Energy sector over-confident about IT security capacity

A survey by Tripwire has found that utilities think they can detect hackers despite not having the right tools.

“The truth is, the energy sector is woefully under-prepared for attacks on its infrastructure and this is a serious problem for all of us."
“The truth is, the energy sector is woefully under-prepared for attacks on its infrastructure and this is a serious problem for all of us."

Most energy companies believe they can detect hackers when undergoing a cyber-attack despite not having the right tools in place with which to do so, according to a new survey.


The research, carried out by Tripwire, found that IT professionals within that sector were very confident in their ability to collect the data needed to detect a cyber-attack with 72 percent of energy respondents believe they could detect configuration changes to endpoint devices on their organisation's network within hours, but over half (52 percent) said their automated tools did not pick up all the necessary information, such as the locations, department and other critical details, needed to quickly identify unauthorised configuration changes to endpoint devices that can indicate an attack in progress.


The research also found that 84 percent of energy respondents believe they would receive alerts within hours if their vulnerability scanning systems detected unauthorised devices. However, over half (52 percent) did not know how long it took to generate these alerts.


Around 73 percent of energy IT professionals believe they could detect unauthorised software added to the organisation's network within hours, but only 59 percent know exactly how long the detection process would actually take.


The study of 100 IT professionals in the energy sector also discovered that 44 percent said that less than 80 percent of patches succeed in a typical patch cycle. Forty percent of the respondents did not know how long it took to generate an alert if a system fails to log properly, however 95 percent assumed a report would be generated within hours.


“The energy sector has made significant improvements in securing their slice of the nation's critical infrastructure, but broader adoption of security best practices is still lacking,” said Tim Erlin, director of IT security and risk strategist for Tripwire. “While dedicated security staff are intimately familiar with the deployed capabilities and gaps, IT at large is often working on assumptions of protection.”


"The energy sector is at the heart of the transition of operational technology (OT) from stand alone to being hyper connected like IT - that's what IoT is all about. With productivity gains, the connectedness of OT also imports many of the risks IT has been facing from cyber-attacks” Jonathan Sander, vice president of Product Strategy at Lieberman Software told SCMagazineUK.com.

 

Power stations, whose biggest threat was bad guys with bolt cutters and bombs, now need to be just as nimble as IT cyber-defence specialists so they can fend off malware, zero days, and the rest. The OT side is trying to adopt the advances from IT security, but the OT folks don't know how to apply cyber-defence and the IT people don't have the domain knowledge to understand all the attack vectors on the OT systems.


John Madelin, CEO at RelianceACSN, told SC that it is hard to say that there appears to be a significant gap between how prepared the energy sector thinks it is for a cyber-attack, versus how prepared it really is.


“The truth is, the energy sector is woefully under-prepared for attacks on its infrastructure and this is a serious problem for all of us. The ‘BlackEnergy' hack on Ukraine last year, where the 1.4 million homes were plunged into darkness, not only demonstrates the power of nation state attacks but also the disruption that a successful breach on critical infrastructure has,” he said.