According to the "State of IT Security: Study of Utilities & Energy Companies" report -- which was conducted by Ponemon Institute and sponsored by security monitoring software vendor Q1 Labs -- more than three-quarters of global energy organizations surveyed admit to having suffered at least one data breach during the past 12 months. Sixty-nine percent think a data breach is very likely or likely to occur in the coming year.
"We were surprised that utility companies didn't put a higher priority on issues like smart grid and smart meters, where there's been a lot of concern about cyberthreats," says Larry Ponemon, chairman and founder of Ponemon Institute. "Many of the people we talked to are still more focused on physical security than on cybersecurity."
It takes an average of 22 days for the energy companies in the study to detect insiders making unauthorized changes, the study says. Yet 43 percent of respondents ranked negligent or malicious insiders as their top security threat, with insiders the No. 1 root cause of data breaches among the companies surveyed.
Seventy-one percent of the respondents said their executive management team does not understand or appreciate the value of IT security, the study says. Sixty-seven percent of energy organizations were not using what they consider "state of the art" technologies to minimize risks to infrastructure-critical SCADA networks.
Respondents also expressed dissatisfaction with the tools they use to monitor their IT systems. Seventy-two percent said they don't think their monitoring systems are effective at gathering actionable intelligence, such as real-time alerts, threat analysis, and prioritization, about actual and potential exploits. Only 21 percent of global energy and utilities organizations think their existing controls can protect them against exploits and attacks through smart grid and smart meter-connected systems.
"After doing this survey, I'm more worried about the security of the power grid than I was before," Ponemon says. "In many cases, the people responsible for monitoring the cyber side are either being shot down by upper management or they don't have the right skill set to do the monitoring."