Risk
4/6/2011
04:48 PM
Tim Wilson
Tim Wilson
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%

Utilities Still Struggling With IT Security Issues, Study Says

Three-quarters of energy firms have experienced a breach in the last year; 69 percent expect more to come

Seventy-five percent of energy and utility companies have suffered an IT security breach in the past year, and the situation doesn't seem likely to improve anytime soon, according to a study published today.

According to the "State of IT Security: Study of Utilities & Energy Companies" report -- which was conducted by Ponemon Institute and sponsored by security monitoring software vendor Q1 Labs -- more than three-quarters of global energy organizations surveyed admit to having suffered at least one data breach during the past 12 months. Sixty-nine percent think a data breach is very likely or likely to occur in the coming year.

"We were surprised that utility companies didn't put a higher priority on issues like smart grid and smart meters, where there's been a lot of concern about cyberthreats," says Larry Ponemon, chairman and founder of Ponemon Institute. "Many of the people we talked to are still more focused on physical security than on cybersecurity."

It takes an average of 22 days for the energy companies in the study to detect insiders making unauthorized changes, the study says. Yet 43 percent of respondents ranked negligent or malicious insiders as their top security threat, with insiders the No. 1 root cause of data breaches among the companies surveyed.

Seventy-one percent of the respondents said their executive management team does not understand or appreciate the value of IT security, the study says. Sixty-seven percent of energy organizations were not using what they consider "state of the art" technologies to minimize risks to infrastructure-critical SCADA networks.

Respondents also expressed dissatisfaction with the tools they use to monitor their IT systems. Seventy-two percent said they don't think their monitoring systems are effective at gathering actionable intelligence, such as real-time alerts, threat analysis, and prioritization, about actual and potential exploits. Only 21 percent of global energy and utilities organizations think their existing controls can protect them against exploits and attacks through smart grid and smart meter-connected systems.

"After doing this survey, I'm more worried about the security of the power grid than I was before," Ponemon says. "In many cases, the people responsible for monitoring the cyber side are either being shot down by upper management or they don't have the right skill set to do the monitoring."

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.