It may sound counterintuitive, but major utilities rank among the most secure organizations, according to a new study.
Large electric utilities scored 751 on a grading scale of 250 to 900, second only to the traditionally security-forward financial industry, which scored 782, according to BitSight Technologies' new security index, which analyzes the security performance of finance, utility, retail, and healthcare organizations in the Standard & Poor's 500.
Overall, 82% of the companies in the four industry sectors were hit with a security incident during the period analyzed in the report, from April 1, 2013 through March 31, 2014.
"I was looking for utilities to do poorly. But what we learned here is it's mostly SCADA systems that have their [security] issues. The largest utilities in the S&P 500 are pretty high-performing" when it comes to securing their networks, says Stephen Boyer, founder and CTO of BitSight, which tracks malicious traffic on the Internet. "Beyond those small utilities that have a lot of problems, the larger ones are pretty sophisticated. They are pretty good at segmentation and responding very quickly" to threats, he says.
"Large investor-owned utilities have fairly sophisticated security practices. Like large financial institutions, they have significant security budgets and cyber risk has executive-level visibility," said Dave Dalva, vice president of security science at Stroz Friedberg, in a statement in BitSight's report, published this week.
ICS/SCADA systems notoriously suffer from security shortcomings, mainly because plant operators prioritize operations and safety and rarely patch or update software for fear of disrupting the power supply or a manufacturing process, for instance.
BitSight gathered the data for its analysis via its global sensors on the Internet, which detect botnet and other malicious traffic. The company also tracks malware and the duration of its presence on systems for its customers.
Utilities are mostly plagued by Redyms (26%), a family of Trojans that redirects search engine results, followed by Zeus (15%), ZeroAccess (13%), Cutwail (8%), and Conficker (8%).
Financial firms are hit mostly by Zeus (33%), followed by ZeroAccess (12%), Redyms (10%), Conficker (7%), and Spambot (7%), according to BitSight's findings.
Meanwhile, the healthcare industry scored poorly, 660, as did retail, 685. "What was surprising was healthcare," Boyer says. "The fact that Conficker was so prominent there says a lot," with 13% of the malware infections, he says.
The full report is available here for download.