Utilities Don't Consider Security To Be A Strategic Priority, Ponemon Study Shows

Utility and energy industry executive management hasn't fully bought into IT security, according to a Ponemon Institute survey of IT and security practitioners in these critical infrastructure companies. Fewer than half the respondents said that security is a strategic priority across the enterprise, and only 29 percent said that their C-level executives fully understand and appreciate security initiatives.

Further, in the "State of IT Security: Study of Utilities & Energy Companies," sponsored by Q1 Labs, Ponemon reports that only three of 10 companies have clearly defined lines of responsibility and authority in security operations. "There's quite a disconnect between the IT security people, who we deal with day to day, and those in executive management, around the strategic importance of IT security," says Tom Turner, Q1 Labs senior VP of marketing and channels. "Against the backdrop of headlines, this was surprising."

Minimizing downtime, selected in 55 percent of the surveys, was by far the top security objective within the organization, followed by compliance with regulatory and legal mandates (38 percent). High-profile attacks such as Stuxnet notwithstanding, preventing or minimizing advanced persistent threats (APTs) was last on the list, at just 5 percent, and preventing cyber attacks was given short shrift compared with basic security goals, such as minimizing risks and vulnerabilities and improving the organization's security posture.

While IT and security personnel agreed that compliance was important to the organization, they don't think it's a major factor in improving security. Only 23 percent viewed compliance with standards such as the North American Electric Reliability Corporation-Critical Infrastructure Protection (NERC-CIP), a major security objective.

Negligent insiders and insecure Web applications (about four out of 10 each) are regarded as the top security threats to critical infrastructure, followed closely by "system glitches" (including process failures). The concern about negligence and system problems appears to support the high premium on up-time, and an overall message that the greatest concern is about internal failures rather than outside attack (11 percent of respondents cited malicious insiders as a top threat). Nation-state, terrorist or criminal syndicate-sponsored attacks were near the bottom of the threat list.The concern with downtime was not unexpected, says Turner, but he expected a more vigorous response to smart grid security. Only one in 20 respondents consider insecure smart meters a top threat. "We hear a lot of concern on smart meters about personal information and tampering that utilities fear could occur," Turner says. "And, there's concern on the consumer side about personal information that goes out from the smart meter to the utility network about use of electricity."

The IT response to smart grid security indicates that most utility companies are not well-positioned to protect the smart grid. Only about a fifth of the respondents feel that their existing security control adequately protects against attacks on smart grid systems and meters.

Protecting smart meters ranked fifth among six security priorities, far behind the top priorities, protecting supervisory control and data acquisition (SCADA) networks and enterprise systems. About 40 percent said they had taken no new steps to secure the smart grid, while a third were unsure. Firewalling electronic access and limiting third-party physical access are the most common protective measures, followed by ensuring smart meter security monitoring of suspicious traffic from the meter to the utility and limiting access to consumer and energy consumption data.

The survey shows that physical security costs remain overwhelming, with budgets running about nine times the amount spent on digital security. Most utilities (about 60 percent) spend between $18 million and $40 million on physical security.

See more on this topic by subscribing to Network Computing Pro Reports Security: Epic Fail (subscription required).