Power and utilities Introduction - PwC

May 23, 2020

Power and utilities

At risk and unready in an interconnected world // Key findings from The Global State of Information Security® Survey 2015

Introduction
Cyber attacks against power and utilities organizations have transitioned from theoretical to indisputable.

Over the past year, sophisticated cyber adversaries have infected the industrial control systems of hundreds of energy companies in the US and Europe; others successfully infiltrated a public utility via the Internet and compromised its control system network.

The volume of incidents increased dramatically in the past year. Power and utilities respondents to The Global State of Information Security® Survey (GSISS) 2015 report that the average number of detected incidents skyrocketed to 7,391, a six-fold increase over the year before. (We define a security incident as any adverse incident that threatens some aspect of computer security.)

Yet as attempts to compromise supervisory control and data acquisition (SCADA), industrial control, and information technology systems have soared, information security spending has not kept pace. Power and utilities respondents say security spending in 2014 increased by a comparatively modest 9%. In 2013, by contrast, survey respondents reported a significant 25% boost in security investments, which very well may account for a portion of this year’s increase in detected incidents. After all, organizations that spend more on security typically discover more incidents.

Callout (20+): Detected incidents soared to more than 20 per day, per organization.

GSISS 2015: Power and utilities results at a glance

Incidents
Average number of detected incidents: 1,179 (2013), 7,391 (2014)
Estimated total financial losses: $2.4M (2013), $1.2M (2014)

Even though businesses have invested more heavily in previous years, security spending has been stalled at 4% or less of the total IT budget for the past five years.

This lack of investment in security has very likely contributed to attrition of key security capabilities, including fundamental strategies, processes, technologies, and awareness programs. We also found some noteworthy improvements in security practices, but it’s worth pointing out that these advances were fewer and comparatively incremental.

All things considered, many power and utilities companies seem to be unready for the increasing risks of today’s interconnected world.

Sources of incidents
Current employees: 37% (2013), 38% (2014)
Former employees: 31% (2013), 30% (2014)
Hackers; current service providers/consultants/contractors: 17%, 29%, 20%, 14% (category and year labels lost in extraction)

Security spending
Average annual IS budget: $3.4M (2013), $3.7M (2014)
IS spend as percentage of IT budget: 4.0% (2013), 3.9% (2014)

Skilled threat actors

The primary threat actors—those who perpetrate security incidents—remained relatively constant in the past year.

Current and former employees are once again the most-frequent culprits of security incidents, cited by 38% and 30%, respectively, of respondents.

While incidents caused by employees often fly under the radar of the media, those committed by organized crime groups, activists, and nation-states typically do not.

This year, 14% of respondents attributed security incidents to activists and hacktivists, a 40% jump over 2013.

Often these groups employ powerful distributed denial of service (DDoS) attacks in an attempt to embarrass organizations for social or political ends, rather than to exfiltrate data or intellectual property. Similarly, the number of respondents who cited organized criminals as the source of attacks increased 31% over last year.

Cyber incidents attributed to nation-states continue to garner the lion’s share of attention.

They are keenly interested in energy, and they often target critical infrastructure providers and suppliers to steal IP and trade secrets as a means to advance their own political and economic advantage.

This year, incidents attributed to nation-states more than doubled over 2013. Given the ability of nation-state adversaries to carry out attacks without detection, we believe the volume of compromises is very likely under-reported.

Attacks by these threat actors remain among the least frequent, but they are also among the fastest-growing incidents.

Callout: 14% (2014) vs 10% (2013) of respondents attributed incidents to activists and hacktivists.

The fastest-growing sources of security incidents (increase over 2013)
Foreign nation-states: 118%
Information brokers: 48%
Activists/activist organizations/hacktivists: 40%
Organized crime: 31%

Security executives of power and utilities companies have told us that they also see security-incident patterns in which criminals seem to be indiscriminately “exploring” the network to find any data of any value. Once they find data, they quickly siphon it off and try to sell it.

That, in part, may account for the 43% rise in respondents who report that data was exploited as a result of security incidents, the most cited impact.

Financial losses decline

While the number of detected incidents increased dramatically, organizations say the financial impact of these security compromises lessened.

Power and utilities respondents say total financial losses resulting from security incidents declined to an average of $1.2 million, a 51% drop over 2013.

This finding seems counter-intuitive, given the huge upsurge in detected compromises.

In part, the discrepancy may be attributed to the 25% rise in security spending in 2013, which may have enabled organizations to more quickly detect and mitigate incidents before they caused real financial harm.

Another explanation may be that, while adversaries have been able to gain access to power and utilities companies’ networks, they are typically stopped before they can wreak havoc on operational and SCADA systems. And unlike the retail sector, which has been hit by a barrage of breaches, power and utilities companies hold comparatively few payment card records and therefore are not liable for costly mitigation of card theft and customer data.

We also looked into how power and utilities respondents calculate the financial consequences of security incidents, and found that many do not consider a full range of possible impacts, including costs associated with legal defense fees, court settlements, forensics, and reputational damage.

A more strategic approach is needed

As risks to IT, operational, and connected-field assets continue to rise, some power and utilities companies may need to take a more strategic approach to information security.

At the core of this initiative should be a risk-based cybersecurity program that enhances the ability to identify, manage, and respond to privacy and security threats.

It all starts with an information security strategy—or at least it should. However, we found the number of organizations that have an overall information security strategy dropped to 70% this year, down from 79% in 2013. Moreover, those that have a security strategy that is aligned with the specific needs of the business declined to 45%, from 65% last year.

An effective security strategy will allocate spending to the assets that are most valuable to the business. Power and utilities respondents show a more solid, if incomplete, commitment in this area: 62% say their security investments are allocated to the organization’s most profitable lines of business.

A basic tenet of an effective information security strategy is that it should be founded on risk management.

Power and utilities companies seem to be falling short of the fundamentals:

Only 54% say they have a unified security and controls framework and/or enterprise risk-management framework to address cybersecurity risks. Last year that number was 61%.

Many key security safeguards weaken

Before resources can be allocated, however, it will be necessary to first identify the organization’s most valuable assets and determine who owns responsibility for them. This is an area in which we found great potential for improvement: Only 54% of respondents have a program to identify sensitive assets, and the same number (54%) have an inventory of all third parties that handle personal data of customers and employees.

Cybersecurity and privacy should be embedded into an organization’s core, with a top-down commitment to security and ongoing employee training programs.

The number of organizations that have employee security-awareness training programs (47%) actually declined over last year, as did those that require personnel to complete training on privacy practices and policies (43%). Considering that employees are the leading source of security incidents, we believe that training should be universal and that accountability should cascade from the C-suite to every employee and third-party vendor and supplier.

Chart: Many key security safeguards weaken (2013 vs 2014)
Safeguards shown: Have information security strategy (79% in 2013, 70% in 2014); Active monitoring/analysis of information security intelligence; Secure access-control measures; Risk assessments of third-party vendors; Patch-management tools; Employee awareness and training program (47% in 2014); Intrusion-detection tools; Established security standards for external partners, suppliers, vendors and customers; Privileged user access; Require employees to complete privacy training (43% in 2014); Vulnerability scanning tools; Inventory of all third parties that handle personal data of employees and customers (54% in 2014); Security-event correlation tools.
Remaining extracted value pairs (2013/2014), whose assignment to the safeguards above was lost in extraction: 65/57, 59/56, 66/55, 68/55, 63/55, 50/54, 63/49, 39/48, 57/47, 50/44, 58/43, 56/43.

Strategic processes are often lacking

Chart: Strategic processes are often lacking (2013 vs 2014)
Program to identify sensitive assets: 45% (2013), 54% (2014)
Have a unified security and controls framework for cybersecurity risks: 61% (2013), 54% (2014)
Information security strategy is aligned with specific business needs: 65% (2013), 45% (2014)
A senior executive communicates importance of security to entire enterprise: 65% (2013), 46% (2014)
Collaborate with others to improve security: 54% (2013), 36% (2014)
Have cyber insurance: 52% (2013), 33% (2014)

An effective security program will require top-down commitment and communication.

Yet fewer than half (46%) of organizations have a senior executive who communicates the importance of information security to the entire enterprise. That’s a substantial drop from last year (65%) and demonstrates that the executive team may not be taking adequate ownership of cyber risks.

To do so, senior executives should proactively ensure that the Board of Directors understands how the organization will detect, defend against, and respond to cyber threats. Despite all the discussion following high-profile retailer breaches, many power and utilities companies have not elevated security to a Board-level discussion.

Consider, for instance, that only 26% of respondents say their Board of Directors participates in the overall security strategy. Fewer (23%) say their Board is involved in reviews of current security and privacy risks—a crucial component of any effective security program. The area in which Boards are most likely to participate is the security budget (40%).

Finally, cyber threats, technologies, and vulnerabilities are evolving at lightning speed, and sharing information among public and private entities has become central to a strong cybersecurity program.

More than half (55%) of overall survey respondents across industries say they collaborate with others to share security intelligence and tactics. Among power and utilities respondents, however, the number of organizations that collaborate sank to 36% this year, a sharp drop from 2013.

Guidelines for advancing security

This year’s survey indicates that power and utilities organizations are falling behind in key practices.

For many, it may be necessary to reposition the security strategy by more closely linking technologies, processes, and tools with the organization’s broader risk-management activities.

International standards provide a good measure to gauge preparedness and build a strong cybersecurity program. Some of the most widely used include ISO/IEC 27001, COBIT 5, and ISA 62443. A new set of guidelines from the US National Institute of Standards and Technology (NIST) compiles these global standards into one framework, providing an up-to-date model for implementing and improving risk-based security.

The voluntary NIST Cybersecurity Framework, which targets critical infrastructure providers and suppliers, has been adopted by 11% of US power and utilities respondents; an additional 22% say adoption is a future priority.

This comparatively low implementation rate is not necessarily discouraging; it’s a matter of timing. The Framework was released in February 2014, and our survey was conducted from March 27, 2014 to May 25, 2014, giving organizations little time to embrace the Framework.

Among those that have, most (54%) say they have leveraged the Framework to determine their risk based on Implementation Tiers, which are designed to help companies understand the maturity of their current cybersecurity risk-management capabilities. It seems very likely that organizations with mature security practices may have adopted some of the Framework’s controls and standards, while not formally implementing the entire set of guidelines.

No matter whether companies have adopted the Framework fully or partially, it seems to be elevating the discussion on cybersecurity. We believe that organizations across industries and even geographies can gain significant benefits by adopting the guidelines at the highest possible risk-tolerance level. As the world’s sophisticated organized criminals and nation-states devise new ways to compromise systems and steal intellectual property of power and utilities companies, the Framework provides the right foundation for proactive, risk-based cybersecurity.

Callout: 11% have adopted the NIST Cybersecurity Framework; 22% say adoption is a future priority.

Gearing up for convergence

The convergence of information, operational, and consumer technologies will very likely introduce tremendous benefits for businesses and significant conveniences for their customers.

It also will create a new world of security risks, a possibility that power and utilities respondents are beginning to address.

In fact, 25% of respondents say they have already implemented a security strategy for the convergence of information, operational, and consumer technologies, most often referred to as the Internet of Things. An additional 27% say they are working on a strategy.

When asked to name primary drivers for security spending, this year 17% of respondents cited modernization of field assets such as IP-connected process control systems, compared with 6% last year. This increased focus on connected field assets suggests that power and utilities respondents are gearing up for the Internet of Things.

Contacts

To have a deeper conversation about cybersecurity, please contact:

Brad Bauch, Principal, 713 356 [email protected]

Darren Highfill, Director, 678 419 [email protected]

www.pwc.com/gsiss2015 // www.pwc.com/cybersecurity

PwC helps organisations and individuals create the value they’re looking for. We’re a network of firms in 157 countries with more than 184,000 people who are committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

The Global State of Information Security® is a registered trademark of International Data Group, Inc.

United States