Study: Energy, Utilities Struggle with Security Readiness

Finance firms did the best in Bitsight's study of security readiness. Educational organizations fared the worst.
Finance firms did the best in Bitsight’s study of security readiness. Educational organizations fared the worst.

In-brief: a survey of key sectors found that energy and utilities firms are struggling to reduce their risk of an attack.

A study of security readiness by the firm BitSight finds that companies in key sectors including energy, utilities and education are struggling to secure their information technology infrastructure, potentially opening the door to malicious attacks.

The report, released on Tuesday, assessed the security of organizations across key verticals, looking for signs of weak security, including the the presence of systems vulnerable to known issues such as Heartbleed and Poodle. The energy and utilities firms ranked similarly to the troubled healthcare industry in protecting their networks against cyber attacks. Organizations in the education field exhibited the poorest security posture, the company found.

BitSight provides security risk ratings for companies and rates over 30,000 companies daily, then creates industry-specific metrics and benchmarks. The company surveyed 3,832 firms in the finance sector, 1,980 education institutions and 1,660 healthcare firms, as well as 1,012 energy and utilities firms. The company rates firms on a scale that ranges between 250 and 900, with higher rankings indicating better security. Companies are rated based on security events -observed compromises on a organization’s network – and evidence of due diligence in anticipating and preventing attacks. The frequency, severity, and duration of security incidents also figure into BitSight’s ratings.

an image of a metal tower of Power Lines
Energy and utilities firms performed poorly in a survey of security risk posture.

Universities and other educational institutions fared the worst among the industries Bitsight surveyed, despite the fact that they store high value information and have been the targets of sophisticated attacks, according to the report.

The industry’s rating as of August 1 was a low 630, compared to an average of 730 for the finance sector, which performed the best in Bitsight’s survey.

Education networks are challenged by having to support large student populations and a diversity of endpoint devices. But educational institutions also performed the worst in basic hygiene such as remediation of Heartbleed and other SSL vulnerabilities. Twenty three percent were found to still be vulnerable to that common and exploitable flaw, while more than 90% were vulnerable to the Poodle vulnerability.

Energy and utilities firms also rated low, with an average score of 690, slightly lower than its score in the same report last year. Energy and utility companies need to shore up their servers to protect against SSL vulnerabilities, though just 5% were vulnerable to Heartbleed. However, well documented and advanced attacks targeting firms in the energy sector make the problem more acute, Bitsight said.

Organizations in the healthcare sector also lagged behind finance firms and other sectors and were the second worst industry performer as an industry – not that surprising given headlines about major breaches at health insurers in the last  year. BitSight said the industry’s performance was “stagnant” in the last year, with a security rating that is practically unchanged at 687 and a high percentage of firms vulnerable to known vulnerabilities like Freak (43.4%) and Poodle (73.5%).

Surprisingly: the government sector was the second highest rating industry vertical studied by Bitsight – that, despite the recent breach at the Office of Personnel Management. Despite the dire news about the OPM breach, federal agencies and government organizations have better security overall, possibly do to the influence of federal regulations and guidelines for securing government networks, such as FISMA.

Read more over at Bitsight’s blog.