Do utility companies slight IT security?

Do utilities and energy companies spend huge amounts for physical security but slight information-technology security?

By Ellen Messmer

April 06, 2011 | Network World

That's what's suggested by the results of a survey of 291 information technology professionals in industries that have to operate both industrial-control systems and the type of business systems, such as billing, procurement and human resources, used elsewhere.

The Ponemon Institute's "State of IT Security: Study of Utilities & Energy Companies" found that 29% of respondents said their organization's budget for physical security ranged between $20 to $40 million per year, and 32% said over $40 million. But the IT security budget was dramatically less. Twenty-one percent had less than $1 million in their budget for IT security each year, 32% had up to $2 million, 16% had $2 to $4 million, 13% had $4 million to $6 million and 11% had between $6 million and $8 million. Only 7% had a bigger budget, and nothing over $14 million.

"The concept of physical security permeates the security mindset," says Dr. Larry Ponemon, head of the Ponemon Institute, about the findings related to the utility and energy companies, which are expected to be published in a report later this month.

The interviews with many of the survey participants suggest that often ideas about security are dominated by the idea of preventing downtime, Ponemon said.

The companies involved in the survey present a broad mix — all were U.S.-based but many had operations in Canada, Europe, the Middle East, Africa, Asia and Latin America. But one thing they had in common was they operated supervisory control and data acquisition systems (SCADA) that manage energy generation or pipelines, and they all faced regulation under the Federal Energy Regulatory Commission and the North American Electric Reliability Corp. Critical Infrastructure Protection (CIP) guidelines.

About half the survey respondents said they believe their organizations have sufficient resources to achieve compliance with security standards, such as those prescribed by NERC.

Less than half believe their organizations "see security as a strategic priority across the enterprise," or are "dedicated to preventing or detecting Advanced Persistent Threats," or use "state-of-the-art technologies to minimize risks to SCADA networks."

Only 32% believe their security organization is "dedicated to protecting the nation's critical infrastructure." Only 29% said they thought their organization "views IT security as equally important to physical security."

According to the survey, 77% said compliance with standards such as NERC's is not a major security objective. Sixty-nine percent perceived their security operations as having no "clearly defined lines of responsibility and authority." Sixty-one percent said "contractors, vendors and other third parties" are not "held to high standards for security as a business condition."
