The scale of the cyber-security threat to industrial assets and infrastructure such as the power grid has been hidden from view due to unreported attacks, a leading expert has warned.
Massachusetts Institute of Technology (MIT) professor Stuart Madnick said utilities must be prepared to deal with the aftermath of increasingly unavoidable attacks, as prevention, whilst worthwhile, is often “futile”.
Speaking at Accenture’s International Utility and Energy Conference in Paris, Madnick joked there are two types of organisation in existence: “Those organisations that know they’ve had a cyber-attack and those that don’t yet know that they’ve had a cyber-attack”.
He said studies have found that security breaches in the US and Europe on average continue for 200 days before being detected, with the figure rising to 400 days in some parts of the Asia-Pacific region.
The founding director of the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity at the MIT Sloan School of Management noted that the issue has risen to the attention of top-level executives in recent years, having previously been consigned to the “bowels” of many major organisations.
Madnick said the development is partly explained by the widespread news coverage of attacks where customers’ personal information has been stolen. He said hacking has become a huge global industry, describing the illicit activities carried out by drugs cartels as “child’s play” by comparison.
“In fact, there have been so many credit cards stolen, it’s hard to sell credit card numbers anymore because there’s a glut on the market,” he remarked.
By contrast, he said attacks on industrial assets and infrastructure often go unnoticed as they usually do not involve credit card details and personal information which are covered by regulations requiring reporting.
“So, typically when a cyber-attack happens you’re not obligated to report it and if you think about for a moment, saying I was broken into yesterday is not going to be seen as a good thing for business,” he added. “One of the biggest challenges we have is cyber-attacks on industry tend to not be reported or not be reported very well”.
Madnick said, although companies should do all they can to identify and protect themselves against threats, falling victim to one is unavoidable over the long term.
Hackers can find new vulnerabilities as quickly as old ones are uncovered and addressed, and there is also the risk of computer systems being breached from the inside, usually with the help of an unwitting employee.
Accordingly, he said organisations should also put the right systems and processes in place to detect breaches promptly and respond to and recover from them as quickly as possible.
Talking to the BBC’s Andrew Marr earlier this week, foreign secretary Boris Johnson said “every possible precaution” must be taken to guard against a potential Russian cyber-attack on the UK’s power grid.