A new survey revealed that only one in four utility companies (28 percent) have plans to execute a major security project in the next two years. BRIDGE Energy Group released the findings of its 2017 BRIDGE Index Grid Operations survey, which polled over 20,000 utility employees across North America, uncovering alarming statistics that suggest overconfidence in the energy sector. “The low percentage of major security projects is concerning,” said the utility consultancy and systems integration firm.
“Even though the U.S. distribution grid isn’t covered by CIP requirements, utilities seemingly have a false belief that a Ukraine-like incident can’t happen in the U.S.”
Among the top issues impacting both ongoing and planned security initiatives, survey respondents cited “integration of related systems/data,” as well as “supply and availability of experienced staff.” “Supporting normal operations while also staffing projects with the required combination of OT and security know-how continues to challenge utilities,” the company noted. “A lack of system/data integration is limiting visibility into security risks,” said BRIDGE Energy Group.
When it comes to security and compliance metrics, less than 30 percent of respondents said they use a dashboard or geospatial visualizations, and another 30 percent said they don’t report compliance metrics at all. Without analytical reporting and visualizations, companies face the risk of future compliance failures and weaken their ability to ensure timely threat detection, the company added.
Additional key findings from the survey included:
- 48% of survey respondents say they plan on having a minor security project in the coming 24 months
- 76% have not yet fully integrated their real-time security and operations data
- 69% have a formal standard for calculating risk, while 31% still do not
- Only 25% of utilities have developed a chain of command for primary operations security
In late 2016, Tripwire’s Breach Detection Study revealed similar findings regarding breach overconfidence in the energy sector. Out of more than 780 IT professionals surveyed, 72 percent of energy respondents reported they felt very confident in their ability to collect the data needed to detect a cyber attack. However, over half (52 percent) also said their automated tools did not pick up all the necessary information needed to quickly determine indicators of an attack already in progress.
“The energy sector has made significant improvements in understanding and mitigating risk through the NERC Critical Infrastructure Protections standard, but the threat landscape continues to evolve,” said Tim Erlin, director of IT security and risk strategy at Tripwire.
“Organizations’ defensive tools and techniques need to evolve to match the threat,” he said.