An unnamed natural gas company hired an IT firm to test its corporate information system. POWER Magazine reported, “The consulting organization carelessly ventured into a part of the network that was directly connected to the SCADA system. The penetration test locked up the SCADA system and the utility was not able to send gas through its pipelines for four hours. The outcome was the loss of service to its customer base for those four hours.”
As stories like these become more common, we wanted to study how well utility firms are preparing for what seems like the inevitable: a major, successful attack. The answer is a mixed bag.
This month, we release the results of Stealth Research: Critical Infrastructure, sponsored by Unisys. The purpose of this research is to learn how utility, oil and gas, alternate energy and manufacturing organizations are addressing cybersecurity threats.
Among the more alarming findings: 67 percent of those surveyed said they’d suffered at least one security compromise, yet one quarter don’t actually know who’s in charge of security.
As the findings reveal, organizations are not as prepared as they should be to deal with the sophistication and stealth of a cyber threat or the negligence of an employee or third party. In fact, the majority of participants in this study do not believe their companies’ IT security programs are “mature.” For purposes of this research, a mature stage is defined as having most IT security program activities deployed. Most companies have defined what their security initiatives are but deployment and execution are still in the early or middle stages.
Key findings of this research
Most companies have not fully deployed their IT security programs. Only 17 percent of companies represented in this research self-report that most of their IT security program activities are deployed. Fifty percent of respondents say their IT security activities have not as yet been defined or deployed (7 percent) or they have defined activities but they are only partially deployed (43 percent). A possible reason is that only 28 percent of respondents agree that security is one of the top five strategic priorities across the enterprise.
The risk to industrial control systems and SCADA is believed to have substantially increased. Fifty-seven percent of respondents agree that cyber threats are putting industrial control systems and SCADA at greater risk. Only 11 percent say the risk has decreased due to heightened regulations and industry-based security standards.
Security compromises are occurring in most companies. It is difficult to understand why security is not a top priority because 67 percent of respondents say their companies have had at least one security compromise that led to the loss of confidential information or disruption to operations over the last 12 months. Twenty-four percent of respondents say these compromises were due to an insider attack or negligent privileged IT users.
Upgrading existing legacy systems may result in sacrificing mission-critical security. Fifty-four percent of respondents are not confident (36 percent) or unsure (18 percent) that their organization would be able to upgrade legacy systems to the next improved security state in cost-effective ways without sacrificing mission-critical security.
Many organizations are not getting actionable real-time threat alerts about security exploits. According to 34 percent of respondents, their companies do not get real-time alerts, threat analysis and threat prioritization intelligence that can be used to stop or minimize the impact of a cyber attack. If they do receive such intelligence, 22 percent of respondents say it is not effective. Only 15 percent of respondents say threat intelligence is very effective and actionable.
More than half, hit. The majority of companies have had at least one security compromise in the past 12 months. Sixty-seven percent of companies represented in this research have had at least one incident that led to the loss of confidential information or disruption to operations. Twenty-four percent of security incidents were due to a negligent employee with privileged access. However, 21 percent of respondents say they were not able to determine the source of the incident.
Who’s in charge? When asked if their company has dedicated personnel and/or departments responsible for industrial control systems and SCADA security, 25 percent say they do not have anyone assigned. The majority (55 percent) say they have one person responsible.
Out of control. Nearly one-third of respondents say that more than a quarter of their network components, including third-party endpoints such as smartphones and home computers, are outside the direct control of their organization’s security operations.