Critical Infrastructure at Risk From Email Security Breaches

Over the past 12 months, the majority of the critical infrastructure (CI) sector has suffered an email-related security breach.

A study by Osterman Research, commissioned by CI security vendor OPSWAT, revealed that 80% of organizations were victims of an email-based security breach.

Even as criminal hackers target the sector, CI businesses fail to protect their systems. Osterman Research found that 75% of cyber threats to critical infrastructure arrived by email.

However, 63.3% of organizations believed their email security needed improving, and 48% “lacked confidence” in their existing email defences.

The researchers found that email was the primary vector for attacking the CI sector, with threats coming via phishing, malicious links, or malware-laden attachments. Yet, over half of organizations assumed that emails contained no threat.

Connected Systems

Osterman said the risks are made worse because key systems in critical infrastructure, especially operational technology, are now more likely to be connected to general-purpose IT networks and the Internet.

“IT networks and OT (operational technology) networks are increasingly linked. Significantly fewer OT networks are still air-gapped, and the digital transformation activities of the past decade have resulted in OT networks being connected to the Internet,” the researchers wrote.

This allows a successful email attack to spread laterally across the victim’s IT systems and on into OT networks.

Osterman Research found that phishing attacks, leading to compromised credentials, were the most common incident, followed by compromises of Microsoft 365 credentials. Data leakage was the third most common problem.

In addition, the researchers uncovered high levels of non-compliance among CI organizations. Only just over one in three organizations (34.4%) believed they were fully compliant with GDPR, and only 28% of EMEA organizations thought they were fully compliant.

Rising Threats

The research comes as critical infrastructure organizations expect threats against them to rise. Two-thirds of respondents expect phishing attacks to increase in the next year, and 40% expect to see more nation-state-backed attacks.

“Email attacks have continued to rise over the past few years, particularly targeting critical infrastructure organizations. Attacks are more frequent and evolving to bypass traditional security measures, making it clear that email remains the primary attack vector for cybercriminals,” Itay Glick, VP of products at OPSWAT, told Infosecurity.

“Email security often gets overlooked because many organizations operate under the assumption that basic protections, like spam filters or standard anti-malware, are sufficient,” Glick explained.

“It is often only after a successful breach that email security receives the attention it deserves, by which time the damage is already done.”

Source: https://www.infosecurity-magazine.com/news/critical-infrastructure-email/
