Like the numbers that make up computer code, probing infrastructure investors on their preparedness against cyber-attacks tends to give you binary answers.
On the record, most firms will tell you that they’re doing everything in their power to prevent breaches. But backstage many tend to offer more unsettling assessments. At our recent Investors’ Council event in Versailles, held under Chatham House rules, an industry expert asked for a show of hands. “How many of you incentivise cybersecurity plans through chief executive KPIs?” he asked. A telling stillness ensued.
Hard figures seem to back the worrying reality hinted at by ad-hoc surveys. Insiders reckon that an average of nine months tends to pass between an alleged breach at a private company and its discovery. In Versailles, it was pointed out that the chief executive of a US utility confessed to suffering three million attempted hacks every month; a recent survey found that 200 out of 500 infrastructure suppliers in North and South America have been the target of efforts to shut down their network.
Sometimes these attacks succeed. Such was the case in Ukraine last December, where the entire Ivano-Frankivsk region stayed in the dark for six hours. To disrupt the grid, hackers targeted a local plant’s supervisory control and data acquisition (SCADA) system. Experts say the station was not a weakling in terms of IT protection – its control systems were indeed deemed more secure than some in the US. Yet they allege the attacking squad could have disabled the facility permanently, had it wanted to.
This underlines how global cyber threats have become. Prior to the Ukraine outage, SCADA assaults had already occurred in Italy, Malta and the UK. Their potential success in shutting the cooling system of a nuclear plant or opening a dam on a populous valley raises even scarier prospects. If a high-profile breach with dramatic implications were to happen at a publicly managed asset, the ensuing public fallout and its impact on the industry would be nothing short of momentous.
Critical infrastructure hacks are rarely the work of petty criminals. Long planned and highly sophisticated, they often require funds and people only state-backed actors can access. This is why some measures are being promoted at the international level: a pact of non-aggression in cyberspace, limited to critical infrastructure, would probably enlist support from a host of nations.
But global co-operation would take time to reach a critical scale; holding signatories to account could prove difficult anyway (tracing back attack perpetrators with certainty is often tricky). It is thus time for infrastructure operators to take the matter into their own hands. Encouragingly, pundits suggest 80 percent of all breaches could be curtailed simply by observing better cyber-hygiene (such as regularly changing passwords). Enhanced information sharing would also help industry players spread best practice and keep track of the latest security patches.
Cyber-security is like an endless game of cat and mouse: hackers swiftly move on to find new holes once existing ones have been plugged. This is not a game investors can afford to lose – they should shore up the odds on their side.
Write to the author at firstname.lastname@example.org