55% of the surveyed companies have only one individual in charge of IT security

Jul 15, 2014 11:47 GMT  ·  By

A survey of 599 employees responsible for IT security measures in critical infrastructure companies revealed that most of these entities have not fully deployed their IT security programs.

The study was conducted independently between April and May this year by the Ponemon Institute and was sponsored by Pennsylvania-based global IT company Unisys. It included IT security executives in 13 countries, all of them familiar with security regulations regarding the protection of information assets and critical infrastructures.

According to the report, only 17% of the surveyed companies have initiated measures to mitigate the risk of cyber-attacks, although 57% believe “cyber-threats are putting industrial control systems and SCADA at greater risk.”

67% of the respondents acknowledge that their companies have been affected by at least one security compromise in the past year, which led to loss of sensitive information or disruption of operations.

In some cases (24%), the incidents occurred because of an insider attack or the carelessness of IT users with elevated privileges.

The figures in the survey show that most respondents are aware of the high risks industrial control systems (ICS) face if their security posture is not improved.

“Security maturity levels are mostly at the early or middle stage,” reads the report, which also says that “the majority of companies say important security governance activities are only partially or not implemented at all.”

“Specifically, 58 percent of the respondents say their organizations are only partially or not vetting contractors, vendors and other third parties to make sure they have high security standards. Similarly, compliance with security requirements is only partially or not strictly enforced.”

The report also highlights that companies take no proactive approach to mitigating future security risks and instead focus on immediate incidents, because minimizing downtime is considered more important than adopting security measures to prevent cyber-attacks.

Furthermore, only 32% of the respondents recognize improving the security posture as a top objective, and even fewer (6%) offer cyber-security training programs for their employees.

More than half (55%) of the surveyed entities said they had only one person responsible for the security of the ICS/SCADA systems. More worryingly, a quarter of the respondents said they had no one to fulfil this duty and 5% did not know.

Databases, computer systems (desktops, laptops, smartphones and tablets), cloud-based systems, servers and ICS were among the most attacked assets, while the most vulnerable to attacks were applications, databases, mobile devices, routers/switches, and servers.

The survey included utility, oil and gas, energy and manufacturing companies, and Ponemon acknowledges that the results rely on the subjects' self-reported responses, not all of which may have been accurate.