US Critical Infrastructure Ripe for Attack

The Enterprise Strategy Group (ESG), a leading IT analyst, consulting, and research organization, has conducted a research project to assess whether organizations categorized by the U.S. Department of Homeland Security (DHS) as Critical Infrastructure and Key Resources (CIKR) were vulnerable to security attacks due to weaknesses in cyber supply chain security.

Based on primary research with 285 U.S.-based CIKR organizations, ESG concludes that critical infrastructure firms realize they are under attack. ESG found that the vast majority of CIKR firms participating in the survey suffered at least one security breach over the past two years. Survey respondents believe that the current threat landscape is worse than it was two years ago and will grow even more insidious between 2010 and 2012. In spite of increasing security risks, ESG found abundant security vulnerabilities: about 20% of survey respondents don’t believe their organizations are prepared to meet today’s cyber security challenges.

In analyzing the data, ESG also found an ironic and somewhat frightening correlation: CIKR organizations with the best cyber security preparation, knowledge, and technology defenses were also the most likely to experience the highest number of security incidents. This introduces an important question: Are less secure organizations finding fewer security attacks because they aren’t occurring or because these organizations lack the skills, processes, and tools to know what to look for? The frightening implication here is that many CIKR organizations may already be compromised.

Based on the research collected for this report, ESG concludes that:

Cyber security protection is directly related to regulatory compliance. About one-third of the CIKR organizations surveyed are obligated to comply with more than three industry/government regulations. This group had consistently better security policies, procedures, and safeguards than those required to comply with less than three regulations.

Critical infrastructure organizations face constant cyberattacks. Sixty-eight percent of CIKR organizations surveyed suffered at least one security breach over the past 24 months. Alarmingly, the organizations with the strongest security policies, procedures, and technical safeguards were also the ones with the highest number of security incidents. It is certainly possible that security-challenged CIKR organizations are under attack but lack the skills and tools to detect and remediate security incidents.

Threats continue to escalate. Twenty-eight percent of CIKR organizations believe that the threat landscape is much worse today than it was 24-36 months ago, while another 40% believe that the threat landscape is somewhat worse. Additionally, 71% of respondents believe that the threat landscape will be even worse two years from now. It is worth noting that CIKR organizations with the strongest security policies, procedures, and technical safeguards are the ones most likely to say that the threat landscape is getting much worse.

IT vendor security audits are performed inconsistently and are rarely thorough. While most CIKR organizations are doing some IT vendor due diligence, ESG found that IT security audits are done haphazardly and lack real depth.

In some cases, CIKR organizations conduct IT security audits that have little impact on IT procurement. To achieve best practices for IT vendor security audits, all vendors would need to be audited with standard audit procedures. The results of these IT security audits would then be a critical factor for ongoing IT procurement. Unfortunately, only 10% of CIKR follow these best practices for IT vendor audits.

External IT relationships lack appropriate security. To improve productivity, most CIKR organizations have opened internal IT systems to third parties like suppliers, customers, and business partners. While these relationships can help improve efficiency, increase revenue, and/or cut costs, they can also introduce cyber security vulnerabilities.

In aggregate, this research illustrates that many CIKR organizations are behind with basic security protection, let alone more advanced cyber supply chain security defenses. Many lack the skills or resources, while others need guidance and help with establishing best practices. There is also a visible cyber security communications gap between grass roots security professionals and executive managers who either don’t understand or don’t care about escalating cyber security risks. ESG believes that this situation leaves the U.S. critical infrastructure vulnerable to a cyberattack.