Do Utility Companies Slight IT Security?
Do utilities and energy companies spend huge amounts for physical security but slight information-technology security?
That's what's suggested in the results of a survey of 291 information technology professionals in industries that have to operate both industrial-control systems and the type of business systems, such as billing, procurement and human resources, used elsewhere.
The Ponemon Institute's "State of IT Security: Study of Utilities & Energy Companies" found that 29% of respondents said their organization's budget for physical security ranged between $20 million and $40 million per year, and 32% said over $40 million. But the IT security budget was dramatically less. Twenty-one percent had less than $1 million in their budget for IT security each year, 32% had up to $2 million, 16% had $2 to $4 million, 13% had $4 million to $6 million and 11% had between $6 million and $8 million. Only 7% had a bigger budget, and nothing over $14 million.
"The concept of physical security permeates the security mindset," says Dr. Larry Ponemon, head of Ponemon Institute, about the findings related to the utility and energy companies, expected to be published in a report later this month.
The interviews with many of the survey participants suggest that often ideas about security are dominated by the idea of preventing downtime, Ponemon said.
The companies involved in the survey present a broad mix - all were U.S.-based but many had operations in Canada, Europe, the Middle East, Africa, Asia and Latin America. But one thing they had in common was they operated supervisory control and data acquisition systems (SCADA) that manage energy generation or pipelines, and they all faced regulation under the Federal Energy Regulatory Commission and the North American Electric Reliability Corp. Critical Infrastructure Protection (CIP) guidelines.
About half the survey respondents said they believe their organizations have sufficient resources to achieve compliance with security standards, such as those prescribed by NERC.
Fewer than half believe their organizations "see security as a strategic priority across the enterprise," or are "dedicated to preventing or detecting Advanced Persistent Threats," or use "state-of-the-art technologies to minimize risks to SCADA networks."
Only 32% believe their security organization is "dedicated to protecting the nation's critical infrastructure." Only 29% said they thought their organization "views IT security as equally important to physical security."
According to the survey, 77% said compliance with standards such as NERC is not a major security objective. 69% perceived their security operations as having no "clearly defined lines of responsibility and authority." 61% said "contractors, vendors and other third parties" are not "held to high standards for security as a business condition."
"We see these folks as disgruntled," said Ponemon, noting that the views they expressed trend toward the negative side. "And we basically find a view that NERC is not adequate."
There's been this belief that those with responsibilities for security in critical infrastructure are somehow savvier or better equipped than those in other industries, such as retail, Ponemon noted, adding, "There's not a lot of evidence for that."
And though the topic of integrating physical and logical controls is popular to talk about, there's not a lot of evidence that's happening in any widespread way, with 72% saying that logical-physical integration hadn't occurred in their organizations.
Although the survey didn't bring up the topic of the Stuxnet worm, many of the security professionals in these energy and utility companies acknowledged that they've suffered a security breach caused by a successful exploit or data breach over the past year.
Forty-eight percent said they knew of one incident, 13% said two to five incidents, 9% reported more than five, while 6% said they could not determine. Twelve percent of the incidents were said to be caused by external attack, 5% by insider attack, 28% were accidental loss, 18% were traced to malicious code or botnets, 8% was "abuse by privileged IT staff," 16% was "abuse by outside vendors or business partners," 2% was from "exfiltrations (attack from the inside)" and 11% was unknown.
Databases, ERP systems and endpoints were seen as more targeted for compromise, though SCADA networks were hit in 5% of the incidents. The average time to detect an insider who had made some type of unauthorized change or committed malicious activity was 22 days. The average cost of security breaches over the past year was $156,663.
The newer responsibility facing these security professionals, the roll-out of the so-called smart grid with smart meters to the home, was also causing some unease. Some 47% said they didn't feel existing security controls provide adequate levels of protection against attacks and exploits occurring through smart meters and smart-grid systems, while 32% were unsure.