Attacks/Breaches
8/15/2014
12:00 PM
Mark L. Cohn
Mark L. Cohn
Commentary
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

Infographic: 70 Percent of World's Critical Utilities Breached

New research from Unisys and Ponemon Institute finds alarming security gaps in worldwide ICS and SCADA systems within the last 12 months.

Information security professionals all know the cyberrisks to oil and gas, utilities, alternative energy, and manufacturing industries, and when it comes to strategic priorities, one would think that security remained a key priority across these sectors. Unfortunately, for the majority of providers, it’s not.

Nearly 70 percent of companies surveyed that are responsible for the world’s power, water, and other critical functions have reported at least one security breach that led to the loss of confidential information or disruption of operations in the past 12 months, according to a Unisys survey released in partnership with the Ponemon Institute.

In a Web survey of 599 security executives at utility, oil and gas, energy, and manufacturing companies, 64 percent of respondents anticipated one or more serious attacks in the coming year. Despite this risk, only 28 percent ranked security as one of the top five strategic priorities for their organization. A majority named their top business priority as minimizing downtime.

(Source: Unisys)
(Source: Unisys)

When asked about the likelihood of an attack on their organizations’ industrial control systems or Supervisory Control and Data Acquisition systems, 78 percent of the senior security officials responded that a successful attack is at least somewhat likely within the next 24 months. At the same time, just 21 percent of respondents thought that the risk level to ICS and SCADA has substantially decreased because of regulations and industry-based security standards. That doesn’t necessarily mean that tighter controls and better adoption of standards are needed.

With inevitable attacks on the horizon, chief information security officers in critical infrastructure face multiple pressures -- internal and external -- that affect business priorities. Most say their organizations are unaware or unsure of potential vulnerabilities. Many doubt they have effective security systems and aren’t confident they can keep legacy systems up to date. They need better information and new strategies for managing risk.

Do we invest in security or focus just on minimizing downtime? Must we do both? What are the pressures security officers face and how can we mitigate them? How do we make sure energy and utility businesses are focusing attention in the right places? I’d love to hear your thoughts in the comments below.

Mark L. Cohn is Chief Technology Officer for Unisys Federal Systems, responsible for portfolio strategy and solution development for major federal systems programs, working with government industry partners. His expertise includes national security systems development, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mcohn201
50%
50%
mcohn201,
User Rank: Author
8/20/2014 | 10:11:51 PM
Re: What do you mean by breach?

@Marily Cohodas – The breakdown was that 32% experienced at least 1 incident in the last year, 18% had 2 to 5 incidents, and 17% experienced more than 5 incidents.  While we don't have specifics on what "confidential information" was compromised or the length of disruptions from this study, we know that databases, end user devices (desktops, laptops, smartphones, and tablets) and cloud-based systems took the top 3 slots for most frequently compromised as a result of security breaches over that year followed by servers and industrial control systems.

mcohn201
100%
0%
mcohn201,
User Rank: Author
8/20/2014 | 10:09:28 PM
Re: Silicon Valley substation attack a prototype?

@Bprince - The data covers both.  Our Ponemon partner plans to follow on with a scaled down ICS–focused survey targeting respondents on the ICS side.

mcohn201
100%
0%
mcohn201,
User Rank: Author
8/20/2014 | 10:08:35 PM
Re: Silicon Valley substation attack a prototype?

@Charlie Babcock - Interesting you reference that incident. We tend to think from an IoT perspective about the importance of infosec and physical security professionals working together at strategic and tactical levels to protect corporate or government assets. But my impression is that was a pure physical attack:  rifle fire after advance recon and comm lines cut with shell casings wiped clean.  It highlights uncomfortable vulnerability to physical attack of critical infrastructure and presence of a capable threat actor with military mindset.

GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
8/18/2014 | 3:27:54 PM
Re: Misleading research?
The loss or disruption of operations could be the result of a breach.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/18/2014 | 10:13:34 AM
Misleading research?

Post from Twitter "clappymonkeyAug 17, 3:51pm via Twitter for Android" questioning the research:

@DarkReading A loss of operation is not a breach. Misleading research is misleading

Thoughts anyone?

Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
8/18/2014 | 7:52:26 AM
What do you mean by breach?
Mark  -- Can you give us some context for the statistic that 68 percent or respondents reported at least "one security compromise that led to the loss of confidential information or disruption of services"? How much information? How long of a disruption? Are there any more details you can share?

That said, an even  more disturbing number is the percentage (26%) of utility security execs who say they can effectively manage security risks...

 
Bprince
50%
50%
Bprince,
User Rank: Ninja
8/15/2014 | 8:39:36 PM
Re: Silicon Valley substation attack a prototype?
Wow. That's disturbing. 70 percent seems extremely high. I'm legitimately surprised at that number. But are these corporate network issues or control system issues? Still bad either way, but much more serious if these are ICS.

BP
Charlie Babcock
100%
0%
Charlie Babcock,
User Rank: Moderator
8/15/2014 | 7:33:01 PM
Silicon Valley substation attack a prototype?
I suspect the public utility infrastructure is more vulnerable than we realize. There was an incident earlier this year -- almost a proof of concept test -- of a physical attack on a PG&E Silicon Valley electricity substation. Vandals with rifles from a safe distance took out several transformers, then disappeared long before any authorities could get there. They had plotted their approach and exit carefully, along routes that made their apprehension quite improbable. No special training or tools required. No one caught.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0985
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.

CVE-2014-0986
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.

CVE-2014-0987
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.

CVE-2014-0988
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.

CVE-2014-0989
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.

Best of the Web
Dark Reading Radio