A majority of energy and utility companies don’t use “state-of-the-art” technology to defend their networks and are exposing critical infrastructure to sophisticated cyber attacks, according to an industry survey.
Sixty-seven percent of information-technology professionals surveyed said their organizations had not deployed the best-available security to guard against hackers and Internet viruses, according to a report released today by Ponemon Institute LLC, an information-security research group.
Of the 291 security practitioners who responded to the survey, 71 percent said their companies’ top executives don’t understand or appreciate the value of information-technology security, according to the report from Traverse City, Michigan-based Ponemon. The group did not name the respondents’ companies, citing confidentiality.
“One of the big surprises in this survey was that despite increasing cyber attacks on networks, the strategic importance of IT security among C-level executives hasn’t increased,” said Tom Turner, senior vice president of marketing and channels for Q1 Labs Inc., a Waltham, Massachusetts-based security software company that sponsored the survey. “It seems that the industry is very reactive in terms of IT security investment.”
The report follows recent high-profile cyber attacks, including the Stuxnet computer worm, which affects machines sold by Munich-based Siemens AG and can take over networks that run factories and power plants. Most Stuxnet-infected computers are in Iran, prompting security analysts to speculate that the country’s nuclear program was the target.
The Ponemon report also identified shortcomings in adhering to industrywide regulatory initiatives. Seventy-seven percent of survey respondents said that compliance with industry security standards did not rank as a priority at their organizations.
U.S. regulators currently lack the authority to issue and enforce rules for protecting electric grids from cyberthreats, leaving the industry to follow its own voluntary standards. Those guidelines are set by the North American Electric Reliability Corp., an industry self-regulatory group that helps companies assess their ability to respond to potential attacks.
“We do see a number of organizations come to us to use our technologies to meet NERC guidelines,” Turner said in an interview. “However, compliance really depends on how prescriptive the standards are. If the standards are too generic then people are left to do what they deem best and perhaps that doesn’t drive the level of security that a control standard ought to.”
Combat Imminent Threats
U.S. lawmakers are pushing at least eight different proposals aimed at boosting cybersecurity at energy and utility companies, including measures giving the government power to issue regulations and impose penalties.
Senator Joe Lieberman, an Independent from Connecticut and chairman of the Homeland Security and Governmental Affairs Committee, and Senator Susan Collins of Maine, the panel’s top Republican, introduced a bill Feb. 17 that would classify utility companies as critical infrastructure and put them under the regulatory supervision of the Homeland Security Department.
The Ponemon survey supports the findings in a U.S. Government Accountability Office report issued in January and a separate Center for Strategic and International Studies report previewed in February.
The GAO concluded that the rapid adoption of smart-grid technology may leave the U.S. vulnerable to cyber attacks, unless it can address the nation’s fragmented and voluntary regulatory environment, and improve cybersecurity planning.
The CSIS report found that cybersecurity was an afterthought in energy companies’ race to build so-called smart grids, which aim to save electricity and lower costs by using advanced technologies such as computerized meters to manage electricity use and systems that monitor how much power home appliances consume.
The risks associated with electric-grid computers were illustrated four years ago when researchers at the Idaho National Laboratory, a U.S. Energy Department nuclear research site, seized control of an electric generator over the Internet. While the findings of Project Aurora, as it is called, are classified, a leaked online video shows a generator emitting black smoke as its controls are overtaken.