorist or criminal-syndicate sponsored attacks" coming a long way down the list of top security threats.

Among organisations that had been attacked, though, databases, end-point devices (such as PCs and tablets) and cloud-based systems were the three most frequent attack vectors, according to the report.

Ponemon Institute conducted research among 760 US utility industry specialists, as well as representatives of the oil and gas, chemicals and big industrial manufacturers.