State of IT Security -- A Study of Utilities and Energy Companies
In a 2011 article from PC World (www.pcworld.com), titled "After Stuxnet, A Rush to Find Bugs in Industrial Systems," Terry McCorkle, Information Security Red Team, Boeing, Inc., acknowledged that industrial manufacturers and organizations are experiencing a large learning curve when it comes to cyber-security issues and practices. McCorkle says, "The situation is reminiscent of what happened to Windows a decade ago, when hackers began picking apart Microsoft's products. Industrial vendors are basically just 10 years behind the curve on security. It's like we're going back to the '90s."
That observation is the major theme of the "State of IT Security: Study of Utilities and Energy Companies." It seems "everybody" is late to the party on cyber security, including industrial vendors, IT leaders, operations personnel and, in particular, corporate-level executives.
The study cites that 71 percent of C-level executives do not fully understand and appreciate security initiatives within their organization, and "only 39 percent of energy organizations say their program is dedicated to detecting or preventing Advanced Persistent Threats." The report also states 67 percent of the organizations are not using what would be considered "state of the art" technologies to minimize risks to SCADA networks.
This disconnect by C-level executives on cyber-security issues may not be that surprising. During the recession and cost-cutting mantra of the 2000s, operations needed to sell upper management on "operational risk," not necessarily IT security. The return on investment (ROI) of security measures is hard to measure, as noted in Wes Iversen's Automation World, August 2010 feature, "Justifying Cyber Security Expenditures" (bit.ly/secure001).
The study also points to a lack of leadership and overall accountability for security programs within energy organizations. So who's ultimately responsible for ensuring security objectives are achieved within the organization? Surprisingly, the top response, at 29 percent, was "that no one has overall responsibility." The Security Leader or Chief Security Officer (CSO) came in second at 18 percent, and the third spot, at 15 percent, went to an IT Security Leader responsible for security objectives within the organization. The takeaway seems clear: defined roles for cyber-security objectives are just not there yet.
Additionally, bar chart 16 of the study provides an extrapolated average of the budgets or earmarks for IT and physical security. The total IT security budget averages a paltry $3,358 within an overall security budget average of $27,235. With just over 10 percent of the total security budget devoted to IT security (see chart 2), organizations are not prioritizing IT security, which suggests companies do not yet understand what security products are needed.
With the Stuxnet virus penetrating mainstream media sources, discussion of data breaches and network security vulnerabilities has reached a higher level. After Stuxnet, the next question is how often data breaches are occurring at utilities, and of what kind. According to the survey, 76 percent of respondents' organizations have suffered one or more data breaches during the past 12 months (survey data collection was finished in March 2011), and 22 percent say their organizations have experienced two or more data breach incidents.
So what are these security incidents? Fifty-six percent of respondents say databases and 52 percent say endpoints (PCs and smart phones connecting to the network) were the two core systems compromised as a result of IT security incidents during the past 12 months. Other incidents involved storage devices (27 percent), enterprise resource planning (ERP) applications (25 percent), servers (8 percent) and SCADA networks (5 percent).
The takeaway is that security objectives need to be defined quickly for the energy industry, and budgets need to be devoted to IT security, not just physical security. One other ominous data point from this study suggests that reported security breach costs have been minimal over the last year. The study adds, "Only 4 percent of the respondents see the average cost as more than $500,000" from security incidents over the past 12 months.
Of note, respondents in this study include: public and private electric utilities (68 percent), oil and gas production (13 percent), gas utility (9 percent), oil and gas retailer (5 percent), water utility (3 percent) and other (2 percent).
-- Grant Gerke, Automation World Digital Managing Editor, edited this study's findings.
Link to the full version of this white paper at bit.ly/study001
This study was sponsored by Q1 Labs and independently conducted by Ponemon Institute LLC. Publication Date: April 2011.
