Critical Infrastructure Companies Plagued by Security Breaches, Survey Finds
From last year’s discovery of Stuxnet to reports of smart grid vulnerabilities, the subject of IT security at critical infrastructure companies has repeatedly found itself in the public eye – and the picture has not always been pretty.
The pessimism about security, however, may not be unwarranted. In a new survey of 291 IT and IT security practitioners from energy and utility companies, the Ponemon Institute found that data breaches are widespread.
According to the study, 76 percent of the respondents said their company has suffered one or more data breaches during the past year, and 69 percent said they believe a successful exploitation of their organization’s network is ’very likely’ or ’likely’ to occur within the next 12 months. Just 33 percent said their organizations are using ’state of the art’ technologies to minimize risk to SCADA (Supervisory Control and Data Acquisition) networks. SCADA systems are used to monitor and control industrial processes.
’A large number of respondents focus on uptime and availability as a main objective, with less emphasis on security system coverage or effectiveness,’ explained Dr. Larry Ponemon, chairman of the institute. ’In short, this extreme focus [on] uptime may result in organizations running older operating systems …thus reducing the organization’s ability to deploy newer security applications.’
There is a challenge posed by trying to patch systems that were designed to be constantly running, said Tom Turner, senior vice president of marketing and channels at Q1 Labs, which sponsored the Ponemon report. ’That is why security for these systems and networks must be augmented, particularly in the areas of detection, visibility and monitoring,’ Turner said.
The focus of many organizations seems to be on physical security, as just 29 percent said IT security and physical security were viewed as equally important. Only 29 percent said C-level executives fully understand and appreciate their organization’s security initiatives, and less than a third said that security operations have clearly defined lines of responsibility and authority.
The most commonly cited threat among the respondents was negligent insiders, a group named as the top threat by 43 percent of participants. The next most commonly named threats were vulnerable Web applications (40 percent) and systems glitches (36 percent). Malicious insiders and Web-based attacks were cited by 11 and nine percent, respectively.
Despite the presence of regulations, compliance is not always considered a critical focus, the survey found. When asked if compliance with standards is a major security initiative, 77 percent said it was not. In addition, more than half of the respondents reported that the present regulatory environment has no impact on the effectiveness of their organization’s IT security program. Still, when asked to name their organization’s top security missions, 38 percent cited compliance with regulatory and legal mandates – indicating there may be a disconnect between stated objectives of the companies and what goes on in practice, the institute’s report noted.
Aligning the point-in-time nature of a compliance audit with the ongoing task of building and maintaining a secure network is one of the key challenges facing compliance efforts, Turner told CRN.
’Regulations driven by the government or other standards bodies should always be up for review and improvement,’ he said, ’particularly in light of the changing nature of the threat environment…and the dynamic nature of the networks in question.’
’Given the potential risk to national critical infrastructure, it would be important for companies in the utilities and energy industry to be held to very high security standards, including the use of leading-edge traffic/network intelligence systems,’ opined Ponemon.
’I believe self-regulatory initiatives with substantial teeth such as PCI-DSS (Payment Card Industry Data Security Standard) would be more effective than government oversight,’ he said.