Critical infrastructure firms hit by DoS attacks and extortion

Eighty per cent of critical infrastructure organisations, including oil, gas, water and power companies, have been hit by a denial-of-service attack in the past year, while extortion has jumped by a quarter, but few are adopting appropriate security measures, according to McAfee.

The security firm's latest Critical National Infrastructure (CNI) report, In the Dark: Crucial Industries Confront Cyberattacks, found that critical infrastructure companies still lag behind when it comes to cyber security, despite the growing threat levels.

Some 40 per cent of executives surveyed believed that their industry's vulnerability had increased, nearly 30 per cent said that their company is not prepared for a cyber attack, and over 40 per cent expect a major cyber attack within the next year.

Yet despite this, only a quarter have tools to monitor network activity, while around the same number use those tools to detect anomalies.

CNI firms are increasingly on the radar of cyber criminals keen to exploit the relative lack of up-to-date security on vital supervisory control and data acquisition (Scada) systems.

The Stuxnet worm discovered in 2010 was targeted specifically at Scada systems, and appears to have been a watershed moment for the CNI firms and the cyber criminals.

Just last week, a report from Q1 Labs found that two-thirds of global energy companies are potentially exposed to a Stuxnet-like attack because they do not employ state-of-the-art Scada security.

Worryingly, nearly half of respondents in the electricity sector reported to McAfee that they had found Stuxnet on their systems.

Much of the problem seems to be energy firms adopting new technologies, including smart grids, but failing properly to mitigate the risks with the appropriate technologies and policies, according to McAfee senior director Sal Viveros.

"Everyone seems to be moving to smart grids, but what we have found is that smart grids aren't so smart," he said. "They are opening up a big hole for attacks on these companies."

Extortion attempts, in particular, have jumped by 25 per cent in the past year, according to the report. Anecdotal evidence suggests that recent power black outs in Brazil were down to cyber criminals interfering with IT systems, added Viveros.