Study: Security not prioritized in critical infrastructure, though most admit compromise

Nearly 70 percent of critical infrastructure orgs said their company experienced a security compromise in the last year.

In a study, most IT execs at critical infrastructure companies revealed that their organization was compromised in the last year, but only 28 percent of them said that security was a top priority across their enterprise.

Nearly 600 global IT and IT security execs across 13 countries were polled for the “Critical Infrastructure: Security Preparedness and Maturity” report, released Thursday. And of those respondents, 67 percent said they had dealt with at least one security compromise, leading to the loss of confidential information or disruption to operations, at their companies.

The report (PDF), published jointly by global IT firm Unisys and the Ponemon Institute, aimed to shed light on how critical infrastructure organizations – including utilities and those serving the energy, manufacturing, and oil and gas sectors – addressed cyber security threats.

Fifty-seven percent of respondents said the risk level to industrial control systems (ICS) and SCADA networks had substantially increased because of cyber threats, but more than half (55 percent) said that only one person at their organization was responsible for the security of those systems.

Twenty-five percent of participants said they had no dedicated personnel for such duties, while only five percent said they had a department dedicated to ICS and SCADA security.

In an interview with SCMagazine.com, Dave Frymier, CISO of Unisys, found it concerning that so many respondents seemed to be knowledgeable of threats to their organizations, but that this awareness hadn't translated to a heightened focus on security.

“Over 60 percent [of participants] said they expected another breach to occur in the 12-month period,” Frymier said. “Yet, only 25 percent of them said that security was one of the top five things they were interested in. They were interested in uptime, or availability – [meaning] when you turn the switch, the light comes on. But when you have a security event, it will definitely affect some aspect of this,” he said.

In the report, Unisys recommended that critical infrastructure organizations adopt cost-effective security strategies by aligning them with other business strategies and goals, and by managing identities and entitlements to improve identity assurance and reduce "critical employee errors," as 47 percent of respondents said an "accident or mistake" was the root cause of their security breaches in the past year.

In addition, Unisys advised critical infrastructure operators to isolate ICS and SCADA end-points to reduce attack surfaces at their companies.

“All critical industries and utilities have a goal of zero safety incidents and zero downtime, yet these goals increasingly depend on zero security incidents,” the report said.
