Energy Companies Under Attack

Wednesday, April 6, 2011 @ 06:04 PM gHale

Just over 75 percent of global energy companies suffered one or more data breaches in the last year, according to a new survey by the Ponemon Institute.

The survey, entitled “The State of IT Security: Study of Utilities and Energy Companies,” finds widespread shortcomings in the energy and utilities industries. The Ponemon Institute released the report this week.

The survey, which reached 291 IT and IT security workers, talks about the mounting threats and warns about the vulnerability of critical energy infrastructure at a time when worms like Stuxnet show energy firms, utilities and other critical infrastructure are on the radar of potential attackers.

Long perceived to be beyond the attention of hackers, energy firms and utilities now report they are the targets of attacks. In the Ponemon study, 76% of the IT security staff interviewed reported their organization had experienced “one or more data breaches” in the last 12 months. In this age of security enlightenment, 69% of respondents said they felt a data breach was likely to occur in the next 12 months, according to the report.

Among those surveyed, most said IT security resources were not going to the right areas. Almost all, 96%, said complying with industry-related regulation like NERC was “very difficult” and 77% said doing so would not improve their organization’s security readiness. Having said that, respondents said compliance remained the second major priority for energy firms. The top priority is availability of service, according to the report.

When asked about the threats they take the most seriously, respondents named malicious or negligent insiders as the top threat. However, only 5% of respondents said that ranked as their top priority. Instead, availability of service (minimizing downtime) was the top-ranked goal of 55%. Just 14% said protecting against cyber attacks was a top priority of their IT security program.

Energy firms and public and private utilities operated in isolation for many years, relying on their obscurity and “air gap,” or physically separate, networks for security. But with a massive shift to common IP-based platforms in the last decade, those air gaps have disappeared, said Tom Turner, an executive at Q1 Labs in Waltham, Massachusetts, which sponsored the Ponemon study.

IT workers in the energy sector tend to be older and grayer than their counterparts elsewhere (the average survey respondent had 11 years of experience). Those workers now have to adjust to a fast-changing world that includes more complex links between business and production networks and the advent of new infrastructure like Internet-connected smart meters, Turner said.

Unlike firms in other verticals, such as financial services or retail, energy firms have fewer financial resources at their disposal for addressing cyber security. They must also contend with a complex physical and IT infrastructure, including Supervisory Control and Data Acquisition (SCADA) systems that have not traditionally been a focus of IT security investment. Add to that the pressure to keep electric and other utilities online at all times, and IT security falls down on the list of priorities, Turner said.

Countless reports have shone a light on deficiencies in addressing the security of SCADA systems and the networks that large energy companies and utilities operate. SCADA companies are just now responding to reports of serious vulnerabilities in their software.

At the same time, security researchers are finding and publishing more of those holes and creating tools to make it easier to locate Internet-connected SCADA and industrial control systems that might be targets of attack. The Stuxnet worm showed sophisticated attackers had the knowledge and money to attack specialized SCADA and industrial control systems.

Turner said the industry would need to shift from a security approach that emphasizes physical protections to one that makes IT security a strategic imperative for senior management.