Despite staggering statistics on the number of security breaches within critical infrastructure (arguably the backbone of the global economy), new research shows that the gap between security concern and preparedness is overwhelming for utility, oil and gas, energy and manufacturing organizations. Nearly 70% of the critical infrastructure companies surveyed by the Ponemon Institute suffered a security breach in the last year.
A full 67% said their companies had at least one security compromise that led to the loss of confidential information or disruption to operations over the last year, and an almost equal share (64%) anticipate one or more serious attacks in the coming year. Yet only 28% of respondents ranked security as one of the top five strategic priorities for their organization.
“The findings of the survey are startling, given that these industries form the backbone of the global economy and cannot afford a disruption,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in the report. “While the desire for security protection is apparent among these companies, not nearly enough is actually being done to secure our critical infrastructure against attacks.”
In addition, it turns out that few are taking basic precautions: only one in six respondents describe their organization’s IT security program or activities as mature. For the purposes of this research, a mature stage is defined as having most IT security program activities deployed. Most companies have defined what their security initiatives are, but deployment and execution are still in the early or middle stages.
Respondents who reported suffering a data breach within the past year most often attributed it to an internal accident or mistake, and 24% of respondents said these compromises were due to an insider attack or to negligent privileged IT users. Yet on the employee education front, only 6% provide cybersecurity training for all employees.
“Whether malicious or accidental, threats from the inside are just as real and devastating as those coming from the outside,” said Dave Frymier, chief information security officer at Unisys, which sponsored the survey. “We hope the survey results serve as a wake-up call to critical infrastructure providers to take a much more proactive, holistic approach to securing their IT systems against attacks. Action should be taken before an incident occurs, not just after a breach.”
The survey also highlighted the concerns many of these executives feel regarding the security of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, which monitor and control the processes and operations for power generation and other critical infrastructure functions. ICS and SCADA deployments are also notoriously aging and easily compromised.
When asked about the likelihood of an attack on their organizations’ ICS or SCADA systems, 78% of the senior security officials responded that a successful attack is at least somewhat likely within the next 24 months. Just 21% of respondents thought that the risk to ICS and SCADA has substantially decreased because of regulations and industry-based security standards, suggesting that tighter controls and better adoption of those standards are still needed.