An overwhelming majority of the critical infrastructure (CI) sector has suffered an email-related security breach over the past 12 months.
A study, by Osterman Research and commissioned by CI security vendor OPSWAT, revealed that 80% of organizations were victims of an email-based security breach.
Even as criminal hackers target the sector, CI businesses appear to be failing to protect their systems. Osterman Research found that 75% of cyber-threats to critical infrastructure arrived by email.
However, 63.3% of organizations said they believed their email security needs improving, and 48% “lacked confidence” in their existing email defenses.
The researchers found that email was the primary vector for attacking the CI sector, with threats coming via phishing, malicious links or attachments with malware. Yet, over half of organizations assumed that emails contained no threat.
Connected Systems
The risks are made worse, Osterman said, because key systems in critical infrastructure, especially operational technology, are now more likely to be connected to general-purpose IT networks and to the internet.
“IT networks and OT (operational technology) networks are increasingly linked. Significantly fewer OT networks are still air gapped, and the digital transformation activities of the past decade has resulted in OT networks being connected to the Internet,” the researchers wrote.
This allows a successful email attack to spread, not just laterally across the victim’s IT systems but also on and into OT networks.
Osterman Research found that phishing attacks, leading to compromised credentials, were the most common incident, followed by compromises of Microsoft 365 credentials. Data leakage was the third most common problem.
In addition, the researchers uncovered high levels of non-compliance among CI organizations. Only just over one in three organizations (34.4%) believed they are fully compliant. Only 28% of EMEA organizations thought they were fully compliant with GDPR.
Rising Threats
The research comes as critical infrastructure organizations expect the threats against them to rise. Two thirds of respondents expect phishing attacks to increase in the next year, and 40% expect to see more nation-state backed attacks.
Read more about CI threats: CISA Warns Critical Infrastructure Leaders of Volt Typhoon
“Email attacks have continued to rise over the past few years, particularly targeting critical infrastructure organizations. Not only are attacks more frequent, but they are evolving to bypass traditional security measures, making it clear that email remains the primary attack vector for cybercriminals,” Itay Glick, VP of products at OPSWAT, told Infosecurity.
“Email security often gets overlooked because many organizations operate under the assumption that basic protections, like spam filters or standard anti-malware, are sufficient,” Glick explained.
“It is often only after a successful breach that email security receives the attention it deserves, by which time the damage is already done.”