Recent research has highlighted a worrying trend: a rise in hacking activity against critical infrastructure has taken systems offline with increasing frequency over the past 24 months.
The study, led by the Ponemon Institute, surveyed cyber specialists in the UK and five other countries and found that 90% had suffered at least one successful cyber-attack. Sectors covered by the research included utilities, energy, health and transport.
Analysts have labelled the findings as a sharp reminder of the urgent situation in which industries find themselves, industries that are often guilty of failing to report on hacking activity and the damage it causes.
Secrecy over security is often cited as a reason for staff staying tight-lipped about incidents that affect key IT systems.
The report also said that inadequate resources and knowledge about “relentless and continuous” hacking campaigns are among the main dangers facing the industry.
The Ponemon Institute used an anonymous survey to gain insight from over 700 engineers charged with protecting critical infrastructure in countries including Japan, Mexico, Australia, Germany, the UK and the US.
Nine out of ten respondents said that their organisation had been adversely affected by a series of hacking attempts over the past two years, with a high number saying that between three and six cyber-attacks had taken place.
Around 50% of the hacks were reported to have caused major disruption, forcing critical systems to go down.
Speaking to the BBC news website, security specialist Eitan Goldstein said:
“These are multiple, successful attacks on the physical world using cyber-technologies.
“That is a really big change and that’s why the risk isn’t just theoretical any more. We believe the reason behind it is increased connectivity to industrial control systems.
“Today we want to be able to do analytics and predictive maintenance in our power plants, but the proliferation of smart devices and sensors and IoT is really increasing our cyber-exposure to attack.
“In many cases, organisations don’t even know what is connected to the internet and what can be accessed by hackers,” Goldstein continued.
Professor Alan Woodward of the University of Surrey’s Cyber Security Centre said:
“Even if the results are perhaps slightly higher than might otherwise be the case, because the group is self-selecting, this data as a whole still paints a troubling picture. Most information in the public domain tends to be anecdotal, or driven by specific incidents. This is one of the few reports I’ve seen that has the number of respondents to make it potentially statistically meaningful.
“Not only are elements of critical infrastructure being attacked, they are being ‘successfully’ attacked: these attacks are having a tangible impact, sometimes on multiple occasions. The data also reveals worrying themes, such as a lack of skilled staff or appropriate incident response plans to mitigate the attacks.
“In many ways, it doesn’t matter what the motive of the attackers is. It could be criminals looking to extort money with a scattergun-type attack in which the infrastructure provider happens to get caught, or state actors seeking to disrupt services.
“The results on society are the same. When you think what critical infrastructure is, it’s something that we simply must invest in protecting,” he continued.