Only 28% of firms feel security is a strategic priority.
Utility are unprepared deal with both internal and external threats, despite nearly 70% of them having reported a security breach in past year, according to a report.
In the survey conducted by the Ponemon Institute on behalf of IT services company Unisys, only 28% of utilities companies said that security is in the top five strategic priorities for their organisation, while the majority of them consider minimising downtime as priority.
Among those surveyed, 64% anticipate that their organisations could face one or more serious attacks in the coming year.
Ponemon Institute chairman and founder, Dr. Larry Ponemon, said: "The findings of the survey are startling, given that these industries form the backbone of the global economy and cannot afford a disruption."
"While the desire for security protection is apparent among these companies, not nearly enough is actually being done to secure our critical infrastructure against attacks."
The survey sampled 599 security executives from utility, oil and gas, energy and manufacturing companies, and it found that only one in six organisations' IT security programme is mature.
Out of those who have reported a data breach inthe past year, most blamed it on an internal accident or mistake, and negligent insiders.
However, despite the looming threat within, only 6% said that they have a mechanism in place to provide training to employees.
Unisys chief information security officer, Dave Frymier, said: "Whether malicious or accidental, threats from the inside are just as real and devastating as those coming from the outside.
"We hope the survey results serve as a wake-up call to critical infrastructure providers to take a much more proactive, holistic approach to securing their IT systems against attacks. Action should be taken before an incident occurs, not just after a breach."
About 78% of the firms said that there is a good chance of a successful attack on the ICS and SCADA system within the next 24 months.