Report Shows Energy Infrastructure Susceptible to Attack

Thursday, April 07, 2011

Anthony M. Freed


According to a recently released report by the Ponemon Institute, titled "The State of IT Security: A Study of Utilities and Energy Companies", the majority of companies in the energy sector are not prepared to defend against threats to cyber security.

As is usually the case with security, the big disconnect is at the executive level, with seventy-one percent of the almost three hundred security professionals surveyed indicating that the CxO level does not comprehend the importance of network security.

Larry Ponemon commented on the report in a blog post, stating that "research revealed that utilities and energy companies in our study are more concerned about preventing downtime tha[n] stopping a cyber attack. In addition, a majority of respondents said that compliance with standards such as NERC CIP is not a top priority. Most surprisingly, only 16 percent of respondents believe that their organization's existing controls are designed to protect against exploits and attacks through the smart grid."

Despite an impressive amount of data available from several leading security research companies citing the marked increase in threats to Supervisory Control and Data Acquisition (SCADA) systems used to provide operations control for critical infrastructure and production networks, including energy production and distribution, top-level leadership has failed to make investment in security a priority.

“One of the big surprises in this survey was that despite increasing cyber attacks on networks, the strategic importance of IT security among C-level executives hasn’t increased. It seems that the industry is very reactive in terms of IT security investment,” said Tom Turner of Q1 Labs, which sponsored the survey.

Responding to the increased threats to the nation's critical infrastructure, the International Society of Automation last month announced the formation of a task group to conduct a gap analysis on the ANSI standards governing SCADA security.

The ISA99 standard offers guidance to SCADA systems operators on how to mitigate risks from threats and vulnerabilities, and the gap analysis will evaluate how well organizations following the standard would have responded to a Stuxnet-type attack.

Stuxnet is a highly sophisticated designer virus that wreaks havoc with SCADA systems, which provide operations control for critical infrastructure and production networks.

Also, the North American Electric Reliability Corporation (NERC) approved new industry protocols on January 24, 2011, which are now collectively referred to as the CIP Version 4 standards: CIP-002-4 through CIP-009-4.

But even improved standards cannot guarantee improved security measures.

“We do see a number of organizations come to us to use our technologies to meet NERC guidelines. However, compliance really depends on how prescriptive the standards are. If the standards are too generic then people are left to do what they deem best and perhaps that doesn’t drive the level of security that a control standard ought to,” Turner said.

Again, translating information and network security issues into the language of the boardroom is one of the biggest challenges security professionals face.

In the case of defending our nation's critical infrastructure, the translation needs to go beyond merely conveying network defense efforts in terms of mitigating enterprise risk; the conversation needs to touch on the issue of strengthening our national security.

John Burnham: Full disclosure; I represent the sponsor of the study, Q1 Labs.
Your closing statement resonated with me:
"..the conversation needs to touch on the issue of strengthening our national security."

But as the study pointed out, only 9% of the respondents answered affirmatively to "Secure the national critical infrastructure (including the smart grid)" as a top security objective. This would be consistent with the primary focus on maintaining system uptime, understandably.