Which are the best and worst performing sectors in the US in terms of cyber vulnerability and/or safety?
The third annual BitSight Insights Industry Benchmark report has found that energy/utilities and health care rank behind finance, the federal government and even retail when it comes to cyber safety.
Covering 10,000 organisations across six industries, the report notes a slight dip in the performance of energy and utility companies.
Scored out of 900 total points, the energy and utility sector scores 652. Its cyber safety score in 2014 was 653.
Control systems in the energy and utility sector are particularly vulnerable, and as more control systems are connected to the Internet, this cyber vulnerability will increase.
The report cautions: “As this industry connects previously isolated control systems to the internet it becomes increasingly important that a focus on operational technology (OT) does not overshadow the importance of information technology (IT) related threats such as a malware infection that could shut down the power grid.”
According to the paper, Lloyd’s insurance company, along with researchers at Cambridge University, have “estimated potential losses from a cyber crime-induced blackout could hit US$1 trillion.”
The report continues: “Interestingly, in 2014, the Energy sector was the most targeted sub-sector of the nation’s critical infrastructure with 32% of incidents reported.”
According to the ICS-CERT Monitor: “Of the total number of incidents reported to ICS-CERT, roughly 55 percent involved advanced persistent threats (APT) or sophisticated actors. Other actor types included hacktivists, insider threats, and criminals.”
A particular class of vulnerability highlighted by the report was weaknesses in SSL/TLS. The report highlighted exposure to Heartbleed, Freak and Poodle, with Freak and Poodle exposure each rated at over 40% (see graphic).
Freak (Factoring Attack on RSA-EXPORT Keys, CVE-2015-0204) is a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers.
Poodle (Padding Oracle On Downgraded Legacy Encryption) is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0.
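To make the two definitions above concrete from a defender's side, here is an added example (not from the BitSight report or this article) that audits a server's offered protocol/cipher combinations for the two exposures and builds a hardened server-side context that removes both. The scan inventory, the `audit`, `exposure`, `hardened_server_context` and `weak_suites` functions are all constructed for this illustration; the only real API used is Python's standard `ssl` module.

```python
import ssl
from dataclasses import dataclass

# Constructed sample of what a configuration scan of one server might record:
# each entry is a protocol version and a cipher suite the server agreed to
# negotiate. These values are made up for the example, not real scan output.
SAMPLE_INVENTORY = [
    ("SSLv3",   "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("TLSv1.0", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
]


@dataclass(frozen=True)
class Finding:
    issue: str      # "POODLE" or "FREAK"
    protocol: str
    cipher: str


def audit(inventory):
    """Return one Finding per (protocol, cipher) pair that creates exposure to
    POODLE (any SSL 3.0 offer) or FREAK (any RSA_EXPORT suite offer)."""
    findings = []
    for proto, cipher in inventory:
        # POODLE: SSL 3.0's CBC padding is not covered by the MAC, so a
        # man-in-the-middle who can force the fallback gets a padding oracle.
        # The fix is to stop offering SSL 3.0 at all, whatever the cipher.
        if proto == "SSLv3":
            findings.append(Finding("POODLE", proto, cipher))
        # FREAK: a server willing to negotiate an export-grade RSA suite can be
        # steered into a 512-bit key that is factorable offline.
        if "_EXPORT" in cipher:
            findings.append(Finding("FREAK", proto, cipher))
    return findings


def exposure(inventory):
    """Set of issue names present in the inventory, e.g. {"FREAK", "POODLE"}."""
    return {f.issue for f in audit(inventory)}


def hardened_server_context():
    """Server-side SSLContext that removes both exposures: TLS 1.2 minimum
    (no SSL 3.0, so no POODLE) and an explicit cipher string that excludes
    export, RC4, 3DES and MD5 suites (no FREAK). Standard-library ssl only."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!EXPORT:!RC4:!3DES:!MD5")
    return ctx


def weak_suites(ctx):
    """Names of any export/RC4/3DES suites the context would still offer;
    an empty list means the cipher string did its job."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(tag in c["name"] for tag in ("EXPORT", "RC4", "3DES"))]


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.issue}: {f.protocol} {f.cipher}")
    print("weak suites left in hardened context:", weak_suites(hardened_server_context()))
```

Run as a script, the audit reports the SSLv3 row as POODLE exposure and the RSA_EXPORT row as FREAK exposure, while the TLS 1.2 AES-GCM row passes; the hardened context lists no weak suites. The same `audit` function can be run over real scanner output once it is mapped to (protocol, cipher) pairs.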
Says Stephen Boyer, CTO of BitSight: “There is no question that energy and utility systems are vulnerable and will be attacked.
“Organizations will never be able to protect against everything, but they need to continuously monitor their security posture in order to identify and mitigate issues before too much damage is done.”
He adds: “Benchmarking can also serve as a key indicator of security performance, allowing an organization to better understand their own posture, as well as that of the third parties with which they share their data. Given recent headlines that illustrate this security gap, we must look beyond our own companies and focus attention on those that access our information.”