Majority Of Critical Infrastructure Companies Are Susceptible To Cyber Attacks But Are Not Doing Eno

By Author: EC-COUNCIL
Total Articles: 68
Comment this article

Information security of critical infrastructure companies has to be sufficiently protected as they are increasingly under attack. According to In the Dark: Crucial Industries Confront Cyberattacks, commissioned by McAfee and carried out by the Center for Strategic and International Studies, oil, gas, electricity and water firms should consider investing in IT security since they are particularly vulnerable to criminals who tailor malicious software to attack their networks.
According to a new report, cyber attacks on critical infrastructure companies are on the rise, with a jump in extortion attempts and malware designed to sabotage systems, like Stuxnet. Stuxnet is a Windows computer worm discovered in July 2010 that targets industrial software and equipment. It is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.
Stuxnet first infected Windows-based industrial control computers while it hunted for particular types of equipment made by the Siemens Corporation. It was programmed to then damage a uranium centrifuge array ...
... by repeatedly speeding it up, while at the same time hiding its attack from the control computers by sending false information to displays that monitored the system. A senior Iranian military official says experts have determined the United States and Israel were behind the Stuxnet computer worm that has harmed Iran's nuclear program.
While attacks are increasing, many companies aren't doing enough to protect their systems and are instead rushing to adopt new technologies without ensuring they adequately secure against. “Stuxnet changed the game in our awareness,” Phyllis Schneck, vice president and chief technology officer for public sector at McAfee, said in an interview. "Attacks are being developed directly for the capability of creating events on a physical infrastructure."
According to the U.S. Government Accountability Office and independent security experts, the threat from sabotage includes electrical smart grids. Fifty-six percent of the respondents whose companies are planning new smart grid systems also plan to connect to the consumer over the Internet. But only two-thirds have adopted special security measures for the smart grid controls, the report said. "We could end up with a grid connected to peoples' homes that is not properly secured from a cyber attack," said Schneck. "If that system could be turned against itself, that is a disaster waiting to happen."
According to web security firm ScanSafe.Critical infrastructure organizations, such as those in the energy, oil, pharmaceutical and chemical sectors, encountered at least twice as much web malware as other organizations during 2009. More than any other verticals, the energy and oil sectors were pummeled with the greatest amount of data-theft trojans last year, according to ScanSafe's "Annual Global Threat Report 2009," released Thursday. Energy and oil companies experienced a 356 percent higher rate of direct encounters with data-theft trojans compared to other verticals, the report said. Also, those in the pharmaceutical and chemical sectors encountered 322 percent information-stealing malware compared to other verticals.
Another trend happening with critical infrastructure companies is extortion. One in four survey respondents said they had been victims of extortion through cyber attacks or threats of attack with the number of companies subject to extortion increasing by 25 percent over last year. India and Mexico had particularly high rates of extortion attempts, the report found. These report findings clearly points out that despite the increase in threats, critical infrastructure companies aren't beefing up their internet security.
Organizations need to implement robust internet security initiatives, including hiring highly trained information security experts in order to avoid security breaches. Information security professionals can increase their information security knowledge and skills by embarking on highly technical and advanced training programs. EC-Council has launched the Center of Advanced Security Training (CAST), to address the deficiency of highly technically skilled information security professionals.
CAST will provide advanced technical security training covering topics such as Advanced Penetration Testing, Digital Mobile Forensics training, Application Security, Advanced Network Defense, and Cryptography. These highly technical and advanced information security training will be offered at all EC-Council hosted conferences and events, and through specially selected EC-Council Authorized Training Centers.

About EC-Council
EC-Council is a member-based organization that certifies individuals in various e-business and security skills. It is the owner and developer of the world famous Certified Ethical Hacker (CEH) course, Computer Hacking Forensics Investigator (CHFI) program, License Penetration Tester (LPT) program and various other information security training programs offered in over 84 countries around the globe. EC-Council has trained over 90,000 individuals in technical security training and certified more than 40,000 security professionals. EC-Council has launched the Center of Advanced Security Training (CAST), to address the deficiency in the lack of highly technically skilled information security professionals.