Despite the data breach headlines, it turns out that the energy and utilities sector is performing lower than the retail vertical. Over the past year, BitSight researchers noted a dip in the performance of energy and utility companies, which have an average rating of 652 in the third annual BitSight Insights Industry Benchmark report. In response to this news that the energy and utilities sector is performing lower than the retail vertical in terms of cyber security, security experts from ESET and Tripwire commented on it.
[su_note note_color=”#ffffcc” text_color=”#00000″]Mark James, Security Specialist at ESET :
“This particular story is aimed around the United States energy companies, but it is also very worrying for our energy and indeed far too many large corporations in the UK. A lot of companies, both large and small, still have Windows XP machines in their infrastructure.
As we all know, Windows XP was released for general use in October 2001; that’s 14 years ago! It was declared End of Life by Microsoft themselves in April 2014 and, at that time, it was estimated that over one billion copies were sold.
Now, I hear you say “does that really matter?” YES it really does. Criminals, bad guys, hackers, malware writers and many more undesirable individuals have written software to manipulate and attack Windows XP over the years. With Microsoft producing patches and updates, this was largely kept at bay as best they could manage, but now no one is patching or fixing any vulnerabilities, exploits, loopholes or backdoors, so the malware users and writers have full reign without worry about being stopped from the Operating System.
I understand the costs involved in moving operating systems is huge, but surely the impact and damage that a full scale malware attack can produce is far worse? Not to mention your very important role of protecting our data. Far too many times when out using retail establishments, I am still seeing Windows XP on POS terminals taking, passing and storing my very important information into its unguarded hardware within.”[/su_note]
[su_note note_color=”#ffffcc” text_color=”#00000″]Tim Erlin, Director of Security and Risk at Tripwire :
“The energy and utility industry has several unique challenges, including a large number of legacy devices that are simply hard to update and patch. As these systems are increasingly connected to modern networks, their previously obfuscated risks surface. The industrial control systems often use non-standard protocols, which current security tools may not handle well. A security administrator for a utility faces a triple threat of challenges: hard to update devices, severe consequences for downtime, and fewer tools in the market to help.
It shouldn’t be surprising that healthcare and energy are closely aligned in their security performance. Both sectors face challenges from networked, embedded devices. Both sectors have primary missions focused on safety and reliability above all else. These two sectors differ in attacker motivation, however. Healthcare is attractive to attackers because of the data available, but energy companies aren’t storing the same types of personal information. For energy, there’s a substantial risk from enemy nation-states, while healthcare has to worry more about organized cybercrime.”[/su_note]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.