Power and utilities
At risk and unready in an interconnected world // Key findings from The Global State of Information Security® Survey 2015
Introduction
Cyber attacks against power and utilities organizations have transitioned from theoretical to indisputable.
Over the past year, sophisticated cyber adversaries have infected the industrial control systems of hundreds of energy companies in the US and Europe; others successfully infiltrated a public utility via the Internet and compromised its control system network.
The volume of incidents increased dramatically in the past year. Power and utilities respondents to The Global State of Information Security® Survey (GSISS) 2015 report that the average number of detected incidents skyrocketed to 7,391, a six-fold increase over the year before. (We define a security incident as any adverse event that threatens some aspect of computer security.)
Yet as attempts to compromise supervisory control and data acquisition (SCADA), industrial control, and information technology systems have soared, information security spending has not kept pace. Power and utilities respondents say security spending in 2014 increased by a comparatively modest 9%. In 2013, by contrast, survey respondents reported a significant 25% boost in security investments, which very well may account for a portion of this year’s increase in detected incidents. After all, organizations that spend more on security typically discover more incidents.
GSISS 2015: Power and utilities results at a glance

Incidents (chart): detected incidents soared to more than 20 per day, per organization.
Average number of detected incidents: 1,179 (2013); 7,391 (2014)
Estimated total financial losses: $2.4M (2013); $1.2M (2014)

Even though businesses have invested more heavily in previous years, security spending has been stalled at 4% or less of the total IT budget for the past five years.
This lack of investment in security has very likely contributed to attrition of key security capabilities, including fundamental strategies, processes, technologies, and awareness programs. We also found some noteworthy improvements in security practices, but it’s worth pointing out that these advances were fewer and comparatively incremental.
All things considered, many power and utilities companies seem to be unready for the increasing risks of today’s interconnected world.
Sources of incidents (chart): percentage of respondents citing each source
Current employees: 37% (2013); 38% (2014)
Former employees: 31% (2013); 30% (2014)
Hackers and current service providers/consultants/contractors were also charted for 2013 and 2014.
Security spending (chart)
Average annual IS budget: $3.4M (2013); $3.7M (2014)
IS spend as percentage of IT budget: 4.0% (2013); 3.9% (2014)
Skilled threat actors

The primary threat actors, those who perpetrate security incidents, remained relatively constant in the past year.
Current and former employees are once again the most-frequent culprits of security incidents, cited by 38% and 30%, respectively, of respondents.
While incidents caused by employees often fly under the radar of the media, those committed by organized crime groups, activists, and nation-states typically do not. Attacks by these threat actors remain among the least frequent, but they are also among the fastest-growing incidents.
This year, 14% of respondents attributed security incidents to activists and hacktivists, up from 10% in 2013, a 40% jump. Often these groups employ powerful distributed denial of service (DDoS) attacks in an attempt to embarrass organizations for social or political ends, rather than to exfiltrate data or intellectual property. Similarly, the number of respondents who cited organized criminals as the source of attacks increased 31% over last year.
Cyber incidents attributed to nation-states continue to garner the lion’s share of attention. They are keenly interested in energy, and they often target critical infrastructure providers and suppliers to steal IP and trade secrets as a means to advance their own political and economic advantage.
This year, incidents attributed to nation-states more than doubled over 2013. Given the ability of nation-state adversaries to carry out attacks without detection, we believe the volume of compromises is very likely under-reported.
The fastest-growing sources of security incidents (chart: increase over 2013)
Foreign nation-states: 118%
Information brokers: 48%
Activists/activist organizations/hacktivists: 40%
Organized crime: 31%

Security executives of power and utilities companies have told us that they also see security-incident patterns in which criminals seem to be indiscriminately “exploring” the network to find any data of any value. Once they find data, they quickly siphon it off and try to sell it.
That, in part, may account for the 43% rise in respondents who report that data was exploited as a result of security incidents, the most cited impact.
Financial losses decline

While the number of detected incidents increased dramatically, organizations say the financial impact of these security compromises lessened.
Power and utilities respondents say total financial losses resulting from security incidents declined to an average of $1.2 million, a 51% drop from 2013. This finding seems counter-intuitive, given the huge upsurge in detected compromises.
In part, the discrepancy may be attributed to the 25% rise in security spending in 2013, which may have enabled organizations to more quickly detect and mitigate incidents before they caused real financial harm.
Another explanation may be that, while adversaries have been able to gain access to power and utilities companies’ networks, they are typically stopped before they can wreak havoc on operational and SCADA systems. And unlike the retail sector, which has been hit by a barrage of breaches, power and utilities companies hold comparatively few payment card records and therefore do not bear the costly remediation that follows theft of card and customer data.
We also looked into how power and utilities respondents calculate the financial consequences of security incidents, and found that many do not consider a full range of possible impacts, including costs associated with legal defense fees, court settlements, forensics, and reputational damage.
A more strategic approach is needed

As risks to IT, operational, and connected-field assets continue to rise, some power and utilities companies may need to take a more strategic approach to information security. At the core of this initiative should be a risk-based cybersecurity program that enhances the ability to identify, manage, and respond to privacy and security threats.
It all starts with an information security strategy, or at least it should. However, we found the number of organizations that have an overall information security strategy dropped to 70% this year, down from 79% in 2013. Moreover, those that have a security strategy that is aligned with the specific needs of the business declined to 45%, from 65% last year.
A basic tenet of an effective information security strategy is that it should be founded on risk management. Here power and utilities companies seem to be falling short of the fundamentals: only 54% say they have a unified security and controls framework and/or enterprise risk-management framework to address cybersecurity risks, down from 61% last year.
An effective security strategy will allocate spending to the assets that are most valuable to the business. Power and utilities respondents show a more solid, if incomplete, commitment in this area: 62% say their security investments are allocated to the organization’s most profitable lines of business.
Before resources can be allocated, however, it will be necessary to first identify the organization’s most valuable assets and determine who owns responsibility for them. This is an area in which we found great potential for improvement: only 54% of respondents have a program to identify sensitive assets, and the same number (54%) have an inventory of all third parties that handle personal data of customers and employees.
Cybersecurity and privacy should be embedded into an organization’s core, with a top-down commitment to security and ongoing employee training programs.
The number of organizations that have employee security-awareness training programs (47%) actually declined over last year, as did those that require personnel to complete training on privacy practices and policies (43%). Considering that employees are the leading source of security incidents, we believe that training should be universal and that accountability should cascade from the C-suite to every employee and third-party vendor and supplier.

Many key security safeguards weaken (chart: percentage of respondents reporting each practice, 2013 vs. 2014)
Have information security strategy
Active monitoring/analysis of information security intelligence
Secure access-control measures
Risk assessments of third-party vendors
Patch-management tools
Employee awareness and training program
Intrusion-detection tools
Established security standards for external partners, suppliers, vendors and customers
Privileged user access
Require employees to complete privacy training
Vulnerability scanning tools
Inventory of all third parties that handle personal data of employees and customers
Security-event correlation tools
Strategic processes are often lacking (chart: percentage of respondents, 2013 vs. 2014)
Program to identify sensitive assets: 45% (2013); 54% (2014)
Have a unified security and controls framework for cybersecurity risks: 61% (2013); 54% (2014)
Information security strategy is aligned with specific business needs: 65% (2013); 45% (2014)
A senior executive communicates importance of security to entire enterprise: 65% (2013); 46% (2014)
Collaborate with others to improve security: 54% (2013); 36% (2014)
Have cyber insurance: 52% (2013); 33% (2014)

An effective security program will require top-down commitment and communication.
Yet fewer than half (46%) of organizations have a senior executive who communicates the importance of information security to the entire enterprise. That’s a substantial drop from last year (65%) and suggests that the executive team may not be taking adequate ownership of cyber risks.
To take that ownership, senior executives should proactively ensure that the Board of Directors understands how the organization will detect, defend against, and respond to cyber threats. Despite all the discussion following high-profile retailer breaches, many power and utilities companies have not elevated security to a Board-level discussion.
Consider, for instance, that only 26% of respondents say their Board of Directors participates in the overall security strategy. Fewer (23%) say their Board is involved in reviews of current security and privacy risks, a crucial component of any effective security program. The area in which Boards are most likely to participate is the security budget (40%).
Finally, cyber threats, technologies, and vulnerabilities are evolving at lightning speed, and sharing information among public and private entities has become central to a strong cybersecurity program.
More than half (55%) of overall survey respondents across industries say they collaborate with others to share security intelligence and tactics. Among power and utilities respondents, however, the number of organizations that collaborate sank to 36% this year, down from 54% in 2013.
Guidelines for advancing security

This year’s survey indicates that power and utilities organizations are falling behind in key practices. For many, it may be necessary to reposition the security strategy by more closely linking technologies, processes, and tools with the organization’s broader risk-management activities.
International standards provide a good measure to gauge preparedness and build a strong cybersecurity program. Some of the most widely used include ISO/IEC 27001, COBIT 5, and ISA 62443. A new set of guidelines from the US National Institute of Standards and Technology (NIST) references these global standards within one framework, providing an up-to-date model for implementing and improving risk-based security.
The voluntary NIST Cybersecurity Framework, which targets critical infrastructure providers and suppliers, has been adopted by 11% of US power and utilities respondents; an additional 22% say adoption is a future priority.
This comparatively low implementation rate is not necessarily discouraging; it’s a matter of timing. The Framework was released in February 2014, and our survey was conducted from March 27, 2014 to May 25, 2014, giving organizations little time to embrace the Framework.
Among those that have adopted it, most (54%) say they have used the Framework’s Implementation Tiers, which are designed to help companies understand the maturity of their current cybersecurity risk-management capabilities. It seems very likely that organizations with mature security practices have adopted some of the Framework’s controls and standards without formally implementing the entire set of guidelines.
No matter whether companies have adopted the Framework fully or partially, it seems to be elevating the discussion on cybersecurity. We believe that organizations across industries and even geographies can gain significant benefits by adopting the guidelines at the highest tier their risk tolerance supports. As the world’s sophisticated organized criminals and nation-states devise new ways to compromise systems and steal intellectual property of power and utilities companies, the Framework provides the right foundation for proactive, risk-based cybersecurity.
Gearing up for convergence

The convergence of information, operational, and consumer technologies will very likely introduce tremendous benefits for businesses and significant conveniences for their customers. It also will create a new world of security risks, a possibility that power and utilities respondents are beginning to address.
In fact, 25% of respondents say they have already implemented a security strategy for the convergence of information, operational, and consumer technologies, most often referred to as the Internet of Things. An additional 27% say they are working on a strategy.
When asked to name primary drivers for security spending, this year 17% of respondents cited modernization of field assets such as IP-connected process control systems, compared with 6% last year. This increased focus on connected field assets suggests that power and utilities respondents are gearing up for the Internet of Things.
Contacts

To have a deeper conversation about cybersecurity, please contact:
Brad Bauch, Principal, 713 356 [email protected]
Darren Highfill, Director, 678 419 [email protected]
www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity

PwC helps organisations and individuals create the value they’re looking for. We’re a network of firms in 157 countries with more than 184,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
The Global State of Information Security® is a registered trademark of International Data Group, Inc.
United States