Attacks/Breaches
8/15/2014
12:00 PM
Mark L. Cohn
Mark L. Cohn
Commentary
Connect Directly
LinkedIn
RSS
E-Mail
50%
50%

Infographic: 70 Percent of World's Critical Utilities Breached

New research from Unisys and Ponemon Institute finds alarming security gaps in worldwide ICS and SCADA systems within the last 12 months.

Information security professionals all know the cyberrisks to oil and gas, utilities, alternative energy, and manufacturing industries, and when it comes to strategic priorities, one would think that security remained a key priority across these sectors. Unfortunately, for the majority of providers, it’s not.

Nearly 70 percent of companies surveyed that are responsible for the world’s power, water, and other critical functions have reported at least one security breach that led to the loss of confidential information or disruption of operations in the past 12 months, according to a Unisys survey released in partnership with the Ponemon Institute.

In a Web survey of 599 security executives at utility, oil and gas, energy, and manufacturing companies, 64 percent of respondents anticipated one or more serious attacks in the coming year. Despite this risk, only 28 percent ranked security as one of the top five strategic priorities for their organization. A majority named their top business priority as minimizing downtime.

(Source: Unisys)
(Source: Unisys)

When asked about the likelihood of an attack on their organizations’ industrial control systems or Supervisory Control and Data Acquisition systems, 78 percent of the senior security officials responded that a successful attack is at least somewhat likely within the next 24 months. At the same time, just 21 percent of respondents thought that the risk level to ICS and SCADA has substantially decreased because of regulations and industry-based security standards. That doesn’t necessarily mean that tighter controls and better adoption of standards are needed.

With inevitable attacks on the horizon, chief information security officers in critical infrastructure face multiple pressures -- internal and external -- that affect business priorities. Most say their organizations are unaware or unsure of potential vulnerabilities. Many doubt they have effective security systems and aren’t confident they can keep legacy systems up to date. They need better information and new strategies for managing risk.

Do we invest in security or focus just on minimizing downtime? Must we do both? What are the pressures security officers face and how can we mitigate them? How do we make sure energy and utility businesses are focusing attention in the right places? I’d love to hear your thoughts in the comments below.

Mark L. Cohn is Chief Technology Officer for Unisys Federal Systems, responsible for portfolio strategy and solution development for major federal systems programs, working with government industry partners. His expertise includes national security systems development, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mcohn201
50%
50%
mcohn201,
User Rank: Author
8/20/2014 | 10:11:51 PM
Re: What do you mean by breach?

@Marily Cohodas – The breakdown was that 32% experienced at least 1 incident in the last year, 18% had 2 to 5 incidents, and 17% experienced more than 5 incidents.  While we don't have specifics on what "confidential information" was compromised or the length of disruptions from this study, we know that databases, end user devices (desktops, laptops, smartphones, and tablets) and cloud-based systems took the top 3 slots for most frequently compromised as a result of security breaches over that year followed by servers and industrial control systems.

mcohn201
100%
0%
mcohn201,
User Rank: Author
8/20/2014 | 10:09:28 PM
Re: Silicon Valley substation attack a prototype?

@Bprince - The data covers both.  Our Ponemon partner plans to follow on with a scaled down ICS–focused survey targeting respondents on the ICS side.

mcohn201
100%
0%
mcohn201,
User Rank: Author
8/20/2014 | 10:08:35 PM
Re: Silicon Valley substation attack a prototype?

@Charlie Babcock - Interesting you reference that incident. We tend to think from an IoT perspective about the importance of infosec and physical security professionals working together at strategic and tactical levels to protect corporate or government assets. But my impression is that was a pure physical attack:  rifle fire after advance recon and comm lines cut with shell casings wiped clean.  It highlights uncomfortable vulnerability to physical attack of critical infrastructure and presence of a capable threat actor with military mindset.

GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
8/18/2014 | 3:27:54 PM
Re: Misleading research?
The loss or disruption of operations could be the result of a breach.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/18/2014 | 10:13:34 AM
Misleading research?

Post from Twitter "clappymonkeyAug 17, 3:51pm via Twitter for Android" questioning the research:

@DarkReading A loss of operation is not a breach. Misleading research is misleading

Thoughts anyone?

Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
8/18/2014 | 7:52:26 AM
What do you mean by breach?
Mark  -- Can you give us some context for the statistic that 68 percent or respondents reported at least "one security compromise that led to the loss of confidential information or disruption of services"? How much information? How long of a disruption? Are there any more details you can share?

That said, an even  more disturbing number is the percentage (26%) of utility security execs who say they can effectively manage security risks...

 
Bprince
50%
50%
Bprince,
User Rank: Ninja
8/15/2014 | 8:39:36 PM
Re: Silicon Valley substation attack a prototype?
Wow. That's disturbing. 70 percent seems extremely high. I'm legitimately surprised at that number. But are these corporate network issues or control system issues? Still bad either way, but much more serious if these are ICS.

BP
Charlie Babcock
100%
0%
Charlie Babcock,
User Rank: Moderator
8/15/2014 | 7:33:01 PM
Silicon Valley substation attack a prototype?
I suspect the public utility infrastructure is more vulnerable than we realize. There was an incident earlier this year -- almost a proof of concept test -- of a physical attack on a PG&E Silicon Valley electricity substation. Vandals with rifles from a safe distance took out several transformers, then disappeared long before any authorities could get there. They had plotted their approach and exit carefully, along routes that made their apprehension quite improbable. No special training or tools required. No one caught.
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice post
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report