The industrial systems at power generation plants, oil and chemical refineries and other highly sensitive operations are not adequately protected and many of the same problems that lead to data breaches are causing disruptions to operations at critical infrastructure facilities, according to a new study issued today.
Immature security programs and loosely defined initiatives to address threats are leading to potentially dangerous security incidents at utility, oil and gas, alternate energy and manufacturing organizations, according to the Ponemon Institute survey of 599 global IT and IT security executives in 13 countries. Nearly 70 percent of survey respondents, all of whom worked in the energy, chemical or industrial manufacturing industries, said their organization experienced the loss of confidential information or a disruption to operations over the past 12 months.
"Organizations are not as prepared as they should be to deal with the sophistication and frequency of a cyberthreat or the negligence of an employee or third party," according to the report, commissioned by IT technology and services vendor, Unisys Corp. "In fact, the majority of participants in this study do not believe their companies’ IT security programs are 'mature.'"
Security experts and solution providers say far too many people hold the false belief that the systems at critical infrastructure facilities containing industrial controls systems (ICS) and supervisory control and data acquisition (SCADA) systems are completely disconnected from the Internet. An increasingly Internet-enabled workforce has weakened the traditional "air-gap" surrounding critical industrial machinery at the facilities, they say. Many new technologies that enable remote workers to monitor and respond to issues and conduct maintenance are weakening that gap, according to the study.
The root cause of 47 percent of the security incidents identified by survey respondents were traced to employee negligence or a careless insider with privileged user access, according to the report. Vulnerable applications, insecure databases and mobile devices are the most susceptible to data loss, the study found.
The five most effective security systems cited by survey respondents include identity and access management, perimeter or location surveillance and database scanning, according to the survey. But security vendors aren't solving underlying software security issues and system configuration weaknesses, experts say. A lot of breaches are made more severe by the failure to monitor and control user privileges, said Andrew Sherman, the security practice lead at Eden Technologies, a New York City-based security consultancy and solution provider. Data governance issues cause problems at many firms, Sherman said.
"People can't leak what they don't have access to," Sherman said. "You can use a lot of good technology make that effective that is a governance problem."
NEXT: Contractors, Service Providers Not Properly Vetted, Survey Found