by Barbara Vergetis Lundin – Smart Grid News – April 15, 2015:

Although utilities cannot predict a cyberattack, there is no question that they should at least be ready.

Security rating company BitSight Technologies has released a report in which utilities rank the worst, warning of the threat of botnets and examining the link between botnets and publicly disclosed data breaches across industries. The study focused on publicly disclosed breaches because these have the greatest impact on organizations in terms of personally identifiable information (PII) loss, subsequent customer notification, forensic investigation, and damage to reputation.

In particular, the report revealed that companies with a botnet grade of ‘B’ or lower are more than twice as likely to experience a publicly disclosed data breach.

“The implications for organizations across industries are that botnet infections cannot be ignored. Companies with lower botnet grades are clearly at greater risk for a publicly disclosed breach than those with the highest grade,” said Stephen Boyer, co-founder and chief technology officer of BitSight.


For the report, BitSight examined the ratings and risk vectors of 6,273 companies with 1,000 or more employees, of which 199 (3.3 percent) had experienced at least one recent publicly disclosed breach. BitSight Security Ratings range between 250 and 900, with higher ratings indicating better performance. The ratings are built from risk vectors, which include security events (observed compromises on a company’s network) and diligence risk vectors (steps a company has taken to prevent attacks). For each risk vector, an overall letter grade (A-F) is assigned, indicating the company’s performance relative to others. The grade takes into account frequency, severity, and duration (for events) as well as record quality, evaluated against industry-standard criteria (for diligence).


The companies analyzed were divided into two groups — those that had suffered publicly disclosed breaches, and those that had not. Among companies with botnet grades of A, the percentage having breaches was 1.7 percent; for those with a B or lower, the incidence was 3.7 percent. Thus, companies with a botnet grade of B or lower experienced a publicly disclosed breach more than twice as often (2.2 times) as those with As.


Specific to utilities, 52 percent received a botnet grade of B or lower — more than any other industry reviewed. With critical infrastructure at stake, this is a probabilistic indicator that should not be ignored.


“The worst-case scenario would likely be a cyberattack that caused physical damage to critical infrastructure. Such an attack could have widespread consequences for the safety and reliability of something as crucial as the electric grid,” Boyer explained to Smart Grid News. “Although not a utility, there was a recent attack on a German steel mill that caused physical damage to a plant. Such an attack could have broad reaching effects across the economy.”


One particularly malicious botnet observed in utility companies is TDSS, widely considered one of the largest and most complex botnets on the planet. Another botnet observed in the utility industry, but less frequently in others, is Carufax, a Trojan program designed to steal personal data and information.


The issue with utilities is that IT operations in the utility industry have largely focused on reliability and safety, not security, but there are ways that utilities can better arm themselves against malicious botnets.


“Continuous monitoring of control and public-facing systems can help utilities address serious vulnerabilities and threats. It can also prepare them for future security events by helping inform strategic planning of cyber security operations while also considering historical performance,” Boyer told SGN.


Regardless of industry sector, executives, board members and security teams should all be involved in the cyber security planning of an organization.


“As operational systems begin to become Internet-connected, it is increasingly important that stakeholders, from board members to IT professionals, be involved in the planning and execution of a cybersecurity strategy,” Boyer added.


Although they are graded the lowest, utilities are certainly not alone when it comes to cyber threats. For comparison, in the retail industry, 43 percent of companies fall below the A threshold and are at risk of targeted attacks by the Zeus, Dipverdle and ZeroAccess botnets. In healthcare, where Anthem recently made headlines for a major cyber breach, 48 percent of organizations are at risk. In education, including colleges and universities, less than 23 percent have a grade of A; more than 33 percent have an F. BitSight reports that higher education institutions are dealing with a large volume of infections, due to unique challenges such as a multitude of access points and devices running on college networks and a lack of security-focused leadership.


The financial industry — targeted by botnets like Zeus, Sality and Viknok — seems to be most effective at preventing new infections and the best at quickly addressing existing network infections. In fact, 74 percent of finance firms reviewed had an A grade.


For more:
– download the BitSight Insights report “Is Your Company at Risk for a Data Breach? Learn how botnet grades correlate to data breaches”: