Energy Sector Still Needs to Shut the Barn Door
One third of the companies studied haven't fixed their credential management — the same issue that led to the Colonial Pipeline hack last May.
"The 2021 Ransomware Risk Pulse: Energy Sector" report from Black Kite grades the performance of 150 energy companies from the Fortune 500 on various aspects of security preparedness. The report includes a heat map of how these companies score across the board. To the sector's credit — and thank goodness, considering how vital the services are — most companies rated fairly highly across most of the security postures, including awareness of attack surface (139 As, 11 Bs), fraudulent apps (134 As, 14 Bs, 2 Cs), and social media risks (133 As, 14 Bs, 2 Cs, and 1 F).
Where many companies need to improve is in areas like patch management, which is often overlooked but is vitally important for plugging vulnerabilities; 38 of the 150 companies rated an F here. Credential management was particularly bleak, with 52 companies earning an F. The most disturbing part is that this is exactly how the Colonial Pipeline attackers got in — through an unused but open VPN account.
But perhaps the biggest area for improvement is in SSL/TLS strength. While only 17 of the companies evaluated rated an F, almost half — 72 — squeaked by with a D grade. SSL and, hopefully more often, TLS encrypt communications between the Web client and server, so ensuring the company's protocols and certificates are up to date is vital to protect customers' information.
Overall, the energy sector is a mixed bag, but at least now the IT staff knows where to concentrate their efforts. View the full energy sector report from Black Kite.