Study Highlights Infrastructure Risks

By John Wagley

01 August 2012

Print Issue: August 2012

A BIENNIAL REPORT that looks at how well various industries manage risk and guard against cyberattacks has found that critical infrastructure, including the energy and utilities sectors, is among the lowest ranked of the group. This finding comes at a time of heightened debate in Washington surrounding the strengthening of infrastructure security.

The energy and utilities industries had the lowest rating on a number of indicators that are important for enterprise security governance, according to the report, How Boards & Senior Executives Are Managing Cyber Risks.

The data is compiled by Carnegie Mellon University from a survey of senior directors and boards of directors. Among the issues is that infrastructure companies have fewer risk and security committees, separate from audit committees, on their boards of directors. They also place a much lower value on board member IT experience compared to other sectors, “which is puzzling since their operations are so dependent upon complex supervisory and control systems,” the report authors write.

None of the energy and utilities companies in the survey said that they addressed security as it related to vendor management. This compared to rates of 28 percent and 15 percent in the financial and IT/telecom sectors, respectively.

The financial services industry had the highest level of enterprise risk management. When it comes to risk management, energy and utility companies are “just not doing what they’re supposed to be doing,” says report author Jody Westby.

The issue of critical infrastructure protection has been in the spotlight. One leading bill in the Senate, the Cybersecurity Act of 2012, would require infrastructure companies to work with the Department of Homeland Security to develop and meet minimum cybersecurity standards. The bill would also require greater information sharing among companies and the government about cyberthreats and security compromises.

There is opposition to the bill from both sides. On one side are those who support regulation but want stronger privacy protections. The Electronic Frontier Foundation, for example, recently wrote in a statement that the legislation “uses dangerously vague language to define ‘cybersecurity threat indicators' (information that companies can share with the government), leaving the door open to abuse (intentional or accidental) in which companies share protected user information with the government without a judge ever getting involved.”

On the other side are opponents of any additional regulations. For example, Sen. John McCain (R-AZ), speaking at a recent Homeland Security and Government Affairs Committee hearing on the legislation said, “The regulations that would be created under this new authority would stymie job creation, blur the definition of private property rights, and divert resources from actual cybersecurity to compliance with government mandates.” McCain has sponsored legislation, the Secure IT Act, which would rely more on incentives to get businesses to act, but the bill does not seem to have as much support as the Cybersecurity Act.

The Carnegie Mellon study offers 12 main recommendations for improving security governance. One is to establish a standalone risk committee responsible for enterprise risks including IT. Another is to ensure that privacy and security roles in organizations are separated, with appropriately assigned responsibilities. The report also recommends that privacy, IT, and security executives report independently to senior management.

An additional recommendation is to have cross-organizational teams that meet at least monthly to coordinate and communicate on privacy and security issues. Such teams should include senior managers in areas including human resources, public relations, and law as well as senior managers from IT, privacy, security, and financial divisions.