According to the results of a recent Tripwire survey of more than 150 IT professionals in the energy, utilities, and oil and gas industries, 82 percent of respondents said a cyber attack on operational technology (OT) in their organization could cause physical damage.
The survey, conducted in November 2015 by Dimensional Research, also found that almost 60 percent of respondents said they aren't able to track all the threats targeting their OT networks, either because they don't have the visibility necessary to track all threats (16.2 percent), because they only track threats that directly target their department (8.1 percent) or because there are just too many threats (35.4 percent).
"After hundreds of years protecting our nation's geographic borders, it is sobering to note that possibly the most vulnerable frontier happens to be the infrastructure that runs the largest companies in the country," Rekha Shenoy, vice president and general manager of industrial IT cyber security for Tripwire parent company Belden, said in a statement.
Seventy-six percent of respondents said their organization is a likely target for a cyber attack that would cause physical damage, and 78 percent said their organization is a potential target for a nation-state cyber attack.
"The incredibly high percentages of these responses underscores the need for these industries to take material steps to improve cyber security," Tripwire director of IT security and risk strategy Tim Erlin said in a statement. "These threats are not going away. They are getting worse."
"There can be no doubt that there is a physical safety risk from cyber attacks targeting the energy industry today," Erlin added. "While the situation may seem dire, in many cases there are well understood best practices that can be deployed to materially reduce the risk of successful cyber attacks."
A separate Tripwire survey of 763 U.S. IT professionals, also conducted by Dimensional Research, found that 47 percent of respondents in the energy sector admitted having a success rate of less than 80 percent in a typical patch cycle.
Only 23 percent of all respondents said that 90 percent of the hardware assets on their organizations' networks are automatically discovered, and almost two-thirds of all respondents weren't sure how long it would take for automated tools to generate an alert if they detected an unauthorized device on the network.
"It’s good news that most organizations are investing in basic security controls; however, IT managers and executives, who don’t have visibility into the time it takes to identify unauthorized changes and devices, are missing key information that’s necessary to defend themselves against cyber attacks," Erlin said.
Recent eSecurity Planet articles have examined 10 open source security breach prevention and detection tools and offered advice on securing corporate data in a post-perimeter world.
Photo courtesy of Shutterstock.