In a recent study, two-thirds of the citizens of a large city reported being mugged, but only a quarter said that stopping muggings was a top priority. OK, not really, but close.
SC Magazine reported a similar situation in an article by Danielle Walker on July 11 of this year. They reported on a study of critical infrastructure companies conducted by Unisys and Ponemon where “67 percent said they had dealt with at least one security compromise” but only 28 percent said that security was a top priority. There are more interesting statistics in the article along with a link to the actual report. It is good reading.
This seems to be a bit upside-down to me. I honestly thought critical infrastructure companies (utilities and such) had a much greater concern about security threats. Wiping out even a sector of any country’s electric grid, for instance, is a major deal. The big Northeast (US) Blackout of 2003 left some 55 million without electricity, but in 2012 a blackout in India left 670 million people without power. There is no indication that either of these blackouts was due to sabotage or cyber attacks.
However, the Northeast Blackout was blamed on a software bug. The impact included closed businesses, politicians losing office, and at least ten deaths. A cyber attack on critical infrastructure could have even greater impact.
I understand the need for low utility rates. I understand that rates are high enough to have a significant negative impact on the economically disadvantaged, the elderly on fixed incomes, and those in areas of severe heat or cold. I also understand that those groups would also be most severely impacted by a major outage in the extreme heat of summer or cold of winter. I know suggesting that utilities spend (more) money on something is unpopular, but it’s time.
Utilities need to spend more time and effort on cyber- (and maybe physical) security. Most people don’t have the three-day UPS I do (our power goes out frequently some winters due to snow and ice); when their power goes out, it is out. I remember in 1998 and 1999 utilities and other critical infrastructure companies spent lots of time and effort on “the Y2K problem” (software that used two digits for storing the year number in order to be space-efficient on older computers). The whole country seemed to support that and many worried that on January 1, 2000 they’d wake up with no electricity, no telephone service, no rail service, and on and on. That disaster didn’t happen, of course, because the critical infrastructure companies worked hard on the issue.
I don’t want to wake up some morning and find the electric grid down, my Internet dead, and/or my phone useless because of a cyberattack. The critical infrastructure companies need to act now to improve their security and protect against attacks and hackers “just playing around”.
Let us know what you think in the comments below. Are you concerned? What should be done?