Survey: Insider Mistakes, Attacks Disrupting Critical Infrastructure
The industrial systems at power generation plants, oil and chemical refineries and other highly sensitive operations are not adequately protected and many of the same problems that lead to data breaches are causing disruptions to operations at critical infrastructure facilities, according to a new study issued today.
Immature security programs and loosely defined initiatives to address threats are leading to potentially dangerous security incidents at utility, oil and gas, alternate energy and manufacturing organizations, according to the Ponemon Institute survey of 599 global IT and IT security executives in 13 countries. Nearly 70 percent of survey respondents, all of whom worked in the energy, chemical or industrial manufacturing industries, said their organization experienced the loss of confidential information or a disruption to operations over the past 12 months.
"Organizations are not as prepared as they should be to deal with the sophistication and frequency of a cyberthreat or the negligence of an employee or third party," according to the report, commissioned by IT technology and services vendor, Unisys Corp. "In fact, the majority of participants in this study do not believe their companies’ IT security programs are 'mature.'"
[Related: The Total Global Cost Of Cybercrime? $400 Billion A Year And Growing]
Security experts and solution providers say far too many people hold the false belief that the systems at critical infrastructure facilities containing industrial controls systems (ICS) and supervisory control and data acquisition (SCADA) systems are completely disconnected from the Internet. An increasingly Internet-enabled workforce has weakened the traditional "air-gap" surrounding critical industrial machinery at the facilities, they say. Many new technologies that enable remote workers to monitor and respond to issues and conduct maintenance are weakening that gap, according to the study.
The root cause of 47 percent of the security incidents identified by survey respondents were traced to employee negligence or a careless insider with privileged user access, according to the report. Vulnerable applications, insecure databases and mobile devices are the most susceptible to data loss, the study found.
The five most effective security systems cited by survey respondents include identity and access management, perimeter or location surveillance and database scanning, according to the survey. But security vendors aren't solving underlying software security issues and system configuration weaknesses, experts say. A lot of breaches are made more severe by the failure to monitor and control user privileges, said Andrew Sherman, the security practice lead at Eden Technologies, a New York City-based security consultancy and solution provider. Data governance issues cause problems at many firms, Sherman said.
"People can't leak what they don't have access to," Sherman said. "You can use a lot of good technology make that effective that is a governance problem."
NEXT: Contractors, Service Providers Not Properly Vetted, Survey Found
Facility owners focus on minimizing downtime, which takes precedence over the prevention of cyberattacks, according to the study. Only 32 percent of those surveyed said improving the security posture of the company is a top security objective and a very small percentage cite cybersecurity training for all employees as a goal, the survey found.
Security programs are also not necessarily backed by a team of IT security professionals. In fact, some activities are being maintained by managed security services providers and independent consultants. Vetting of outside individuals is not a priority, according to those surveyed. Fifty-eight percent of respondents say their organizations are only partially or not vetting contractors, vendors and other third parties to make sure they have high security standards. Survey respondents also said that their organization has only one person overseeing security objectives and in some cases the business unit leader is responsible.
The Department of Homeland Security said last month that it is sharing classified threat information with managed security service providers that monitor systems for private sector owners of critical infrastructure facilities. AT&T and CenturyLink are share a link with DHS through its Enhanced Cybersecurity Services program. But DHS is seeking to create threat information sharing ties with other MSPs, said DHS Assistant Secretary Andy Ozment, speaking last month at the Forum of Incident Response and Security Teams (FIRST) Conference in Boston.
President Obama signed an executive order on cybersecurity last year to create a program to bolster the critical infrastructure protection at critical infrastructure facilities. The NIST Cybersecurity Framework is part of voluntary program to get organizations to reduce cyberthreat risks. But solution providers say voluntary guidelines alone may not be effective enough to create change. New rules need enforcement mechanisms, said Kevin Wheeler, founder and managing director at InfoDefense, a Dallas-based information security services firm. Wheeler pointed to HIPAA compliance, which started to get healthcare firms to embrace stronger data security measures following a period of high profile fines against organizations that experience a breach.
"When something is purely voluntary, it's a tough sell for security to be pitched internally and get buy-in from leadership," Wheeler said. "There will always be some security people who want to embrace it within organizations, but it won't be widespread."