A study commissioned by Symantec in 2010 shows that companies running critical infrastructure such as energy and telecommunications are willing to engage with government to develop critical infrastructure protection (CIP) programmes.
The survey included 1,580 enterprises in 15 countries worldwide, the median company having between 1,000 and 2,499 employees. Symantec focused on six key critical infrastructure segments: energy, banking & finance, communications, IT, healthcare, and emergency services. The goal was to find out how aware critical infrastructure companies were of government efforts in this area and how engaged and enthusiastic private enterprise was about working with government.
Nearly all of the companies (90 percent) said they have engaged with their government’s CIP programme, with 56 percent being significantly or completely engaged. In addition, two-thirds have positive attitudes about programmes and are somewhat to completely willing to co-operate with their government on CIP.
“A country’s critical information infrastructure is characterised as businesses and industries whose importance is such that if their cyber networks were successfully breached and disabled, it could result in a threat to national security,” says Gordon Love, Regional Director, Symantec. In some countries, upwards of eighty-five percent of the nation’s critical infrastructure is owned by private corporations.
“The sharp increase in targeted attacks we have seen this year, especially in the South African financial sector, sends a clear signal that co-operation and mutual support are even more important if we are to be able to live and work safely online,” says Love. “Greater co-operation between the private sector and government is key if critical services are to be assured in the event of disasters or attacks that can cause data loss and bring operations to a halt.”
Recommendations to ensure resiliency against critical infrastructure cyber attacks:
Develop and enforce IT policies and automate compliance processes. By prioritising risks and defining policies that span across all locations, organisations can enforce policies through built-in automation and workflow and not only identify threats but remediate incidents as they occur or anticipate them before they happen.
Protect information proactively by taking an information-centric approach. Taking a content-aware approach to protecting information is key in knowing who owns the information, where sensitive information resides, who has access, and how to protect it as it is coming in or leaving your organisation. Utilise encryption to secure sensitive information and prohibit access by unauthorised individuals.
Authenticate identities by leveraging solutions that allow businesses to ensure only authorised personnel have access to systems. Authentication also enables organisations to protect public facing assets by ensuring the true identity of a device, system, or application is authentic. This prevents individuals from accidentally disclosing credentials to an attack site and from attaching unauthorised devices to the infrastructure.
Manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.
Protect the infrastructure by securing endpoints, messaging and Web environments. In addition, defending critical internal servers and implementing the ability to back up and recover data should be priorities. Organisations also need the visibility and security intelligence to respond to threats rapidly.
Ensure 24×7 availability. Organisations should implement testing methods that are non-disruptive and they can reduce complexity by automating failover. Virtual environments should be treated the same as a physical environment, showing the need for organisations to adopt more cross-platform and cross-environment tools, or standardise on fewer platforms.
Develop an information management strategy that includes an information retention plan and policies. Organisations need to stop using backup for archiving and legal holds, implement deduplication everywhere to free resources, use a full-featured archive system and deploy data loss prevention technologies.
Recommendations for governments to promote critical infrastructure protection:
Governments should continue to make resources available to establish critical infrastructure protection programmes.
The majority of critical infrastructure providers confirm that they are aware of critical infrastructure programmes.
Furthermore, a majority of critical infrastructure providers support efforts by the government to develop protection programmes.
Governments should partner with industry associations to develop and disseminate information to raise awareness of CIP organisations and plans. Specific information should include how a response would work in the face of a national cyber attack, what the roles of government and industry would be, who the specific contacts are for various industries at a regional and national level, and how government and private business would share information in the event of an emergency.
Governments should emphasise that security alone is not enough to stay resilient in the face of today’s cyber attacks. In addition, critical infrastructure providers and enterprises in general should also ensure that their information is stored, backed up, organised, prioritised, and that proper identity and access control processes are in place.