Utilities struggling to address IT security, study finds


Dr Larry Ponemon,
Chairman, Ponemon
Traverse City, MI, U.S.A. — (METERING.COM) — April 11, 2011 – Utilities are struggling to address IT security issues and this needs to be addressed quickly if we are to prevent attacks and exploits that could disrupt the critical infrastructure, according to a new study from the Ponemon Institute.

The study, which was based on a survey of 291 IT and IT security practitioners in utilities and energy companies, revealed that more than three quarters of the companies admitted to having suffered at least one data breach over the last 12 months. Furthermore, almost 70 percent feel that a data breach is very likely or likely to occur over the next 12 months.

According to the study the vast majority of the organizations do not view IT security as a strategic initiative across the enterprise, with 71 percent of respondents saying the management team in their organizations does not understand or appreciate the value of IT security. As a consequence only 39 percent said their security program is dedicated to detecting or preventing advanced persistent threats and 67 percent are not using what would be considered “state of the art” technologies to minimize risks to SCADA networks.

Further, compliance with industry-related regulatory initiatives is not a priority, with 77 percent saying that compliance with standards such as NERC was not a major security initiative. However, almost all said that compliance is very difficult because of how the security control recommendations are published.

Of the breaches that occurred the extrapolated average was $156,000, and 29 percent of the respondents said databases and 27 percent said endpoints were the two top ranked systems compromised as the result of data breaches. Further according to 43 percent, the top ranked security threat their organization faces is negligent or malicious insiders and is the number one root cause of data breaches.

“One of the scariest points that jumped out at me is that it takes, on average, 22 days to detect insiders making unauthorized changes, showing just how vulnerable organizations are today,” said Dr Larry Ponemon, founder and chairman of the Ponemon Institute. “These results show that energy and utilities organizations are struggling to identify the relevant issues that are plaguing their company from a security perspective.”

According to the study the solution to the security issue is to make it a strategic initiative across the enterprise. Achieving a solid state of security will then help organizations face the dual challenge of dealing with security threats and complying with regulatory and legal mandates.

The study was sponsored by Q1 Labs, and was designed to better understand how global energy and utility organizations determine their state of readiness in the face of a plethora of information security, data protection and privacy risks.