Energy industry fears big cyber-attack this year

Insecurity experts believe a major cyber-attack on critical infrastructure such as that owned by energy companies will take place in the next year, according to a new report from McAfee.

In the report, In the Dark: Crucial Industries Confront Cyber-attacks (PDF), released yesterday, the security vendor and the Centre for Strategic and International Studies (CSIS) revealed that that more than 80 per cent of the 200 IT security executives questioned said their company had experienced a denial-of-service attack or network intrusion in the last year - and 40 per cent said they were were worried that a "major attack" on critical infrastructure would occur in the next 12 months.

Forty per cent of those questioned, who represent electricity infrastructure companies in 14 countries, also said they believed the industry had become more vulnerable - outnumbering almost two-to-one those who felt vulnerabilities had declined.

More worrying still, between a fifth and a third of respondents said that their company was either "not at all prepared", or "not very prepared" against cyber-attacks ranging from malware to denial-of-service.

McAfee reports that the energy industry as a whole has implemented only 51 per cent of necessary security measures, including encryption and authentication - a rise of just one per cent on the previous year.

Some countries are worse than others, with companies in Brazil, France and Mexico having adopted only half as many security measures as those in China, Italy or Japan.

The report goes on to accuse energy companies of "doubling down on the danger" by implementing "smart grid" technologies that give their IT systems more control over the delivery of power to individual customers - or even to individual appliances in customers' homes.

"Without better security," say the report's authors, "this increased control can fall into the hands of criminals or 'hacktivists', giving them the ability to modify billing information and perhaps even control which customers or appliances get electricity.

Between 90 and 95 per cent of the people questioned who were working on the smart grid said they were not concerned about security.

IT news website TechEye reports one anonymous source as saying: "There's already been attacks and threats to hospital infrastructure and financial institutions, while there's been numerous security warnings of cyber-attacks from China on utilities and infrastructure.

"Although it may be controversial to say, there's no better way to attack a country then hit its power grids and overall infrastructure. That said, and as this report seems to show, no-one is really doing anything about it."

The warning comes as consumer electronics giant Sony has been forced to admit that credit card and identity details of up to 77 million users may have been stolen in a hacking attack on its PlayStation Network online gaming system. Sony suspended the service last Wednesday, claiming that the PSN was down for "maintenance".

Early reports blamed 'hacktivist' group Anonymous for the attack, but Sony's statement on the intrusion suggests it may have been the work of a single, rogue hacker.

The outcome of a major attack on energy infrastructure could be still more catastrophic. Earlier this year, Russian scientists working on Iran's nuclear energy programme warned of the threat of "another Chernobyl", due to damage caused to the country's first reactor at Bushehr by the Stuxnet worm. Stuxnet is widely believed to have been the work of the Israeli and US secret services.

Iran yesterday reported that government systems had come under attack from another virus, identified by the head of the country's civil defence, Gholamreza Jalali, as 'Stars'.