Critical Infrastructure Companies Lack Cyberdefenses
Although the U.S. government has established a framework for managing cybersecurity risks, it is voluntary, and few of the world's critical infrastructure companies follow it. NIST's guidance "is very daunting, and many agencies don't know where to start," said Tripwire CTO Dwayne Melancon. So, they "either do nothing or try to do too much and fail, or they seek outside help."
Jul 11, 2014 7:19 AM PT
Companies providing the world's critical infrastructure are woefully unprepared for cyberattacks despite the increasing threat level, evidenced by the release of the Stuxnet worm and the Shamoon virus in recent years, a survey conducted jointly by the Ponemon Institute and Unisys has found.
Nearly 70 percent of the 599 oil, gas, utility, energy and manufacturing companies surveyed reported at least one security breach in the past 12 months that cost them confidential information or disrupted operations.
Further, 64 percent of the respondents expected one or more serious cyberattacks this year.
However, only 28 percent ranked security as one of the top five strategic priorities for their organization. Meanwhile, a majority considered minimizing downtime their top business priority.
Squishy Humans Are a Risk
Most of the respondents that suffered data breaches over the past year attributed them to an internal mistake or accident.
Negligent insiders were the most cited threat to company security.
However, only 6 percent of respondents said they provided cybersecurity training for all employees.
"Numerous studies … across multiple industries have shown human error is the major source of breach," Stu Sjouwerman, CEO, KnowBe4, told TechNewsWorld.
"Defense in depth, which includes stepping all employees through security awareness training to create a human firewall, is a vital step in preventing unauthorized access," he said.
The breakroom training sessions conducted annually by many companies won't do, Sjouwerman cautioned. "Effective training is now being offered, with real-world scenarios to keep security top of mind."
The survey, conducted online from April to May, polled senior security executives from companies in 13 countries.
Trouble With a Capital 'T'
Cyberattacks against critical infrastructure companies have increased, Dwayne Melancon, CTO of Tripwire, told TechNewsWorld.
The problem is severe enough that Aegis, which provides liability and property insurance and related risk management services to the utility and energy industries, recently launched a new package, CyberResilience. It offers first- and third-party coverage for cyberattacks against operational technology and critical infrastructure, in addition to data protection and privacy insurance.
However, awareness of cyberattacks has increased as well, with greater scrutiny, more continuous monitoring, and executive attention on the critical infrastructure, Melancon said, referring to a White House executive order issued in February of last year.
Rules for the Industry
The National Institute of Standards and Technology in February unveiled a security framework in keeping with the executive order.
The framework "references globally accepted standards, guidelines and practices" so both U.S. and foreign organizations can use it to "efficiently operate globally and manage new and evolving risks," Adam Sedgewick, senior information technology policy advisor at NIST, told TechNewsWorld.
NIST "has been actively sharing the framework with other countries," he said.
Why Cybersecurity Is Inching Along
The framework is voluntary, and there is no enforcement of adherence to its guidelines.
That may be why critical infrastructure companies are not following the framework's recommendations: NIST's guidance "is very daunting, and many agencies don't know where to start," Tripwire's Melancon pointed out. So, they "either do nothing or try to do too much and fail, or they seek outside help."
Certain aspects could be made mandatory, but this "could be tricky, because one size definitely doesn't fit all when it comes to effective security," Melancon said. "I prefer we focus on the universal IT capabilities that help all organizations … the first four controls of the SANS Top 20, which can be mapped to a subset of the NIST framework."
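To make Melancon's suggestion concrete, here is an added example (editor's code, not from the article, Tripwire, SANS or NIST) of what the first two of those controls look like in practice: reconciling the devices seen on a network and the software installed on hosts against an authorized inventory, with each finding tagged with the NIST Cybersecurity Framework subcategory it supports. The inventory, DHCP log excerpt and package lists are constructed for illustration, and the control-to-subcategory mapping (ID.AM-1 for devices, ID.AM-2 for software) is the editor's, not one the page provides.

```python
"""Reconcile observed devices and installed software against an authorized inventory.

Added example, not code from the article or from the organizations it quotes.
Implements the gist of SANS Critical Security Controls 1 and 2 (inventory of
authorized/unauthorized devices and software) and tags each finding with the
NIST CSF v1.0 subcategory it maps to. All input data below is constructed.
"""
import csv
import io
import re

# Constructed authorized hardware inventory (MAC -> hostname, owner).
AUTHORIZED_DEVICES_CSV = """mac,hostname,owner
00:1a:2b:3c:4d:01,hmi-01,ot-ops
00:1a:2b:3c:4d:02,historian-01,ot-ops
00:1a:2b:3c:4d:03,eng-ws-07,engineering
"""

# Constructed approved-software list: package name -> set of approved versions.
APPROVED_SOFTWARE = {
    "openssh-server": {"6.6p1"},
    "ntp": {"4.2.6p5"},
}

# Constructed DHCP server log excerpt (simplified DHCPACK lines).
DHCP_LOG = """\
Jul 10 02:14:01 dhcpd: DHCPACK on 10.20.0.11 to 00:1a:2b:3c:4d:01 (hmi-01)
Jul 10 02:15:40 dhcpd: DHCPACK on 10.20.0.12 to 00:1a:2b:3c:4d:02 (historian-01)
Jul 10 03:02:17 dhcpd: DHCPACK on 10.20.0.57 to 08:00:27:aa:bb:cc (DESKTOP-R9K2)
Jul 10 03:02:20 dhcpd: DHCPACK on 10.20.0.12 to 00:1a:2b:3c:4d:02 (historian-01)
"""

# Constructed per-host installed package reports: host -> [(name, version), ...].
INSTALLED_SOFTWARE = {
    "historian-01": [("openssh-server", "6.6p1"), ("ntp", "4.2.6p5"),
                     ("teamviewer", "9.0.32150")],
    "eng-ws-07": [("openssh-server", "6.6p1"), ("ntp", "4.2.8p3")],
}

# Editor's mapping of the two controls onto NIST CSF v1.0 subcategories (assumption).
CSF_MAP = {
    "unauthorized_device": "ID.AM-1",    # physical devices and systems are inventoried
    "unauthorized_software": "ID.AM-2",  # software platforms and applications are inventoried
}

LEASE_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((\S+)\))?")


def load_authorized(csv_text):
    """Return {mac: row} for the authorized device inventory."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(csv_text))}


def observed_devices(log_text):
    """Parse DHCPACK lines into {mac: {"ip", "hostname"}}, keeping the latest lease per MAC."""
    seen = {}
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            ip, mac, name = m.groups()
            seen[mac.lower()] = {"ip": ip, "hostname": name or ""}
    return seen


def unauthorized_devices(authorized, observed):
    """CSC 1: devices on the wire that are not in the authorized inventory."""
    return {mac: info for mac, info in observed.items() if mac not in authorized}


def unauthorized_software(installed, approved):
    """CSC 2: packages that are not approved at all, or installed at an unapproved version."""
    findings = []
    for host, packages in installed.items():
        for name, version in packages:
            if name not in approved:
                findings.append((host, name, version, "not approved"))
            elif version not in approved[name]:
                findings.append((host, name, version, "unapproved version"))
    return findings


def report(authorized, observed, installed, approved):
    """Combine both checks into findings tagged with control and CSF subcategory."""
    findings = []
    for mac, info in unauthorized_devices(authorized, observed).items():
        findings.append({"control": "CSC 1", "csf": CSF_MAP["unauthorized_device"],
                         "subject": f"{mac} {info['ip']} {info['hostname']}".strip()})
    for host, name, version, why in unauthorized_software(installed, approved):
        findings.append({"control": "CSC 2", "csf": CSF_MAP["unauthorized_software"],
                         "subject": f"{host}: {name} {version} ({why})"})
    return findings


if __name__ == "__main__":
    auth = load_authorized(AUTHORIZED_DEVICES_CSV)
    for f in report(auth, observed_devices(DHCP_LOG), INSTALLED_SOFTWARE, APPROVED_SOFTWARE):
        print(f"{f['control']} [{f['csf']}] {f['subject']}")
```

Two caveats a practitioner would add before relying on this: a DHCP log only sees hosts that ask for a lease, so a rogue device with a static address never appears (pair it with switch CAM tables, ARP data or passive discovery), and a MAC address is trivially spoofed, so a match against the inventory is evidence of authorization, not proof of it.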
Security, Compliance and Proper Training
Remember that compliance does not equal security, KnowBe4's Sjouwerman pointed out.
"Former Target executives can tell you all about the audits they passed just before being taken out by user error," Sjouwerman said. "All it takes is one click."
The Target department store chain lost the credit card numbers of 40 million customers at its nearly 1,800 stores nationwide, in what has been called one of the largest retail data breaches on record, after ignoring warnings generated by its recently installed alert system.