Vulnerabilities / Threats
5/29/2014
06:02 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Large Electric Utilities Earn High Security Scores

Critical infrastructure is a big target for attack, but new data shows some operators in that industry suffer fewer security incidents than other industries.

It may sound counterintuitive, but major utilities rank as one of the most secure organizations, according to a new study.

Large electric utilities scored 751 on a grading scale of 250 to 900-- second only to the traditionally security-forward financial industry, which scored 782, according to BitSight Technologies' new security index that analyzes the security performance of finance, utility, retail, and healthcare organizations in the Standard & Poor's 500.

Overall, 82% of the companies in the four industry sectors were hit with a security incident during the period analyzed in the report, from April 1, 2013 through March 31, 2014.

"I was looking for utilities to do poorly. But what we learned here is it's mostly SCADA systems that have their [security] issues. The largest utilities in the S&P 500 are pretty high-performing" when it comes to securing their networks, says Stephen Boyer, founder and CTO of BitSight, which tracks malicious traffic on the Internet. "Beyond those small utilities that have a lot of problems, the larger ones are pretty sophisticated. They are pretty good at segmentation and responding very quickly" to threats, he says.

"Large investor owned utili­ties have fairly sophisticated security practices. Like large financial institutions, they have significant security bud­gets and cyber risk has exec­utive level visibility," said Dave Dalva, vice president of security science at Stroz Friedberg, in a statement in BitSight's report, published this week.

ICS/SCADA systems notoriously suffer from security shortcomings mainly due to plant operators' priority of operations and safety, rarely patching and updating software for fear of disrupting the power supply or manufacturing process, for instance.

BitSight gathered the data for its analysis via its global sensors on the Internet that detect botnet and other malicious traffic, and tracks malware and the duration of its presence on systems for its customers.

Utilities are mostly plagued by a family of Trojans called Redyms (26%), which redirect search engine results, Zeus (15%), Zero Access (13%), Cutwail (8%), and Confickr (8%).

Financial firms are hit mostly by Zeus (33%), followed by ZeroAccess 12%), Redyms (10%), Confickr (7%), and Spambot (7%), according to BitSight's findings.

Meanwhile, the healthcare industry scored poorly, 660, as did retail, 685. "What was surprising was healthcare," Boyer says. "The fact that Confickr was so prominant there says a lot," with 13% of the malware infections, he says.

The full report is available here for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
jweiss950
50%
50%
jweiss950,
User Rank: Apprentice
6/3/2014 | 10:56:27 PM
Re: The comments and conclusions do not apply to control systems.
The mission of an electric utility is to generate, transmit, and/or distribute electricity. The means of doing that is with control systems.  Business IT systems are necessary for front-office business operations but not for the core mission of the utility. Unless you don't care if the lights are on, how can you make any conclusions on the security of an electric utility when you are not even looking at the control systems?  Moreover, since control systems are often networked systems, excluding them means the scope of the project was incomplete.

Joe Weiss
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
6/3/2014 | 3:54:01 PM
Re: The comments and conclusions do not apply to control systems.
If I'm following you, Joe, BitSight's report and analysis doesn't dispute that control systems themselves are notoriously security-deficient. This report was based on data gathered from malware attacks on networked systems of the large electric utilities. 
jweiss950
50%
50%
jweiss950,
User Rank: Apprentice
6/2/2014 | 8:04:58 PM
The comments and conclusions do not apply to control systems.
What makes a utility different than a commercial business are the industrial control systems that monitor and control the generation, transmission, or distribution of electricity (or water or natural gas). However, this article was written from an IT focus with little knowledge of control systems. Consequently, the statements and conclusions about security and resources may be relevant to the business IT systems in a utility but they are NOT relevant to the control systems. The comments on control systems seem to focus on patching as if that is the only or biggest problem - it is not. I encourage the readers to learn more about control system cyber security. I have written a book on the subject – Protecting Industrial Control Systems from Electronic Threats or you can view my lecture to a Masters class at Stanford - https://www.youtube.com/watch?v=S3Yyv53dZ5A

Joe Weiss
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
6/2/2014 | 9:32:50 AM
Re: Disruption Cause for Low and High Security
@RyanSepe  "What good is data security if your own trusted entities can't access it. This is why security is strongest and most efficient when ingrained at the start of product development."  Couldn't agree more!


The trouble, of course, is that utilities -- for good reason -- aren't keen on updating their software, so even if we start building software that's got security beautifully baked in, they're unlikely to start using it.


 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/30/2014 | 5:15:38 PM
Re: Disruption Cause for Low and High Security
The first three bullets seem to advocate not patching while the others provide data as to why patching should occur.

But this is why risk analysis is so important. There is no absolute answer but what makes the most sense to you. Is the risk of patching acceptable versus the consequence of not patching?/Is the risk of patching acceptable versus the possiblitly of system shutdown during patch? I would say whichever merits the highest risk in the scenario above, this does not site other factors that should be taken into account, should be the option not taken. Thoughts?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/30/2014 | 1:54:26 PM
Re: Disruption Cause for Low and High Security
Thanks for the info @ christianabryant. But honestly, the data you cite doesn't inspire a lot of confidence...
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
5/30/2014 | 1:26:03 PM
Re: Disruption Cause for Low and High Security
I felt the same way as @RyanSepe but after researching and reading a couple excellent articles on the topic [1][2].

Some takeaways (assuming patches can be installed without shutting down the process) include:


  • "In a landmark study of the patches for post-release bugs in OS software, Yin et al showed that between 14.8% and 24.4% of all fixes are incorrect and directly impact the end user. And if that's not bad enough, 43% of these faulty 'fixes' resulted in crashes, hangs, data corruption or additional security problems."
  • "...patches don't always solve the security issues they were designed to address. According to Kevin Hemsley, a member of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), in 2011, ICS-CERT saw a 60% failure rate in patches fixing the reported vulnerability in control system products."
  • "Most patches require the shutdown and restart of the manufacturing process. Some can also break or remove functionality previously relied on by the control system. For example, one of the vulnerabilities the Stuxnet worm exploited was a hardcoded password in Siemens' WinCC SQL database."
  • The patching process often requires staff with special skills to be available; resources aren't always on-hand or budget doesn't allow for them.
  • "At the SCADA Security Scientific Symposium (S4) in January 2012, Sean McBride noted that less than half of the 364 public vulnerabilities recorded at ICS-CERT had patches available at that time."

[1] https://www.tofinosecurity.com/blog/scada-security-welcome-patching-treadmill

[2] http://www.tofinosecurity.com/blog/patching-scada-and-ics-security-good-bad-and-ugly
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/30/2014 | 1:19:35 PM
Re: Disruption Cause for Low and High Security
Agreed, @RyanSepe. The problem with many of these older ICS/SCADA systems is that they are old and predate the security threats we face today. Many were built for the pre-Internet days, so it's a legacy problem, too. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/30/2014 | 11:23:46 AM
Re: Disruption Cause for Low and High Security
I agree. I think we need to remember as InfoSec Professionals that there is a functionality principle that needs to be adhered to. What good is data security if your own trusted entities can't access it.

This is why security is strongest and most efficient when ingrained at the start of product development. And hopefully with the many regulations in place for different types of institutions vendors will take that into consideration.
Bprince
50%
50%
Bprince,
User Rank: Ninja
5/30/2014 | 10:57:46 AM
Re: Disruption Cause for Low and High Security
I agree. Compensating measures have to be taken to keep those older systems safe. That's why strong perimeter security is important. Honestly, I just think there isn't much more that  can be done to secure some of these systems other than reduce their connectivity to the Internet as much as possible, but that can hurt business productivity.  Happy to see the utilities scoring so high on this.

BP
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5316
Published: 2014-09-21
Cross-site scripting (XSS) vulnerability in Dotclear before 2.6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted page.

CVE-2014-5320
Published: 2014-09-21
The Bump application for Android does not properly handle implicit intents, which allows attackers to obtain sensitive owner-name information via a crafted application.

CVE-2014-5321
Published: 2014-09-21
FileMaker Pro before 13 and Pro Advanced before 13 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-2319...

CVE-2014-5322
Published: 2014-09-21
Cross-site scripting (XSS) vulnerability in the Instant Web Publish function in FileMaker Pro before 13 and Pro Advanced before 13 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-3640.

CVE-2014-6602
Published: 2014-09-21
Microsoft Asha OS on the Microsoft Mobile Nokia Asha 501 phone 14.0.4 allows physically proximate attackers to bypass the lock-screen protection mechanism, and read or modify contact information or dial arbitrary telephone numbers, by tapping the SOS Option and then tapping the Green Call Option.

Best of the Web
Dark Reading Radio