A growing number of cyber-attacks on key installations have successfully put systems out of action over the past two years, a study has revealed.
A survey of security professionals in six countries, including the UK, by the Ponemon Institute found 90% had been hit by at least one successful attack.
Staff in the utilities, energy, health and transport sectors were questioned.
Experts said the results are a wake-up call for an industry that often under-reports attacks and the damage done.
Staff tasked with keeping critical infrastructure systems running often kept details secret for security reasons, they said.
The report also concludes that a lack of resources and intelligence about “relentless and continuous” cyber-attacks are the industry’s biggest concern.
The Ponemon Institute, which specialises in cyber-security and privacy issues, used an anonymous poll to quiz more than 700 security professionals in the US, UK, Germany, Australia, Mexico and Japan who work to protect critical infrastructure.
Of those responding, nine out of 10 said the organisation they worked for had been damaged by a successful cyber-attack in the last two years. Many reported being hit by between three and six such incidents.
Respondents said around half of the successful attacks had resulted in downtime of critical systems. This was because essential systems were knocked out as part of the attack or operators had to turn off systems to repair the damage done.
“These are multiple, successful attacks on the physical world using cyber-technologies,” Eitan Goldstein, from security firm Tenable, which commissioned the report, told the BBC.
“That is a really big change and that’s why the risk isn’t just theoretical any more.
“We believe the reason behind it is increased connectivity to industrial control systems.
“Today we want to be able to do analytics and predictive maintenance in our power plants, but the proliferation of smart devices and sensors and IoT is really increasing our cyber-exposure to attack.
“In many cases, organisations don’t even know what is connected to the internet and what can be accessed by hackers.”
Prof Alan Woodward, of the University of Surrey’s Cyber Security Centre, questioned the unexpectedly high response rate in the survey but added: “Even if the results are perhaps slightly higher than might otherwise be the case, because the group is self-selecting, this data as a whole still paints a troubling picture.
“Most information in the public domain tends to be anecdotal, or driven by specific incidents. This is one of the few reports I’ve seen that has the number of respondents to make it potentially statistically meaningful.
“Not only are elements of critical infrastructure being attacked, they are being ‘successfully’ attacked: these attacks are having a tangible impact, sometimes on multiple occasions.”
How to protect key infrastructure
- Assume attacks will be made. Prepare with the right people, processes and technology, or risk long-term damage
- Realise the attacks will not stop. Many organisations are now successfully attacked several times a year
- Guard against human failings. An attack may succeed because just one employee clicks on a phishing email
- Share intelligence with similar organisations. National cyber-defence organisations often run online forums where experiences can be shared
“The data also reveals worrying themes, such as a lack of skilled staff or appropriate incident response plans to mitigate the attacks.”
He added: “In many ways it doesn’t matter what the motive of the attackers is. It could be criminals looking to extort money with a scattergun-type attack in which the infrastructure provider happens to get caught, or state actors seeking to disrupt services. The results on society are the same.
“When you think what critical infrastructure is, it’s something that we simply must invest in protecting.”.