Utilities ignorant of IT security despite pounding by hackers: Ponemon

Security pundits have warned of the imminent hacking threat to critical infrastructure providers, but a new Ponemon Institute survey of infrastructure operators suggests the threat is already here.

The survey found 86 per cent of executives reporting they suffered at least one security breach, leading to a loss of confidential information or disruption of their operations, over the past 12 months.

The A/NZ figure was considerably higher than the nearly 70 per cent of executives globally reporting an attack, suggesting that this region has fallen behind the world in terms of data protection. Fully 24 per cent of respondents said the security breaches were due to an insider attack, or to negligent privileged IT users.

Despite such a high rate of security incidents, only 17 per cent of companies in the Critical Infrastructure: Security Preparedness and Maturity report – which was sponsored by Unisys and included 599 IT and IT security executives at infrastructure companies in 13 countries – had deployed most of their IT security program.

Half say they still have not defined their IT security activities, while 43 per cent said they had defined their activities but only partially deployed them. Some 55 per cent said they had just one person responsible for security of SCADA and industrial control systems.

Just 28 per cent of respondents named security as one of the top five strategic priorities for the enterprise – even though 64 per cent of respondents said they anticipate one or more serious attacks to networks or critical infrastructure each year.

“Top security objectives focus on immediate concerns rather than proactive measures to secure the infrastructure,” the report's authors warn. “Minimisation of downtime takes precedence over the prevention of cyber attacks and compliance... a very small percentage cite cyber-security training for all employees as a goal.”

Awareness of attacks against the industrial complex has stepped up in the wake of the Stuxnet worm, which was discovered in 2010 as a targeted attack against SCADA (Supervisory Control and Data Acquisition) systems in Iran, Indonesia and India.

Subsequent attacks have tested the vulnerability of a broader range of SCADA systems, with malware infiltration or just poor management already resulting in interruptions to utility services. One researcher claimed he discovered 23 vulnerabilities in SCADA software, while others slammed the industry's reliance on 'air gaps' – physically separating SCADA and operational networks in the belief that would keep them safe from attack. Security firm Kaspersky Labs is so worried about the potential risk to industrial control systems that it recently began building its own secure SCADA operating system.

“Organisations are not as prepared as they should be to deal with the sophistication and frequency of a cyber threat or the negligence of an employee or third party,” the report's authors warn.

“In fact, the majority of participants... do not believe their companies' IT security programs are 'mature' [defined as having most IT security program activities deployed]. Most companies have defined what their security initiatives are but deployment and execution are still in the early or middle stages.”

That inaction will surprise many, given that 57 per cent of respondents to the survey agree that cyber threats are putting SCADA and industrial control systems at risk. A similar proportion (54 per cent) were not confident, or were unsure, whether their organisation could upgrade legacy systems without sacrificing mission-critical security.

One in three respondents said their company did not get real-time alerts, threat analysis or threat prioritisation intelligence to help deal with a cyber attack. Some 22 per cent of those who did receive such information said it was not effective, while just 15 per cent said threat intelligence is both effective and actionable.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
