Malaysian critical infrastructure firms feel unengaged
ZDNet Asia (21 Nov 2011)

KUALA LUMPUR - Companies operating in the country's critical infrastructure sectors do not feel engaged with national critical infrastructure protection (CIP) programs, say Symantec executives, who note that this situation is worrisome amid attacks on critical networks.

According to a survey commissioned by the IT security vendor, 34 percent of respondents in Malaysia felt unengaged in the government's CIP programs, while 36 percent said they were neutral or had no opinion on such initiatives.

CIP programs are policy-based, educational awareness programs undertaken by governments to ensure providers of critical infrastructure in their respective country are prepared to respond in the event of an emergency. In Malaysia, for instance, CIP programs are under the purview of CyberSecurity Malaysia, while the Singapore Information Technology Security Agency (SITSA) manages its country's CIP efforts.

The findings were part of an annual global survey conducted by Applied Research, which polled 3,475 global respondents in 37 countries, comprising 1,900 small to midsize businesses (SMBs), with 5 to 499 employees, and 1,575 enterprises. The organizations were from 14 critical infrastructure industries including finance, telecommunications, public services, energy, healthcare, manufacturing, government, transportation and public works.

This was the first time Malaysia, with 150 respondents, was included in the survey, which ran for the second time this year.

Globally, respondents said they were less aware and not as engaged with their respective national CIP programs compared to last year. The survey revealed that 36 percent were "somewhat" aware of such plans being discussed in their respective country, compared to 55 percent in 2010. In addition, 26 percent said they were "neutral" or had "no opinion" of their government's CIP programs, compared to 42 percent last year.

Organizations also felt less prepared and indicated that their readiness to respond in an emergency had dropped by 8 percent, compared to last year.

Potential to do real harm
Ilias Chantzos, senior director of government affairs for Symantec's Asia Pacific, Japan and EMEA, said the decline in awareness indicated a worrisome trend, especially amid the recent Stuxnet and Duqu attacks on critical infrastructures.

Speaking at a media briefing here Monday, Chantzos said the attacks on critical infrastructure were very targeted, highly motivated and specialized in nature. "This [trend] is going to continue and they have the potential to do very real harm," he warned.

Quizzed on why CIP awareness was on a decline, the Symantec executive said this was likely due to the rise of information security attacks in 2011 compared to last year, where these companies struggled to battle such attacks and prioritized this over other issues, such as finding out more about CIP programs.

"It's understandable that every critical infrastructure provider has finite resources, limited manpower and money, especially in today's economic environment," Chantzos explained. "These providers are limited to what they can throw at the problem."

He noted that the constant fire-fighting to deal with these attacks forced these companies to divert their resources toward managing the threats and dealing with day-to-day operational issues, rather than focusing on more strategic, long-term objectives in securing their infrastructure and working with their respective governments.

"They need to make sure that they don't get hit and if they do, to focus on containing their infrastructure so that they will remain resilient," he said. "This is why I believe there is a decline in those numbers."

Asked if Singapore exhibited similar trends to that of Malaysia, Ng Kai Koon, Symantec's senior manager for legal and public affairs, noted that its Singapore findings were similar to the global results.

"We do have anecdotal evidence that the critical infrastructure providers are taking part in some of these CIP programs," Ng said on the sidelines of the briefing. "On the whole, we are going through the same challenges as other countries."

However, he said Singapore faced an additional challenge due to the rollout of its next-generation national broadband network. "As consumers and enterprises embrace high-speed broadband, Singapore will have to deal with certain threats more [than others]," he added.

Survey findings specific to Singapore were not released at the briefing, but Symantec executives said these would be made available in the near future.

Need to stay vigilant
Despite the decline in awareness, Chantzos noted it was important that critical infrastructure providers continued to develop and enforce IT policies as well as automate all compliance and processes.

"They should also manage systems by implementing secure operating environments," he added. "This includes having standalone systems free from any connectivity to the Internet, and the isolation of systems from any portable memory or disk devices."

As for governments, Chantzos said it is crucial they continue putting forth the resources to establish CIP programs. "There is also a need for them to partner industry associations and private enterprise groups to raise the awareness of CIP plans."

Edwin Yapp is a freelance IT writer based in Malaysia.