Study: Security not prioritized in critical infrastructure, though most admit compromise
Nearly 70 percent of critical infrastructure orgs said their company experienced a security compromise in the last year.
In a study, most IT execs at critical infrastructure companies revealed that their organization was compromised in the last year, but only 28 percent of them said that security was a top priority across their enterprise.
Nearly 600 global IT and IT security execs across 13 countries were polled for the “Critical Infrastructure: Security Preparedness and Maturity” report, released Thursday. And of those respondents, 67 percent said they had dealt with at least one security compromise, leading to the loss of confidential information or disruption to operations, at their companies.
The report (PDF), published jointly by global IT firm Unisys and the Ponemon Institute, aimed to shed light on how critical infrastructure organizations – including utilities and those serving the energy, manufacturing, and oil and gas sectors – addressed cyber security threats.
Fifty-seven percent of respondents said the risk level to industrial control systems (ICS) and SCADA networks had substantially increased because of cyber threats, but more than half (55 percent) said that only one person at their organization was responsible for the security of those systems.
Twenty-five percent of participants said they had no dedicated personnel for such duties, while only five percent said they had a department dedicated to ICS and SCADA security.
In an interview with SCMagazine.com, Dave Frymier, CISO of Unisys, found it concerning that so many respondents seemed to be knowledgeable about threats to their organizations, but that this awareness hadn't translated to a heightened focus on security.
“Over 60 percent [of participants] said they expected another breach to occur in the 12-month period,” Frymier said. “Yet, only 25 percent of them said that security was one of the top five things they were interested in. They were interested in uptime, or availability – [meaning] when you turn the switch, the light comes on. But when you have a security event, it will definitely affect some aspect of this,” he said.
In the report, Unisys recommended that critical infrastructure organizations adopt cost-effective security strategies by aligning them with other business strategies and goals, and by managing identities and entitlements to improve identity assurance and reduce "critical employee errors," as 47 percent of respondents said an "accident or mistake" was the root cause of their security breaches in the past year.
In addition, Unisys advised critical infrastructure operators to isolate ICS and SCADA end-points to reduce attack surfaces at their companies.
“All critical industries and utilities have a goal of zero safety incidents and zero downtime, yet these goals increasingly depend on zero security incidents,” the report said.