Utility and energy industry executive management hasn't fully bought into IT security, according to a Ponemon Institute survey of IT and security practitioners in these critical infrastructure companies. Fewer than half the respondents said that security is a strategic priority across the enterprise, and only 29 percent said that their C-level executives fully understand and appreciate security initiatives.
Further, in the "State of IT Security: Study of Utilities & Energy Companies," sponsored by Q1 Labs, Ponemon reports that only three of 10 companies have clearly defined lines of responsibility and authority in security operations. "There's quite a disconnect between the IT security people, who we deal with day to day, and those in executive management, around the strategic importance of IT security," says Tom Turner, Q1 Labs senior VP of marketing and channels. "Against the backdrop of headlines, this was surprising."
Minimizing downtime, selected in 55 percent of the surveys, was by far the top security objective within the organization, followed by compliance with regulatory and legal mandates (38 percent). High-profile attacks such as Stuxnet notwithstanding, preventing or minimizing advanced persistent threats (APTs) was last on the list, at just 5 percent, and preventing cyber attacks was given short shrift compared with basic security goals, such as minimizing risks and vulnerabilities and improving the organization's security posture.
While IT and security personnel agreed that compliance was important to the organization, they don't think it's a major factor in improving security. Only 23 percent viewed compliance with standards such as the North American Electric Reliability Corporation-Critical Infrastructure Protection (NERC-CIP), a major security objective.
Negligent insiders and insecure Web applications (about four out of 10 each) are regarded as the top security threats to critical infrastructure, followed closely by "system glitches" (including process failures). The concern about negligence and system problems appears to support the high premium on up-time, and an overall message that the greatest concern is about internal failures rather than outside attack (11 percent of respondents cited malicious insiders as a top threat). Nation-state, terrorist or criminal syndicate-sponsored attacks were near the bottom of the threat list.