Energy Sector Survey Shows Sorry State of Security
A new survey sponsored by Q1 Labs is full of surprises, and not the kind of surprises you’d hope to find.
For example, more than 75 percent of the 291 IT and IT security practitioners in global energy organizations surveyed say they have experienced at least one data breach in the last year, and more than two-thirds of organizations think a data breach is likely or very likely to occur in the next year.
State of IT Security: Study of Utilities & Energy Companies was designed “to better understand how global energy and utility organizations determine their state of readiness in the face of a plethora of information security, data protection, and privacy risks,” Q1 said in a release. From what I’ve read, the bottom line seems to be: they aren’t ready.
Over half of global energy enterprises don’t view IT security as a strategic initiative. Furthermore, “71 percent of IT Security executives at global energy producers state that their executive management team does not understand or appreciate the value of IT Security.” Q1 Lab’s’ Tom Turner, senior vice president of marketing and channels, didn’t mince words about that finding when we spoke last week.
“There’s clearly a disconnect between the IT practitioners who understand the risks and the C-suite of executives who end up funding the projects that address them,” he told me. “This survey becomes a validation point as well as a persuasive sales tool for IT security practitioners to make their case more effectively with their management about why they want to put better security intelligence sytems in place and make their networks more resilient.”
Amen to that. IT security experts are going to need help. Turner notes that the survey found that spending on physical security was 10 times that of IT security spending.
Dr. Larry Ponemon, founder and chairman of the Ponemon Institute (which conducted the survey), noted: “One of the scariest points that jumped out at me is that it takes, on average, 22 days to detect insiders making unauthorized changes, showing just how vulnerable organizations are today. These results show that energy and utilities organizations are struggling to identify the relevant issues that are plaguing their company from a security perspective.” The question is -- do they know what’s going on? The survey found that nearly three in four respondents (72 percent) claim that initiatives “are not effective at getting actionable intelligence (such as real-time alerts, threat analysis, and prioritization) about actual and potential exploits.”
Confirming what I’ve heard from a number of security experts, the survey found that 43 percent of respondents say the top security threat faced by their organization is negligent or malicious insiders; that’s also the top cause of data breaches.
Fewer than one-fourth of organizations (a meager 21 percent) believe their existing controls can protect them against exploits and attacks “through smart grid and smart meter-connected systems,” and two-thirds aren’t using state-of-the-art technologies to minimize risks to their SCADA networks. In fact, 77 percent of organizations say that compliance with industry-related regulations isn’t a priority, even though it’s the second-ranked security objective. Over half of respondents say that the regulatory environment has no impact on the effectiveness of their IT security.
“We were really taken aback by some of the results – especially that 71 percent of respondents believe that C-level executives don’t understand or appreciate security initiatives. This is further demonstrated by the statistic that the physical security budget is about 10X the information security budget,” said Turner in a statement. “IT Security in these organizations has the challenging task of protecting Critical Infrastructure against breach. Against a backdrop of Wikileaks, the Nasdaq Hack, the RSA breach, and the energy-specific Stuxnet virus, we have found that customers are crying out for Security Intelligence.”
I asked Turner if it’s going to take a major threat to get executives to pay attention. “Nothing focuses the mind quite like a breach that happens to you. The second best mind-focusing event is a breach that occurs to one of your peer group.”
If he conducts the survey again in a year, what will he expect to find based on the trends he’s seen? “I expect we’ll see a reduction in the number of IT security professionals who don’t think that executive management understands the importance of IT security -- very likely because we will have seen a significant exploit against a utility or energy company. We’ll also see that networks are getting better at providing security intelligence.”
-- James E. Powell
Editorial Director, ESJ
Posted by Jim Powell on 04/11/2011