Critical infrastructure firms deficient on security priority: study
12 Jul 2014
Security teams at critical infrastructure firms had little trouble understanding that their networks were vulnerable; however, the companies themselves had failed to make security a priority, according to nearly 600 security executives from 13 countries surveyed by the Ponemon Institute.
The institute's study, published 10 July, revealed that external attackers and malicious or negligent employees had managed to compromise two-thirds of the companies' networks in the past 12 months, causing the loss of data or a disruption in operations.
The study, titled Critical Infrastructure: Security Preparedness and Maturity and funded by technology firm Unisys, found that around 57 per cent of respondents believed that their industrial control systems were at risk from cyber-attacks.
The survey found that, despite recognising cyber-attacks as a threat, most critical-infrastructure firms lacked the security focus to counter it. Only 28 per cent of security practitioners stated that their firms considered security a top-five priority.
According to the study, immature security programs and loosely defined initiatives to address threats were leading to potentially dangerous security incidents at utility, oil and gas, alternate energy and manufacturing organisations.
Nearly 70 per cent of survey respondents, working in the energy, chemical or industrial manufacturing industries, said their organisation experienced the loss of confidential information or a disruption to operations over the past 12 months.
"Organisations are not as prepared as they should be to deal with the sophistication and frequency of a cyberthreat or the negligence of an employee or third party," according to the report. "In fact, the majority of participants in this study do not believe their companies' IT security programs are 'mature.'"
According to security experts and solution providers, too many people held the false belief that the industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems at critical infrastructure facilities were completely disconnected from the internet.
An increasingly internet-enabled workforce had weakened the traditional "air-gap" surrounding critical industrial machinery at the facilities, they said. Many new technologies that enabled remote workers to monitor and respond to issues and conduct maintenance were eroding that gap, according to the study.
The survey respondents identified the root cause of 47 per cent of the security incidents as traceable to employee negligence or a careless insider with privileged user access, according to the report.
The study found that vulnerable applications, insecure databases and mobile devices were the most susceptible to data loss.