In a report by the Ponemon Institute and Unisys, it was discovered that critical infrastructure industries not just in the US have serious gaps in security.

The study involved nearly 600 security executives from manufacturing, energy, oil and gas and utility companies across 13 countries surveyed from April to May, and 64 percent of the respondents admitted to expecting at least one serious attack within the following year. Close to 70 percent of the surveyed companies are also responsible for water, power and other critical functions in the world, all of which reported a breach in security in their companies that led to either a disruption in operations or loss of sensitive information in the last 12 months.

Despite the risks, however, only 28 percent consider security to be one of the top priorities of their company. Results are surprising; most especially that a number of the companies surveyed form the backbone of the world economy. This means that the companies can't afford disruptions in their operations but at the same time not enough is being done to boost security against cyberthreats.

In the US, 16 critical infrastructure sectors exist and all are regulated by the National Cybersecurity Framework which came out in February. The framework was developed after US President Obama stated in the 2013 State of the Union that there was a need to protect critical security in the country.

Critical infrastructures have been called to make upgrades to enforce tighter security but the task is not so easy given that people depend on their services everyday so disruptions will not be welcomed. Even when companies may be willing to upgrade, more than half of the respondents to the study are not sure if that was even possible without incurring too many losses.

"Recent cyberattacks employing a sophisticated Russian malware have targeted U.S. energy grid operators as well as major electricity providers in Spain, Italy, France, Germany and Poland," said U.S. Department of Homeland Security and cybersecurity company Symantec. 

If upgrades can't be done at the moment, Chief Information Security Officer for Unisys Dave Frymier suggests companies should at least separate general IT infrastructure from critical infrastructure. This means the network used for basic services such as email should not be the same as the one utilized for system operations.

Cyberattacks have mostly involved corporate espionage but it is very possible for hackers to hold ransom a power grid or a water treatment plant for ransom.