'Alarming' gaps in Kiwi security leave critical infrastructure open
A new survey shows 86% of critical infrastructure providers in New Zealand and Australia have had at least one security breach in the past year resulting in lost confidential information or disrupted operations.
The ANZ figure is higher than the global average, of nearly 70% reporting at least one security breach that lead to the loss of confidential information or disruption of operations.
The Ponemon Institute survey, commissioned by Unisys, included 49 business and IT decision makers at companies responsible for power, water and other critical functions across Australia and New Zealand as part of a global survey, and found only 10% of ANZ respondents described their organisation's IT security programme or activities as mature.
Only 18% of ANZ respondents saw security as one of their top five strategic priorities. Ironically, 65% cited minimising downtime as their top business priority.
John Kendall, Unisys Asia Pacific security program director, says it's surprising so many utilities have not made security a strategic business priority, and says he hopes the survey results serve as a wake-up call to critical infrastructure providers to take a much more proactive, holistic approach to securing their IT systems.
Those who had suffered a data breach in the past year most often attributed the breach to an internal accident or mistake (50%) or negligent insiders (21%).
Despite that, only 6% of respondents said they provide cyber security training for all employees.
Almost half (48%) said they had suffered security incidents due to use of insecure networks, with 33% caused by unmanaged mobile devices and employee use of social networks.
The survey, Critical Infrastructure: Security Preparedness and Maturity, also found that 67% of ANZ respondents anticipated one or more serious attacks in the coming year.
Negligent insiders (47%), denial of service attacks (41%) and system glitches (39%) were listed as top security threats, with encryption of data in motion, automated code review and debuggers and data loss prevention systems cited as the technologies most effective to foster security objectives.
Kendall notes that the increased dependence of critical infrastructure on IT systems, and the interconnectedness of those systems, means utilities are increasingly vulnerable to cyber security failures that can result in data breaches or downtime.
“What's more, failure in one area of infrastructure can create outages in others, in a domino effect," Kendall adds. “In this region, we know the flow-on impact of outages caused by natural disasters like floods, bush fires and earthquakes.
“It is therefore essential to prevent further outages and breaches caused by cyber security failures.”
The survey also highlighted concerns regarding the security of industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, which monitor and control the processes and operations for power generation and other critical infrastructure functions.
When asked about the likelihood of an attack on their organisation’s ICS or SCADA systems, 79% of the ANZ senior security officials responded that a successful attack is at least somewhat likely within the next 24 months.
Just 4% of ANZ respondents (compared to 21% globally) thought that the risk level to ICS and SCADA has substantially decreased because of regulations and industry-based security standards, which means that tighter controls and better adoption of standards are needed.