Energy industry at risk of cyberattack, survey says

Asked which industry is the biggest target for cyberattack, critical infrastructure insiders in the U.S., Canada, and Europe point to the energy sector.

The energy industry also is the most vulnerable to cyberattacks and would have the most detrimental breach, while the financial sector is the best prepared in the case of a cyberattack, according to the survey sponsored by security firm Secure Computing. All other industries were deemed to be "not prepared" by greater than 50 percent of the respondents.

Survey participants from the U.S. and Canada were also asked how soon major exploits of critical infrastructure were likely to occur and more than half said they had already begun. Another 14 percent predicted that a major exploit was likely in the next 12 months. Only 2 percent said there would never be a severe exploit, according to the research released Monday.

Concerns about cyberattacks on the energy sector spurred U.S. lawmakers to consider legislation to broaden federal authority over electric companies in September.

Contributing to the increased vulnerability in the energy industry are: an increase in the number of access points through the use of sensors, smart meters, and third-party contractors with remote access capability; use of more IP-based networks; integration between corporate and operational networks; reliance on standard or commodity IT platforms such as Microsoft Windows; and lack of attention to security by network automation and control system vendors, according to a white paper on the research written by Energy Insights.

The biggest bottleneck to improving the security of critical infrastructure is cost, followed by apathy. Government bureaucracy and internal issues were tied for third place.

Nearly 200 industry leaders from the critical infrastructure industries completed the survey at industry events in August and September.

Security experts have discussed how easy it would be to break into a power plant. Cybersecurity worries prompted U.S. lawmakers in September to consider legislation to broaden federal authority over electric companies.

This chart shows how prepared respondents said specific industries are or aren't for cyberattack.

(Credit: Secure Computing)

[n3td3v]

I'm getting sick of all these reports and surveys coming out now that we've got a president-elect. Its obvious they are trying to influence the next administration as they are coming in and 100 days after. http://youtube.com/watch?v=FSUPTZVlkyU

[ferretboy88]

I'm sick of how anytime a Republican is in the white house the media is always super against them. They should be neutral.

[skswave]

We need to continue to point to the solution. Every endpoint device should have a capability for hardware based authentication and there should be no devices on the network that do not have SECURE device authentication. This model has worked really well for the cellular industry and has worked really well for the Cable industry. The standards are already in place, the Trusted Computing Group has Published specifications for the TPM (trusted Platform Module) It is an industry standard device now in over 275 million PCs. The technology leveraged networking standards that are already in every Access Point and Switch. By building a network where every device is authenticated and all traffic is encrypted we can dramatically reduce the attack vector.
Yes IT will actually have to register every device on the network but that's a good thing.
No this is not to hard to do. EVERYON who has a portable phone, or a garage door opener, or Blue tooth understands the concept of registration.
Every IT manager today has the ability to Turn on the TPM and start building a network of Known devices. The TPM is easy to use, Easy to configure and easy to manage but it is new.

Perhaps IT has gotten so stuck that only regulation can help them architect their networks but time will Tell. You PC manufacturer has invested in the tools to drive security forward and put them in every new PC now industry has to use them.

It is time to ask this question everytime an article like this is written.

Steven Sprague
CEO
Wave Systems Corp.

[weddie88]

I guess Steven doesn't understand that most critical infrastructure components such as SCADA systems do not support TPM. Many SCADA systems are difficult to protect since they communicate with non-standard protocols and no security vender in the world wants to invest in protecting a protocol which may only be used in one facility in the world. TPM is a good idea in theory but try building into 20 year old SCADA systems and you will have a mess on your hands.

[bilgisayar-danismani]

thank you for your useful sharing.
<a href="http://www.ersineser.com" title="notebook"><b>notebook</b></a>
i think same in Turkiye - istanbul.

[Harrison912]

Thanks, Elinor, for bringing this to our a attention. As a web site owner of safety and security products, I know preperation is important if we want to be safe. NOW is the time to prepare. Our enemies sure are!

[aspolicastro]

Security experts have been warning about the vulerabilities of our infrastructure for years. Maybe, it will take a major breach to awaken the people running the country's power grid and communications networks. I have always believed one day hackers would take control of a major part of the US infrastructure and hold the country hostage. Based on my research, I have written Dark End of the Spectrum where a group of hackers take over the power grid and cell phone network and hold the US hostage. I hope my book will make a difference in this all important issue. You can download a free copy at http://stores.lulu.com/aspnovelist.