A majority of companies controlling critical infrastructure across the world said they had been attacked in the past year and expected to be attacked again in the next year, yet few placed cybersecurity among their top priorities, according to a new study.
Sixty-four percent of respondents recognized the imminence of cyber attacks, but only 20 percent agreed that compliance, industry standards, state-of-the-art security tools and adequate resourcing for cyber threats were priorities in their organizations.
“They knew there was a problem…but they weren’t sure what to do about it,” said Dave Frymier, chief information security officer for Unisys [UIS], which co-authored the study with the Ponemon Institute.
Most respondents said their security architectures were in early to mid-phases of deployment. Nearly 60 percent said they do not have training programs in place for employees, nor do they strictly enforce the existing security policies. In addition to their own employees, companies also fail to thoroughly vet their subcontractors and suppliers, creating space for cyber vulnerabilities in the supply chain.
One of the survey’s more surprising findings was how few people are assigned to security roles, said Larry Ponemon, chairman and founder of the Ponemon Institute.
“These are big companies and only one person is dedicated to the security of industrial controls,” he said at a dinner launching the study.
Fifty-five percent of respondents said they only have one person in charge of security, while 20 percent said they had no one. Only 15 percent said they had multiple people or a department responsible for security.
Maintaining uptime on their systems was the top IT concern for respondents. Additionally, about half were not confident, or were unsure, that they would be able to maintain operational functionality while upgrading from legacy systems.
“The picture I’m painting is very dismal,” Ponemon said.
While there has not been a cataclysmic attack on critical infrastructure, such as power or water utilities, the survey’s authors agreed such an occurrence is needed to convince industry of the risks.
“We do think there needs to be a precipitating event,” Frymier said.