From warnings of "a zero-day attack coming from a thumb drive" to findings of "accelerating threats and vulnerabilities" facing critical infrastructure, a new report from McAfee and the Center for Strategic and International Studies (CSIS) is enough to scare any complacent utilities manager straight.
As they did a year ago, McAfee and CSIS surveyed IT executives from critical electricity infrastructure enterprises around the globe for Tuesday's report titled "In the Dark: Critical Industries Confront Cyberattacks". But whereas just over half of all respondents reported facing a large-scale denial of service attack or network infiltration at their facilities in 2009, more than 80 percent said they'd experience such incidents in 2010.
Threats to critical infrastructure like the "smart grid" technology being deployed by power companies are growing, the study reports, citing such new developments as the Stuxnet Windows computer worm which specifically targets industrial software and computer equipment. Yet executives in the sector made only "modest progress in securing their networks" in 2010.
The report identifies loosely organzied cyberterrorism and "hacktivism" as a growing area of concern. Unlike with cybercriminals, the "cyberwarrior" sees the shutdown of a target as the payoff rather than a failure to properly extort money from a victim in return for calling off an attack.
Government-sponsored cyberattacks pose a similar threat, according to McAfee and CSIS.
Stuxnet "is almost certainly the work of a government, not a criminal gang," the report claims. "Stuxnet is, in short, a weapon. It is a concrete demonstration that governments will develop malware to sabotage their adversaries' IT systems and critical infrastructure."
Which isn't to say that good old profit-seeking cybercrime isn't still prevalent in the sector. One in four survey respondents said they had been "victims of extortion through cyberattacks or threatened cyberattacks" in the past year.
The McAfee-CSIS study recommends a number of steps for the critical infrastructure sector to take to improve IT security, including improved authentication measures to building better partnerships with governments. But the study's authors seem to be fairly pessimistic about security actually improving.
"Overall, we found little good news about cybersecurity in the electric grid and other crucial services that depend on information technology and industrial control systems," the study concludes. "Whether audits and similar regulation will work better remains to be seen, but we can no longer pretend that it is business as usual for cybersecurity."