A biennial report that looks at how well various industries manage risk and guard against cyberattacks has found that critical infrastructure, including the energy and utilities sectors, is among the lowest ranked of the group. This finding comes at a time of heightened debate in Washington surrounding the strengthening of infrastructure security.
The energy and utilities industries had the lowest rating on a number of indicators that are important for enterprise security governance, according to the report, How Boards & Senior Executives Are Managing Cyber Risks.
The data is compiled by Carnegie Mellon University from a survey of senior directors and boards of directors. Among the issues is that infrastructure companies have fewer risk and security committees, separate from audit committees, on their boards of directors. They also place a much lower value on board member IT experience compared to other sectors, “which is puzzling since their operations are so dependent upon complex supervisory and control systems,” the report authors write.
None of the energy and utilities companies in the survey said that they addressed security as part of vendor management. By comparison, 28 percent of financial-sector companies and 15 percent of IT/telecom companies said they did.
The financial services industry had the highest level of enterprise risk management. When it comes to risk management, energy and utility companies are “just not doing what they’re supposed to be doing,” says report author Jody Westby.
The issue of critical infrastructure protection has been in the spotlight. One leading bill in the Senate, the Cybersecurity Act of 2012, would require infrastructure companies to work with the Department of Homeland Security to develop and meet minimum cybersecurity standards. The bill would also require greater information sharing among companies and the government about cyberthreats and security compromises.