Over a dozen utility companies have acknowledged they experience daily attacks, as noted in the Bit9 security blog:
QUOTE: A recent report by Reps. Edward Markey (D-Mass.) and Henry Waxman (D-Calif.) referenced more than a dozen utility companies that acknowledged they experience daily persistent cyber attacks. Although statistically similar to companies in other sectors, there is more concern because a cyber attack on the U.S. energy sector has the potential to be economically devastating and lead to loss of lives.
Even though North American Electric Reliability Corporation (NERC) compliance standards forbid control systems being connected to consumer-facing or administrative networks, NERC’s reach only goes so far, leaving out oversight on important industries such as oil and gas. We hear regularly about “N” million credit card numbers hacked or “Q” million user credentials stolen, despite the fact that almost all of the affected companies were PCI compliant.
When utilities start thinking that compliance = security, that’s a problem. Compliance is a great place to begin the security conversation, but organizations need to go further than what’s mandated. When we think of legacy hardware out in the field that a) needs to be connected to the Internet to receive up-to-date antivirus protection, or b) is not connected to the Internet and therefore has static protection, we have to ask ourselves if these systems are really protected at all.