According to a recent survey by independent research organization Ponemon Institute and Unisys, industrial cybersecurity is a lot like diet and exercise. Most of us know we should do a lot more of it than we do—but we don't.
The study, "Critical Infrastructure: Security Preparedness and Maturity," found big security gaps in the world's critical infrastructure organizations that could impact their ability to prevent devastating attacks to disrupt power generation and other critical functions. The study surveyed 599 global IT and IT security executives at utility, oil and gas, alternate energy and manufacturing organizations in 13 countries from April to May 2014. These industries have become high-risk targets for cybersecurity incidents.
According to the survey, only 17% of companies represented in the research self-reported that most of their IT security program activities are deployed. Fifty percent say either that their IT security activities haven't been defined or deployed (7%), or they've defined activities, but they're only partially deployed (43%). Only 28% of respondents agree that security is one of the top five strategic priorities across the enterprise. At the same time, 57% of respondents agree that cyber threats put industrial control systems and SCADA at greater risk. Ten percent more (67%) say their companies have had at least one security compromise that led to the loss of confidential information or disruption to operations over the past 12 months.
So what are companies waiting for?
Reasons cover everything from lack of knowledge about threat severity to worry about the cost-effectiveness of remedial efforts and the effect they might have on uptime. A full one-third of those surveyed reported they were unaware of the potential vulnerabilities in their ICS/SCADA environment, and another 19% said they were unsure about the degree of threat.
The perception that much of their corporate network is out of the control of those responsible for security is another factor. Sixty-eight percent said that up to a quarter of their network components, including third-party endpoints such as smartphones and home computers, are outside the direct control of their organization's security operations. Another 30% estimate that between one-quarter and three-quarters of their networks are out of their control.
Finally, there's that "is-it-worth-it" factor. When asked whether they were confident they could upgrade legacy systems to improve security while maintaining operation functionality and cost-effectiveness, more than half said they were not very confident or unsure.
The complete report is available at www.unisys.com.