Researchers looking at “quantifiable differences in security performance” across industries from August 1, 2014, to August 1, 2015, found “challenging performance trends” in the critical energy and utilities sector.
The third annual BitSight Insights Industry Benchmark report analyzed security ratings of nearly 10,000 organizations in six industries: finance, federal government, retail, energy and utilities, healthcare, and education. Over the past year, BitSight researchers noted a dip in the performance of companies in the energy and utility sector, with the average rating being 652 (see figure). (BitSight Security Ratings range from 250 to 900, with higher ratings equating to higher security performance.) That makes the industry’s ranking better than that for healthcare but worse than the retail sector, whose breaches seem to attract the most media attention.
Although the report does not break out power generation within the energy and utilities industry, it does note that control systems are major targets, especially as “more control systems are brought online,” and notes that the U.S. government has been tracking attacks against the energy industry through its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
The energy and utilities ranking for the study period ending August 1 was 652—little changed from last year’s 653. However, given the critical importance of the industry, the rating is lower than it should be. “Energy and Utility companies need to shore up their servers to protect against SSL vulnerabilities,” the report says. “Companies in this sector are still vulnerable to Heartbleed (5.2%), FREAK (40.5%) and POODLE (74.8%).” All three flaws were public well before the study period ended: Heartbleed (CVE-2014-0160) is the OpenSSL memory-disclosure bug and is closed only by patching the library; POODLE (CVE-2014-3566) is a padding-oracle attack that needs SSLv3 to be enabled; and FREAK (CVE-2015-0204) is a downgrade to export-grade RSA cipher suites. The last two are fixed by server configuration alone, which makes the 74.8% figure especially hard to excuse.
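The configuration change the report is asking for is small. The fragment below is an added illustration, not material from the BitSight report or from POWER: a legacy nginx TLS server block that is exposed to POODLE and FREAK, beside the corrected form. The host name, certificate paths, and cipher list are assumptions chosen for the example.

```nginx
# Added example (not from the BitSight report). Host name and paths are hypothetical.

# --- Weak: still offers SSLv3 (POODLE) and export-grade suites (FREAK) ---
server {
    listen 443 ssl;
    server_name portal.example-utility.test;
    ssl_certificate     /etc/ssl/certs/portal.pem;
    ssl_certificate_key /etc/ssl/private/portal.key;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # SSLv3 is what POODLE needs
    ssl_ciphers   ALL;                           # on an old OpenSSL, ALL includes EXPORT (40/56-bit) suites -> FREAK
}

# --- Corrected: SSLv3 gone, export/NULL/RC4/DES/MD5 suites excluded,
#     server (not client) chooses the suite ---
server {
    listen 443 ssl;
    server_name portal.example-utility.test;
    ssl_certificate     /etc/ssl/certs/portal.pem;
    ssl_certificate_key /etc/ssl/private/portal.key;

    ssl_protocols TLSv1.2;                       # add TLSv1.3 where nginx and OpenSSL support it
    ssl_ciphers   'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5';
    ssl_prefer_server_ciphers on;
}
```

Two caveats. First, no configuration fixes Heartbleed; that requires an OpenSSL build at 1.0.1g or later (or a vendor backport) and a restart of every process that loaded the old library, followed by reissuing any keys that were exposed while the bug was live. Second, if you verify the change from the outside with `openssl s_client -connect host:443 -ssl3` or `-cipher EXPORT`, the scanning machine's own OpenSSL must still have SSLv3 and export suites compiled in, or the handshake will fail for the wrong reason and look like a clean result.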
Looking forward, although modernization of systems and increasing connections to the Internet “will improve the efficiency and performance of the grid, they will increase its vulnerability to potential cyberattacks” too, the report notes.
“There is no question that energy and utility systems are vulnerable and will be attacked. Organizations will never be able to protect against everything, but they need to continuously monitor their security posture in order to identify and mitigate issues before too much damage is done,” said Stephen Boyer, co-founder and CTO of BitSight. “Benchmarking can also serve as a key indicator of security performance, allowing an organization to better understand their own posture, as well as that of the third parties with which they share their data. Given recent headlines that illustrate this security gap, we must look beyond our own companies and focus attention on those that access our information.”
BitSight uses publicly accessible data to rate companies’ security performance on a daily basis. Observed security events and configurations, such as communication with a botnet, malware distribution, and email server configuration, are assessed for severity, frequency, and duration and used to generate security ratings. A rating therefore reflects what an outside observer can see of a company’s network (compromised hosts beaconing out, malware served from its address space, the state of its externally exposed servers), not the strength of its internal controls. Industry ratings are calculated using a simple average of the BitSight Security Ratings of companies in that sector.
Finance consistently has ranked as the top performing industry in BitSight’s industry benchmark reports while education has consistently been the lowest performing. The federal government, on average, ranked second-highest despite the recent major Office of Personnel Management breach.
—Gail Reitenbach, PhD, editor (@GailReit, @POWERmagazine)