February 2017, Vol. 244, No. 2

Features

Energy Sector IT Professionals Overconfident in Capabilities as Attacks Increase

Tripwire, Inc., a Portland, OR-based global provider of security and compliance solutions for enterprises and industrial organizations, recently announced the results of an extensive study conducted for Tripwire by Dimensional Research. The study evaluated the confidence of information technology (IT) professionals regarding the efficacy of seven key security controls, which must be in place to quickly detect a cyberattack in progress. Study respondents included 763 IT professionals from various industries, including 100 participants from the energy sector.

According to the federal Department of Homeland Security, the energy sector faces more cyberattacks than any other industry. Despite the frequency in attacks, energy IT professionals participating in the survey were very confident in their ability to collect the data needed to detect a cyberattack. For example, 72% of energy respondents believe they could detect configuration changes to endpoint devices on their organization’s network within hours.

However, over half (52%) said their automated tools did not pick up all the necessary information, such as the locations, department and other critical details needed to quickly identify unauthorized configuration changes to endpoint devices that can indicate an attack in progress.

“These results show that most security professionals are assuming they are doing the right things to secure their environments, but lack real-world data to back up their assumptions,” said Travis Smith, senior security research engineer for Tripwire. “This highlights the importance of testing security controls to ensure they are functioning as expected. It’s not enough to install security tools throughout the environment. You must test the policies and procedures to be confident the controls in place will stop or detect real-world intrusions.”

Additional findings from the study include:

• 73% of energy respondents believe they could detect unauthorized software added to the organization’s network within hours, but only 59% know exactly how long the detection process would actually take.
• 84% of energy respondents believe they would receive alerts within hours if their vulnerability scanning systems detected unauthorized devices. However, over half (52%) did not know how long it took to generate these alerts.
• 44% of energy respondents said that less than 80% of patches succeed in a typical patch cycle.
• 40% of energy respondents did not know how long it took to generate an alert if a system fails to log properly, however 95% assumed a report would be generated within hours.

“The energy sector has made significant improvements in securing their slice of the nation’s critical infrastructure, but broader adoption of security best practices is still lacking,” said Tim Erlin, director of IT security and risk strategist for Tripwire. “While dedicated security staff is intimately familiar with the deployed capabilities and gaps, IT at large is often working on assumptions of protection.”

Tripwire’s study is based on seven key security controls required by a wide variety of compliance regulations, including PCI DSS, SOX, NERC CIP, MAS TRM, NIST 800-53, CIS Top 20 and IRS 1075. These controls also align with the United States Computer Emergency Readiness Team (US-CERT) recommendations and international guidance, such as the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions.

The recommendations and guidance include:

• accurate hardware inventory
• accurate software inventory
• continuous configuration management and hardening
• comprehensive vulnerability management
• patch management
• log management, and
• identity and access management

When implemented across an organization, these controls deliver specific, actionable information that is necessary to defend against the most pervasive and dangerous cyberattacks. Before any damage is done, it is vital for organizations to identify indicators of compromise quickly so that appropriate action can be taken.