ESG recently published a new research report titled, Cyber Supply Chain Security Revisited, focused on cyber supply chain security practices and challenges at U.S.-based critical infrastructure organizations (note: I am an ESG employee). The term “critical infrastructure” is associated with 16 industries designated by the U.S. Department of Homeland Security (DHS), “whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof” (source: DHS).
Some experts believe that a cyber-attack on one or several critical infrastructure organizations could result in a “Cyber Pearl Harbor,” disrupting society and the economy for weeks or months. This places critical industry organizations firmly in the national security bucket.
Are these firms really being targeted? Yup. ESG research reveals that 68% of the critical infrastructure organizations surveyed claim that they experienced one or several security incidents over the past two years. As for the ramifications of these security incidents:
- 36% of critical infrastructure organizations say that cybersecurity incidents led to the disruption of a critical business process and/or critical operations. These disruptions could range from ATM network outages, offline clinical systems, or a power failure – serious stuff.
- 36% of critical infrastructure organizations say that cybersecurity incidents led to the disruption of a critical business application or IT system availability. These disruption could include airline reservation systems, hospital information systems, or SCADA systems. Once again, these types of disruptions can wreak havoc for hours or days on end.
- 32% of critical infrastructure organizations say that cybersecurity incidents led to a breach of confidential data. This data could be banking customer information, patient records, or top secret design documents of military systems. It’s pretty obvious that the bad guys are stealing our data for criminal gains or industrial espionage.
The ESG research clearly indicates that critical infrastructure organizations are under a state of constant cyber-attack. Alarmingly, 67% of cybersecurity experts working at critical infrastructure organizations also believe that the threat landscape is more dangerous today than it was two years ago so things are likely to get worse and worse. It remains unclear whether this could lead to a Cyber Pearl Harbor, but there’s no doubt that cyber-attacks are disrupting critical services and costing us all a lot of money. Hmm, maybe the presidential candidates should pay more attention to cybersecurity and critical infrastructure and do less jawboning about each other's bank accounts and looks.
I’ll continue to blog about my cyber supply chain security research over the next few weeks and months. In the meantime, ESG has made the report available for free download here. Your feedback on the report is welcome.