Critical infrastructure providers are less engaged with government cyber protection despite growing

Fewer providers of critical national infrastructure (CNI) are currently engaged with government security programmes than last year, according to research.

Fewer providers of critical national infrastructure (CNI) are currently engaged with government security programmes than last year, according to research.

The survey suggest that only 37% of global CNI firms - such as energy, transport and telecoms companies - are engaged in government protection schemes in 2011, compared with 56% in 2010. This is despite the fact that if the cyber networks of these companies were attacked and disabled, it would pose a threat to national security.

Such firms are also more ambivalent than they were in 2010 about government programmes, according to Symantec's 2011 Critical Infrastructure Protection (CIP) Survey.

When asked their opinion about government CIP programmes, 42% of respondents had no opinion or were neutral, and only 57% said they were willing to cooperate with CIP programmes compared with 66% a year ago.

Global organisations feel less prepared than they did a year ago, but this is not surprising, the report said, because as an organisation's assessment of the threat drops, their readiness drops as well.

Overall readiness on a global scale fell an average of eight points to between 60% and 63% in 2011 compared with 68% to 70% in 2010.

The findings of the latest survey are alarming, considering recent attacks such as Duqu that have targeted critical infrastructure providers, said Dean Turner, director, Global Intelligence Network for Symantec.

"Limitations on manpower and resources as mentioned by respondents help explain why critical infrastructure providers have had to prioritise and focus their efforts on more day-to-day cyber threats. However, we think that targeted attacks against critical infrastructure providers in the form of Stuxnet, Nitro and Duqu will continue," he said.

According to Turner, businesses and governments around the world should be very aggressive in their efforts to promote and coordinate protection of critical industry cyber networks.

"These latest attacks are likely just the beginning of more targeted attacks directed at critical infrastructure," he said.

To ensure resiliency against cyber attacks, the report says CNI providers should:

- Develop and enforce IT policies and automate compliance processes.

- Protect information proactively by taking an information-centric approach to protect both information and interactions.

- Take a content-aware approach to protecting information, which is key in knowing who owns the information, where sensitive information resides, who has access, and how it is coming in or leaving your organisation.

- Manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.

- Protect the infrastructure by securing endpoints, messaging and web environments.

-Develop an information management strategy that includes an information retention plan and policies.

Read more on IT security