Two-thirds of energy firms at risk from Stuxnet-like Scada attack

Over 75 per cent of global energy companies have suffered from at least one data breach over the past 12 months, with two-thirds potentially exposing themselves to a Stuxnet-like attack because they do not employ state-of-the-art supervisory control and data acquisition (Scada) security, according to a new study from Q1 Labs.

The State of IT Security: Study of Utilities & Energy Companies report was carried out by the Ponemon Institute, and showed a worrying disconnect between the attitudes of C-level executives and those involved in day-to-day IT security.

Nearly three-quarters of information security executives interviewed said that their executive management team does not understand or appreciate the value of IT security.

"One of the scariest points that jumped out at me is that it takes, on average, 22 days to detect insiders making unauthorised changes, showing just how vulnerable organisations are today," said Larry Ponemon, founder of the Ponemon Institute.

"These results show that energy and utilities organisations are struggling to identify the relevant issues that are plaguing their company from a security perspective. They have to bridge the gap between operations and IT, and make IT security a top priority within the organisation."

Some 43 per cent of respondents said that malicious insiders were the number one cause of data breaches, but the more worrying statistic was the 67 per cent who are not using what would be considered "state-of-the-art" technologies to minimise risks to Scada networks.

Scada systems are commonly found in energy stations, factories and manufacturing plants where they play a key role in controlling machinery.

Since the discovery of the Stuxnet worm in 2010, which was thought to have targeted specific nuclear plants in Iran, the potential security risks posed by Scada systems have come under the spotlight.

These were further accentuated after security researcher Luigi Auriemma last month released details of 34 vulnerabilities in the Scada systems of four separate manufacturers.