Attacks/Breaches
8/15/2014
12:00 PM
Mark L. Cohn
Mark L. Cohn
Commentary
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

Infographic: 70 Percent of World's Critical Utilities Breached

New research from Unisys and Ponemon Institute finds alarming security gaps in worldwide ICS and SCADA systems within the last 12 months.

Information security professionals all know the cyberrisks to oil and gas, utilities, alternative energy, and manufacturing industries, and when it comes to strategic priorities, one would think that security remained a key priority across these sectors. Unfortunately, for the majority of providers, it’s not.

Nearly 70 percent of companies surveyed that are responsible for the world’s power, water, and other critical functions have reported at least one security breach that led to the loss of confidential information or disruption of operations in the past 12 months, according to a Unisys survey released in partnership with the Ponemon Institute.

In a Web survey of 599 security executives at utility, oil and gas, energy, and manufacturing companies, 64 percent of respondents anticipated one or more serious attacks in the coming year. Despite this risk, only 28 percent ranked security as one of the top five strategic priorities for their organization. A majority named their top business priority as minimizing downtime.

(Source: Unisys)
(Source: Unisys)

When asked about the likelihood of an attack on their organizations’ industrial control systems or Supervisory Control and Data Acquisition systems, 78 percent of the senior security officials responded that a successful attack is at least somewhat likely within the next 24 months. At the same time, just 21 percent of respondents thought that the risk level to ICS and SCADA has substantially decreased because of regulations and industry-based security standards. That doesn’t necessarily mean that tighter controls and better adoption of standards are needed.

With inevitable attacks on the horizon, chief information security officers in critical infrastructure face multiple pressures -- internal and external -- that affect business priorities. Most say their organizations are unaware or unsure of potential vulnerabilities. Many doubt they have effective security systems and aren’t confident they can keep legacy systems up to date. They need better information and new strategies for managing risk.

Do we invest in security or focus just on minimizing downtime? Must we do both? What are the pressures security officers face and how can we mitigate them? How do we make sure energy and utility businesses are focusing attention in the right places? I’d love to hear your thoughts in the comments below.

Mark L. Cohn is Chief Technology Officer for Unisys Federal Systems, responsible for portfolio strategy and solution development for major federal systems programs, working with government industry partners. His expertise includes national security systems development, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mcohn201
50%
50%
mcohn201,
User Rank: Author
8/20/2014 | 10:11:51 PM
Re: What do you mean by breach?

@Marily Cohodas – The breakdown was that 32% experienced at least 1 incident in the last year, 18% had 2 to 5 incidents, and 17% experienced more than 5 incidents.  While we don't have specifics on what "confidential information" was compromised or the length of disruptions from this study, we know that databases, end user devices (desktops, laptops, smartphones, and tablets) and cloud-based systems took the top 3 slots for most frequently compromised as a result of security breaches over that year followed by servers and industrial control systems.

mcohn201
100%
0%
mcohn201,
User Rank: Author
8/20/2014 | 10:09:28 PM
Re: Silicon Valley substation attack a prototype?

@Bprince - The data covers both.  Our Ponemon partner plans to follow on with a scaled down ICS–focused survey targeting respondents on the ICS side.

mcohn201
100%
0%
mcohn201,
User Rank: Author
8/20/2014 | 10:08:35 PM
Re: Silicon Valley substation attack a prototype?

@Charlie Babcock - Interesting you reference that incident. We tend to think from an IoT perspective about the importance of infosec and physical security professionals working together at strategic and tactical levels to protect corporate or government assets. But my impression is that was a pure physical attack:  rifle fire after advance recon and comm lines cut with shell casings wiped clean.  It highlights uncomfortable vulnerability to physical attack of critical infrastructure and presence of a capable threat actor with military mindset.

GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
8/18/2014 | 3:27:54 PM
Re: Misleading research?
The loss or disruption of operations could be the result of a breach.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/18/2014 | 10:13:34 AM
Misleading research?

Post from Twitter "clappymonkeyAug 17, 3:51pm via Twitter for Android" questioning the research:

@DarkReading A loss of operation is not a breach. Misleading research is misleading

Thoughts anyone?

Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
8/18/2014 | 7:52:26 AM
What do you mean by breach?
Mark  -- Can you give us some context for the statistic that 68 percent or respondents reported at least "one security compromise that led to the loss of confidential information or disruption of services"? How much information? How long of a disruption? Are there any more details you can share?

That said, an even  more disturbing number is the percentage (26%) of utility security execs who say they can effectively manage security risks...

 
Bprince
50%
50%
Bprince,
User Rank: Ninja
8/15/2014 | 8:39:36 PM
Re: Silicon Valley substation attack a prototype?
Wow. That's disturbing. 70 percent seems extremely high. I'm legitimately surprised at that number. But are these corporate network issues or control system issues? Still bad either way, but much more serious if these are ICS.

BP
Charlie Babcock
100%
0%
Charlie Babcock,
User Rank: Moderator
8/15/2014 | 7:33:01 PM
Silicon Valley substation attack a prototype?
I suspect the public utility infrastructure is more vulnerable than we realize. There was an incident earlier this year -- almost a proof of concept test -- of a physical attack on a PG&E Silicon Valley electricity substation. Vandals with rifles from a safe distance took out several transformers, then disappeared long before any authorities could get there. They had plotted their approach and exit carefully, along routes that made their apprehension quite improbable. No special training or tools required. No one caught.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3304
Published: 2014-10-30
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.

CVE-2013-7409
Published: 2014-10-30
Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file.

CVE-2014-3446
Published: 2014-10-30
SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter.

CVE-2014-3584
Published: 2014-10-30
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

CVE-2014-3623
Published: 2014-10-30
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vect...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.