Three quarters of global energy corporations have suffered one or more data breaches in the last 12 months, according to a new survey by The Ponemon Institute, which finds evidence of widespread shortcomings in the energy and utilities vertical.
The report, “The State of IT Security: Study of Utilities and Energy Companies,” was released on Wednesday by The Ponemon Institute. The survey of 291 IT and IT security workers paints a grim picture of dispirited workers, absent management, outdated protections and mounting threats. The report is a stark warning about the vulnerability of critical energy infrastructure at a time when malicious programs like Stuxnet demonstrate that energy firms, utilities and other critical infrastructure have the eye of malicious hackers, said Tom Turner, an executive at Q1 Labs in Waltham, Massachusetts, which sponsored the Ponemon study.
Long perceived to be beyond the attention of hackers, energy firms and utilities now report that they are being targeted. In the Ponemon study, 76% of the IT security staff interviewed reported that their organization had experienced “one or more data breaches” in the last 12 months. A similar number – 69% – said they felt a data breach was likely to occur in the next 12 months, Ponemon said.
Part of the reason for the pessimistic attitude may be a pervasive view, among those surveyed, that their employer’s IT security resources are being misdirected. Almost all – 96% – said that complying with industry-related regulation such as NERC was “very difficult,” and 77% professed the opinion that doing so would not improve their organization’s security readiness. Still, compliance-related objectives were a top priority for energy firms, second only to availability of service, the study found.
When asked about the threats they take the most seriously, respondents to the Ponemon survey listed malicious or negligent insiders as the top threat. However, just 5% of respondents said that protecting against that threat ranked as their top priority. Instead, the availability of service (minimizing downtime) was the top-ranked goal of 55%. Just 14% said protecting against cyber attacks was a top priority of their IT security program.
Energy firms and public and private utilities operated in isolation for many years, relying on their obscurity and on “air-gapped,” or physically separate, networks for security. But with a massive shift to common IP-based platforms in the last decade, those air gaps have disappeared, said Turner. However, the IT security culture they spawned lingers on: IT workers in the energy sector tend to be older and greyer than their counterparts elsewhere (the average survey respondent had 11 years of experience). Those workers now have to adjust to a fast-changing world that includes more complex links between business and production networks and the advent of new infrastructure like Internet-connected smart meters, Turner said.
Unlike firms in other verticals, such as financial services or retail, energy firms have fewer financial resources at their disposal for addressing cybersecurity. They must also contend with a complex physical and IT infrastructure, including Supervisory Control and Data Acquisition (SCADA) systems that have not traditionally been a focus of IT security investment. Add to that the pressure to keep electric and other utilities online at all times, and IT security falls down the list of priorities, said Turner of Q1 Labs.
Countless reports have shone a light on deficiencies in addressing the security of SCADA systems and the networks that large energy companies and utilities operate. SCADA vendors have been shown to be slow to respond to reports of serious security holes in their software. At the same time, security researchers are finding and publishing more of those holes and creating tools that make it easier to locate Internet-connected SCADA and industrial control systems that might be targets of attack. The Stuxnet worm revealed that sophisticated attackers – state-sponsored and otherwise – had the knowledge and wherewithal to attack specialized SCADA and industrial control systems.
Turner said the industry would need to shift from a security approach that emphasizes physical protections to one that makes IT security a strategic imperative for senior management.