While every organization across every vertical faces the risk of experiencing a cyberattack, certain industries are notably vulnerable to being targeted by threat actors, particularly those in critical infrastructure sectors.
Organizations that deliver essential services are attractive targets for a few reasons. Attacks on sectors such as energy, transportation, and healthcare can severely disrupt society, making them especially lucrative since these organizations are often more likely than others to pay substantial ransoms to restore operations and minimize downtime. Many critical infrastructure organizations are also understaffed, rely on legacy systems that are vulnerable to criminal exploitation, and involve extensive supply chains that attackers can target as initial entry points.
Threat actors are using a number of attack tactics to target critical infrastructure organizations, but email compromises still stand as some of the most common and, unfortunately, successful methods.
Because most people still use email, it offers criminals a fairly open channel to target a limitless number of users. Email was never designed with security in mind, and most people use it to communicate, collaborate, and share information with trusted parties daily, so its blanket of trust extends quite widely. Attacks like business email compromise (BEC) and vendor email compromise (VEC) purposefully exploit that trust by impersonating trusted identities and using social engineering to manipulate targets into completing fraudulent transactions or divulging sensitive information.
We recently evaluated how these types of attacks impact critical infrastructure industries, including the energy, infrastructure, and automotive sectors.
Attacks and suspicious activity targeting U.S. power stations reached a decade-long high in 2022, and concerns about sabotage persist today. FBI Director Christopher Wray warned earlier this year that Chinese hackers might target critical U.S. infrastructure such as water treatment plants, electrical grids, and pipelines.
When looking at the volume of attacks over the last year, energy and infrastructure organizations were a top target for VEC attacks, with 65% in this industry experiencing a VEC attempt between February 2023 and January 2024. That's a higher rate than organizations in the healthcare, finance, or technology industries, which are often considered the most popular targets for VEC.
The complex supply chains and extensive networks of third-party vendors in energy and infrastructure could be to blame for this high rate of VEC attacks. Cybercriminals know it's difficult to defend these sprawling networks, and because these organizations regularly transfer significant sums of money, they're high-value targets for cybercriminals.
This sector also experienced an 18% year-over-year increase in BEC attacks. While BEC attacks may not account for a large percentage of all advanced attacks, they pose a significant risk. Cybercriminals only need one BEC attack to succeed and ultimately acquire funds or sensitive information.
The Cybersecurity and Infrastructure Security Agency (CISA) defines the manufacturing sector, including automobile manufacturing, as one of the critical infrastructure sectors. When looking at how email compromises affect this industry, we found that BEC attacks against automotive businesses increased 70% between September 2023 and February 2024. VEC attacks were similarly elevated during the same six-month time period, with 63% of automotive customers experiencing at least one VEC attack. That's a higher rate than other vulnerable industries, including energy and infrastructure, hospitality, and finance, during the same timeframe.
Why are automotive companies such attractive targets? For one, automotive groups rely on complex supply chains and large vendor ecosystems, offering attackers plenty of third parties to impersonate via VEC attacks. Second, high-value transactions for parts and inventory are common, and threat actors are always looking for the most lucrative opportunities.
A notable attack that targeted auto parts supplier Toyota Boshoku a few years ago involved threat actors using an email scam to manipulate an employee into changing bank account information for a wire transfer, resulting in a loss of $37 million.
Traditional phishing attacks are alive and well in this sector, too. The infamous cybercrime syndicate known as FIN7 has recently been linked to a spear-phishing campaign targeting the U.S. automotive industry, aimed at individuals in the IT department with higher levels of administrative rights, to install a backdoor and gain an initial foothold.
How to protect against email attacks in critical infrastructure
Regardless of the industry, CISOs need to secure email because it's still a major threat vector. There are some foundational protections that every organization should have in place, including continued security awareness training. Employees should always stay vigilant for urgent requests for sensitive information, poor spelling and grammar, or malicious links.
Companies also need to provide awareness training that's specific and tailored to each individual, including helping them understand specifically why, or why not, an email is malicious. Since it only takes one successful attack to create a significant event, organizations shouldn't just rely on having savvy users who can spot phishing emails.
Email remains one of the easiest ways to infiltrate an organization, and for critical infrastructure sectors, the consequences of an email attack are often devastating. By having the right tools and training, companies can protect their employees and data from this dangerous threat.
Mike Britton, chief information security officer, Abnormal Security