
Archive for the ‘Security clients’ Category

You Want Scary? “Utility Cybersecurity is in a State of Near Chaos”

 



Those incendiary words are courtesy of a recent Pike Research (now called Navigant Research) study.  Bottom line: It suggests that a dirt cheap smartphone app could wirelessly communicate with a targeted command-and-control computer system — one that utilities rely upon — to cause unimaginable havoc.

What kind of catastrophe are we talking about?  Some U.S. officials foresee cyber-attacks that could take down a utility servicing millions of people and render them powerless. For months.

The way PG&E’s Chief Information Security Officer, James Sample, sees it, “We will see catastrophic outages. We are dealing with a very intelligent adversary.”

But despite the doomsday warnings, have utility companies stepped up their security measures?  Not according to many security specialists.

Why not? Looking at the issue from a purely monetary standpoint, by some estimates upgrading utility security could cost upwards of $14 billion. But from a preparedness standpoint, are utilities in a serious state of denial about the realities and potential impact of cyber-terrorism?

Some vocal critics say yes. Consider what Dale Peterson, CEO of Digital Bond, a firm that evaluates the security posture of utilities and other companies, told the San Jose Mercury News: “[Utilities] just want to kind of pretend the problem doesn’t exist. So it might take some really tragic thing with some huge disruption of people’s lives before something gets done.”

So how many wake-up calls are needed to compel utilities to step up their security act?  The U.S. Department of Homeland Security has already reported infiltrations of oil and natural gas pipelines and electric power organizations.  Out of 198 cyber-incidents reported, 41% targeted energy companies, 15% were aimed at water-related firms and six included the “nuclear sector”.  Yes, it is that scary.

The California Public Utilities Commission warns that utilities are increasingly vulnerable by way of smart meters and the smart grid.  The same CPUC study reports: “(Eighty) to 90 percent or more of the electric infrastructure currently does not fall under any required standards and that cyber-security practices of the utilities are not monitored.”

If this doesn’t scare the hell out of you, consider the sobering findings from a survey conducted by risk management specialists nCircle, which asked 104 energy security professionals whether their smart meter installations were adequately protected from hackers: 61% said, “No.”

As content specialists in security, Write Angle would like to hear why security companies aren’t making more noise about the vulnerability of utilities.  We’d love to hear from you.

Is BYOD dead?

 

 


 

It’s an interesting question we were asked to address in developing a recent white paper on behalf of our client AppSense.

While first-generation solutions to the BYOD problem have focused on locking down personal and corporate-owned devices, it’s become increasingly clear that IT departments have been mostly unprepared for the explosion of mobile computing and the avalanche of apps coinciding with the mobile revolution.

Recent studies estimate that 200 million workers are using mobile apps for business today. This strongly suggests that the consumer mobile experience has paved the way for the mobile workforce not only to expect, but demand access to data and apps from anywhere.

What does this all mean in the grand scheme of things?  Forward-looking organizations are moving from a lock-down approach to providing users access to apps and data they demand and require, anytime and anywhere.

AppSense dubs this new approach “BYOX” –  providing security and control anywhere they’re needed, regardless of device, without adversely affecting the user experience.

Check out our “nine big ideas” that will be instrumental in driving the next generation of mobility management solutions.

Small mistakes cause big security breaches

 


We do a lot of work for IT security clients. And the numbers we hear numb the brain. Security researcher Ponemon Institute LLC (not a client) says that almost nine out of ten U.S. companies have suffered at least one security breach. Many don’t even know if or when they’ve been hit.

The cost to businesses of exposing data like Social Security and credit-card numbers climbed seven percent between 2010 and 2011 to an average of more than $7 million per incident, according to a study of victim companies. The most expensive attack of 2010 cost an unidentified company $35.3 million, an increase of 15 percent from the costliest breach a year earlier. It was so bad the name of the company remains confidential so as not to alarm customers. While government agencies must be notified, attacks on and losses by many large corporations are never publicly revealed.

Costs rise as more states pass laws requiring companies to disclose whenever customers’ personal information is exposed. As of 2011, 46 U.S. states had passed such measures, with varying definitions of a breach, deadlines for notifying customers and punishments for failing to comply. Still, the attacks and the cost of fending them off grow unabated. What’s going on here?

Happily for our clients, business is brisk. Still, one of them admits that the seemingly low return on corporate America’s security dollar is being viewed with growing frustration and alarm at the board level. “Companies who question their return on the millions of dollars they’ve invested in IT defenses have every right to be angry,” he said. Of course, our clients have a vested interest in encouraging the upgrade of aging defenses so easily overcome by cyber-criminals today.

We can’t help noticing the irony here. Computer security is a multi-billion industry employing some of the most brilliant technologists on the planet. They labor hard to stay a step ahead of the bad guys who, just like terrorists, only have to be successful once, while techno-sleuths and defenders must succeed 100% of the time. Yet, as found by Verizon and reported yesterday in Network World, in 97% of breaches last year, attackers used remarkably simple methods to break in.

In other words, many organizations are overlooking basic precautions even as their security systems grow more complex. In four out of five attacks on businesses last year, bad guys preyed on so-called victims of opportunity. Like muggers who look for an unsuspecting or distracted target in crimes of opportunity, cyber-attackers scan for companies who may not be properly utilizing the defenses they have or whose passwords fail the tough-to-guess test.

To us in the business of marketing some truly amazing preventive technology, Verizon’s findings are a real eye-opener.  Here’s hoping they can open more corporate-security eyes as well.  The chain around the company’s digital assets is only as strong as the weakest link.  And the bad guys know how to find it.