Monday, April 11, 2011

Apparently, Many Utility Execs Continue to Use the Snooze Button on Security

Just 5 more minutes ... please ... zzzzzzz.

Actually, these chaotic days, I'm glad to hear some folks can still sleep soundly.

You must be familiar with power numbers have to persuade, right? Well, I'm shocked (Shocked!) to report that what we thought was true is now, in fact, empirically, demonstrably, numerically true. Thanks to the keen eyes of many colleagues and community members, I've received 50+ emails forwarding news of a just-released study by the respected Ponemon Institute.

Here are most provocative/telling numbers IMHO:
67 percent of information-technology professionals surveyed said their organizations had not deployed the best-available security to guard against hackers and Internet viruses, according to a report released today by Ponemon Institute LLC, an information-security research group.
Not sure the "best available" is good enough based on issues we know to be true with how the "supply chain" does and does not market secure products to utilities. But I think you/we get the point.
More than 75 percent of global energy organizations surveyed admit to having suffered at least one data breach over the last 12 months .... Furthermore, 69 percent of organizations feel a data breach is very likely or likely to occur over the next 12 months
Hmmm, those are pretty big numbers. What kind of data and how much was revealed on how many I wonder.
71 percent said their companies’ top executives don’t understand or appreciate the value of information-technology security, according to the report ...
This finding is what drives everything else. Low executive understanding of the business case for improving security = perpetually constrained funding and legacy organizational approaches for security. And it's our fault that there are no practical means for demonstrating, or witnessing, said desired improvement.
One of the big surprises in this survey was that despite increasing cyber attacks on networks, the strategic importance of IT security among C-level executives hasn’t increased,” said Tom Turner, SVP at Q1 Labs.
    Why do you think that is? Are utility executives as cold and uncaring about protecting their business operations and their customers' sensitive data as this study seems to suggest? Do utility execs walk away clean when their organizations are breached and targeted cyber attacks cause loss of reliability, money or life?  I sincerely doubt it.

    And what about operational technology (OT) security ... keeping the generators, control centers, substations and all safe from malicious attack? Though not mentioned in the report, this has got to be at least as big a challenge at securing the IT side of the house.

    One more thing: Larry Ponemon says utility execs “are more concerned about preventing downtime than stopping a cyber attack.” I posit reliability and security are much more tightly coupled than many in positions of power think. And as long as we remain inarticulate, incapable of demonstrating that relationship in a manner comprehensible to all, then only real-world cyber incidents causing major outages will compel a change of attitude and changes in executive behavior. I'd really rather it didn't come to that, though.

    OK, back to numbers. I'm 100% sure we've got a lot of great folks working on the tech parts of the problem. Maybe we should spend 50% our time thinking this through ... and articulating our answers ... in language senior business folks can understand more than they do now. Much more.

    For a great counterpoint/companion piece, see Dale Peterson's response to the same Ponemon study on the Digital Bond blog, HERE. With a comment from German Stuxnet wrangler Ralph Langner, no less.

    Darn, there's that alarm again. Alright, I'm getting up!

    Photo credit: Sean McGrath on

    No comments: