WASHINGTON — Oil companies and others with critical infrastructure are ill-prepared to thwart computer system threats, even though more than two thirds have had at least one significant security compromise in the past year, according to a report released Thursday.
The Ponemon Institute analysis shows that the people in charge of managing critical control systems know their organizations are not ready for the sophistication and frequency of cyberattacks.
Just 17 percent of the 599 security executives at utility, oil, gas, energy and manufacturing companies surveyed by the research group said they had deployed most of their major information technology initiatives meant to fend off cyberattacks.
And only 28 percent of the respondents said security was one of the top five strategic priorities at their organizations.
“This is a big issue, and you’d expect folks to be engaged,” said Larry Ponemon, head of the institute that conducted the survey. But there’s a “big disconnect between the (corporate) levels and the people doing security.”
The result is that while “people across the board recognize the problem and impact of security, as an organizational priority it is not in the top five,” Ponemon added. “People aren’t doing enough.”
The survey was commissioned by Unisys Corp., a Pennsylvania-based information technology company that sells security software, including a program meant to cloak certain devices, data and users within a network.
The findings dovetail with other sobering reports on security lapses from IT firm Symantec and telecommunications giant Verizon.
Energy firms are attacked regularly — most recently by Russian hackers calling themselves “Energetic Bear” and “Dragonfly.” And those attacks are increasingly successful, with energy companies now suffering more breaches than banks.
Unisys chief information security officer Dave Frymier said it might take a disaster to get C-suite executives’ attention.
“As depressing as it may be, we do think there just needs to be a precipitating event” before executives prioritize the issue, Frymier said. “Unfortunately there’s going to have to be something bad that gets everybody’s attention.”
The data breach involving Target may have spurred retailers to bolster their defenses, but that doesn’t mean the hardening has spread to other sectors.
Frymier said the “bad guys” — including terrorists and even national governments — are likely already lurking inside the networks of the companies that control major infrastructure.
And according to the Unisys-Ponemon report, the risk is mounting — despite heightened regulations and voluntary standards meant to strengthen the resilience of industrial control systems.
“These organizations are improving slowly,” Ponemon said, but they may not be keeping up with a faster-moving bar of expectations.
Connectivity comes at a cost
Unisys chief technology officer Mark Cohn said there are major challenges with bolstering cyber defenses — including the transition away from siloed and compartmentalized computer systems to flatter, more expansive networks. Video cameras and alarms that used to be hard-wired into systems are now on ethernet — and more easily compromised.
That might make it possible, for example, for intruders to cut off or damage a gas line while security video displays showed gas flowing normally.
Hackers also may be able to short-circuit safeguards in the “supervisory control and data acquisition” systems that monitor and control activities at electric utilities, gas pipelines and oil production sites. Companies may depend on those systems to serve up warnings about an attack, but determined hackers may be able to fool the computer programs and their human managers.
For instance, workers and the supervisory control system itself could see evidence that a gas pipeline was still flowing — even if it had been cut off.
The survey included respondents from 13 countries; at least 63 percent were in the energy space, including 26 percent in the oil and gas sector. Others surveyed worked for chemical manufacturers and water utilities.
Among the findings:
- 78 percent of respondents said a successful attack is at least somewhat likely against their control systems within the next two years.
- Nearly half of security incidents — 47 percent — were traced to a “negligent employee.” And 24 percent of the incidents were blamed on negligent employees who had privileged access.
- Just 68 percent said they were using state-of-the-art technologies to minimize security risks to control systems.
Frymier said cultural and age differences between top executives and security officials may be one reason for the disconnect in the perception of vulnerability and the steps companies are taking to address the risks.
The report showed security professionals think the threats may be more likely to come from within an organization than to be launched from outside it. Only 19 percent of respondents cited attacks by nations, terrorists or criminal syndicates as among their top three security threats, in contrast to 54 percent who fingered “negligent insiders.”