Oil companies and others with critical infrastructure are ill-prepared to thwart computer system threats, even though more than two-thirds have had at least one significant security compromise in the past year, according to a report released Thursday.
The Ponemon Institute analysis shows that the people in charge of managing critical control systems know their organizations are not ready for the sophistication and frequency of cyberattacks.
Just 17 percent of the 599 security executives at utility, oil, gas, energy and manufacturing companies surveyed by the research group said they had deployed most of their major information technology initiatives meant to fend off cyberattacks.
And only 28 percent of the respondents said security was one of the top five strategic priorities at their organizations.
"This is a big issue, and you'd expect folks to be engaged," said Larry Ponemon, head of the institute that conducted the survey, who instead sees a "big disconnect" between the corporate levels and the people doing security.
The result is that while "people across the board recognize the problem and impact of security, as an organizational priority it is not in the top five," Ponemon added. "People aren't doing enough."
The survey was commissioned by Unisys Corp., a Pennsylvania-based information technology company that sells security software, including a program meant to cloak certain devices, data and users within a network.
The findings dovetail with other sobering reports on lapses from IT firm Symantec and telecommunications giant Verizon.
Energy firms are attacked regularly - recently by Russian hackers calling themselves "Energetic Bear" and "Dragonfly." And those attacks are increasingly successful, with energy companies now suffering more breaches than banks.
Unisys chief information security officer Dave Frymier said it might take a disaster to get C-suite executives' attention.
"As depressing as it may be, we do think there just needs to be a precipitating event" before executives prioritize the issue, Frymier said. "Unfortunately, there's going to have to be something bad that gets everybody's attention."
Last year's data breach involving Target may have spurred retailers to bolster defenses, but that doesn't mean the hardening has spread to other sectors.
Frymier said the "bad guys" - which could include corporate spies, terrorists and even national governments - are likely already lurking inside the networks of the companies that control major infrastructure.
And according to the Unisys-Ponemon report, the risk is mounting, despite heightened regulations and voluntary standards meant to strengthen the resilience of industrial control systems.
The companies are improving the security of their systems, Ponemon said, but they may not be keeping up with a faster-moving bar of expectations.
Unisys chief technology officer Mark Cohn said major challenges to bolstering cyber defenses include the transition away from compartmentalized computer systems to flatter, more expansive ones. Video cameras and alarms that used to be hard-wired into systems are now linked in networks, and more easily compromised.
Hackers also may be able to short-circuit safeguards in systems called "supervisory control and data acquisition" that monitor and control activities at electric utilities, gas pipelines and oil production sites. Companies may depend on those systems to serve up warnings about an attack, but determined hackers may be able to fool the computer programs.
For instance, workers and the supervisory control system itself might see evidence that a gas pipeline was still flowing even if it had been cut off.
The survey included respondents from 13 countries; at least 63 percent were in the energy space, including 26 percent in the oil and gas sector. Others surveyed worked for chemical manufacturers and water utilities.
Seventy-eight percent of respondents said a successful attack against their control systems is at least somewhat likely within the next two years - even though 68 percent said they were using state-of-the-art technologies to minimize security risks to control systems.
Nearly half of the security incidents that respondents reported were traced to a "negligent employee." And almost a fourth of the incidents were blamed on negligent employees who had privileged access.
Frymier said cultural and age differences between top executives and security officials may be one reason for the disconnect in the perception of vulnerability and the steps companies are taking to address the risks.
The report showed security professionals think the risks may lie more within their organization than outside. Only 19 percent of respondents cited attacks by nations, terrorists or criminal syndicates as among their top three security threats, in contrast to 54 percent who fingered "negligent insiders."
©2014 the Houston Chronicle