According to a recently released report by the Ponemon Institute, titled "The State of IT Security: A Study of Utilities and Energy Companies", the majority of companies in the energy sector are not prepared to defend against cyber security threats.
As is usually the case with security, the big disconnect is at the executive level: seventy-one percent of the almost three hundred security professionals surveyed indicated that the CxO level does not comprehend the importance of network security.
Larry Ponemon commented on the report in a blog post, stating that "research revealed that utilities and energy companies in our study are more concerned about preventing downtime tha[n] stopping a cyber attack. In addition, a majority of respondents said that compliance with standards such as NERC CIP is not a top priority. Most surprisingly, only 16 percent of respondents believe that their organization's existing controls are designed to protect against exploits and attacks through the smart grid."
Despite an impressive amount of data available from several leading security research companies citing the marked increase in threats to Supervisory Control and Data Acquisition (SCADA) systems used to provide operations control for critical infrastructure and production networks, including energy production and distribution, top-level leadership has failed to make investment in security a priority.
"One of the big surprises in this survey was that despite increasing cyber attacks on networks, the strategic importance of IT security among C-level executives hasn't increased. It seems that the industry is very reactive in terms of IT security investment," said Tom Turner of Q1 Labs, which sponsored the survey.
Responding to the increased threats to the nation's critical infrastructure, the International Society of Automation last month announced the formation of a task group to conduct a gap analysis on the ANSI standards governing SCADA security.
The ISA99 standard offers guidance to SCADA systems operators on how to mitigate risks from threats and vulnerabilities, and the gap analysis will evaluate how well organizations following the standard would have responded to a Stuxnet-type attack.
Stuxnet is a highly sophisticated designer virus that wreaks havoc with SCADA systems that provide operations control for critical infrastructure and production networks.
Also, the North American Electric Reliability Corporation (NERC) approved new industry protocols on January 24, 2011, which are now collectively referred to as the CIP Version 4 standards: CIP-002-4 through CIP-009-4.
But even improved standards cannot guarantee improved security measures.
"We do see a number of organizations come to us to use our technologies to meet NERC guidelines. However, compliance really depends on how prescriptive the standards are. If the standards are too generic then people are left to do what they deem best and perhaps that doesn't drive the level of security that a control standard ought to," Turner said.
Again, translating information and network security issues into the language of the boardroom is one of the biggest challenges security professionals face.
In the case of defending our nation's critical infrastructure, the translation needs to go beyond merely conveying network defense efforts in terms of mitigating enterprise risk; the conversation also needs to touch on the issue of strengthening our national security.