What’s worse? Having your phones go down for a few hours or losing access to purified water?
Three out of four IT workers surveyed by Energy Insights said they are “annoyed, angry or frustrated” with the state of critical infrastructure security. The survey, which queried professionals in Canada, the U.S. and Europe, found the financial, energy and telecom sectors were “the most prepared,” while the water, shipping and transportation industries werethe least prepared.Half of the respondents said their organizations had experienced attacks. Let’s think about previous attacks and critical infrastructure failures.
In early 2003, the SQLSlammer attack shut down automated teller machines throughoutNorth America. The air traffic control systems in the United Stateswere unaffected, but that’s because the organization had updated its patches, and the chief information officer said he was “not gloating.”
The following summer, most of Ontario and a good portion of the eastern U.S. lost power for about 12 hours, but this was not due to either an IT or physical security breach. But the following year, the National Post newspaper shared with ITBusiness a report by PublicSafety and Emergency Preparedness Canada – not originally intended for distribution to the general public – predicting a “probable” failure of critical information infrastructure within five years.
While it may seem scary that critical infrastructure is vulnerable to an attack, the consequences are not clear. There are security breaches and there are “threats” (such as spam) that software and service vendors aim to stop but aren’t going to kill you.
Some threats will prevent users from using their Internet connections or finishing their monthly reports, while others have more serious consequences and will actually prevent companies from operating at all. What happens when a municipal water system gets attacked? Will the filtration plant stop pumping, filtering and chlorinating water? Is it a case of one of the office workers getting an e-mail from a phisher purporting to be from a bank? Or will a denial of service attack slow down the Internet connection?In a best case scenario, the Energy Insights survey indicates that IT workers in “critical infrastructure” industries believe that if they were hackers, they could easily wreak havoc on the IT infrastructure upon which our critical infrastructure is dependent.
In a worst-case, criminals will launch some sort of an attack on what used to be knownas “vital points,” making it far more difficult for citizens to obtain the necessities of life. Either way, the best time to think about worst-case scenarios would be some time before they happen.