Energy Sector Leaders Still Not Taking Cyber Threats Seriously, Survey Finds

Companies and organizations in the energy sector remain vulnerable to cyber attacks, which could result in the loss of intellectual property and leave critical infrastructure prone to damage, according to arecently released study.

Many of the world’s utility, oil and gas, energy and manufacturing companies have immature cyber security programs, according to a survey sponsored by Unisys and conducted by the Ponemon Institute. It polled 599 info-tech executives in 13 countries. Most respondents reported that security programs in their companies were unorganized and ill-equipped to handle network and other kinds of computer intrusions.

“As the findings reveal, organizations are not as prepared as they should be to deal with the sophistication and frequency of a cyber threat or the negligence of an employee or third party. In fact, the majority of participants in this study do not believe their companies’ IT security programs are ‘mature,’” the report said.

Although IT security executives are aware of the threats to industrial control systems (ICS) and supervisory control and data acquisition systems (SCADA), the IT professionals in the organizations said their companies are not fully committed to preventing attacks. The companies included utilities, oil and gas companies and manufacturers of alternative energy products.

The data revealed that as a strategic priority, reducing the risk of cyber threats is low across the energy sector.

A majority of respondents — 57 percent — said they believed the cyber risks to ICS and SCADA systems have increased, yet only 28 percent ranked security as one of the top five strategic priorities for their organization.

Over the last 12 months, about two-thirds of these global industries claimed they have had at least one security compromise that led to the loss of confidential information or to the disruption of operations.

Negligent employees were a root cause of security breaches, the report said. And while insider threats are recognized as the greatest risk to cyber security, only 6 percent of the organizations said they trained their employees to spot such threats.

In general, network security professionals lack confidence in the ability of their organizations to combat these attacks. According to the survey, most leaders believe the IT security programs at their organizations are stuck in the middle stages of maturity. Unisys defines the “middle stage” as having IT security program activities clearly defined, but only partially deployed.

Fewer than 20 percent said IT security programs at their respective organizations were fully deployed.

Many enterprises had few resources for addressing the dangers of cyber attacks — either by design, lack of experience, or budget constraints, the study said. The writers of the report suggested that unwillingness to allocate resources would continue until the world suffered a major cyber incident.

To reduce attacks, the report proposes that companies implement more agile and non-disruptive security networks and enforce user credentials policies.

Topics: C4ISR, Cybersecurity