In this latest installment of our series on security issues in a variety of industries, we look at the utilities and energy sectors. These companies represent a prime market for managed services providers (MSPs) and value-added resellers (VARs), because for any country, protecting the energy grid must be a high priority.
A chilling and widely reported bit of news surfaced recently when the director of the U.S. National Security Agency (NSA) warned that Chinese cyber attacks could shut down the U.S. infrastructure, including the power grid.
As reported by Reuters, China and "probably one or two" other countries have the ability to invade and possibly shut down computer systems of U.S. power utilities, aviation networks and financial companies, Admiral Mike Rogers, director of the NSA testified to the U.S. House of Representatives Intelligence Committee on cyber threats.
Attackers have been able to penetrate such systems and perform "reconnaissance" missions to determine how the networks are put together, Rogers said, and what concerns the government is that access can be used by nation-states, groups or individuals to take down those systems.
And as reported by CNN, Rogers, who also serves as head of U.S. Cyber Command, said the U.S. has detected malware from China and elsewhere on U.S. computer systems that affect the daily lives of every American.
Cyber security threats to the power grid and the energy and utilities industries in general certainly hit home for everyone—literally. As winter approaches in the northern hemisphere, no one wants to think about losing electricity and heat.
And to be sure, companies in this sector are facing their share of security incidents. According to a report by consulting from PwC and CIO and CSO magazines, “The Global State of Information Security Survey 2015,” which queried 9,700 business and technology executives worldwide from March to May 2014, 45% of those in the energy, utilities and mining sectors said they had detected at least 10 security incidents in the past 12 months, and more than a quarter of the respondents had detected 50 or more incidents.
That compares with 39% for all industries that reported at least 10 incidents, and 24% that reported 50 or more. Companies in these businesses face a range of potential attackers, according to the report, including current and former employees, current and former service providers, competitors, hackers, organized crime and activists.
Another study paints a scary picture of the cyber security threats facing these industries. The research report released by Ponemon Institute and Unisys in July 2014, “Critical Infrastructure: Security Preparedness and Maturity,” found “alarming security gaps in the world’s critical infrastructure organizations that could impact their ability to prevent devastating attacks to disrupt power generation and other critical functions.”
The study surveyed 599 IT and IT security executives at utility, oil and gas, alternate energy and manufacturing organizations in 13 countries from April to May 2014. The survey asked respondents how they are addressing cybersecurity threats to protect their organizations’ information assets and critical infrastructure, and the results highlighted the concerns of many executives regarding the security of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems that monitor and control the processes and operations for power generation and other critical infrastructure functions, according to the researchers.
For example, nearly 70% of the critical infrastructure managers surveyed reported at least one security breach that led to the loss of confidential information or disruption of operations in the past 12 months. Nearly 80% said a successful attack on their organization’s ICS or SCADA systems is at least somewhat likely within the next 24 months. Still, only one in six respondents described their organization’s IT security program or activities as “mature.”
Most companies have not fully deployed their IT security programs, according to the report. Only 17% reported that most of their IT security program activities are deployed. Half of the respondents said their IT security activities have not yet been defined or deployed, or they have defined activities but they are only partially deployed. And only 28% of the respondents reported that security is one of the top five strategic priorities across the enterprise.
What the Congressional testimony and the industry research about potential and actual attacks should make clear is that these vital sectors need to be protected against security breaches with the most effective and comprehensive security technology available.
Technologies such as anti-malware software, mobile security tools and security for virtualized computing environments can help utilities and energy companies better protect their systems and data. As a VAR or MSP, you can help them deploy these solutions, and help keep these critical infrastructure components from being compromised.