
Why are email attacks still a major threat to critical infrastructure sectors?

While every organization in every industry is at risk of cyber attack, some industries are particularly attractive to cybercriminals, and critical infrastructure sectors are at the top of that list.

Organizations that provide essential services are attractive targets for several reasons. Attacks on sectors such as energy, transportation and healthcare can severely disrupt society, which makes them profitable: these organizations are more likely than most to pay significant ransoms to restore operations and minimize downtime. Many critical infrastructure organizations are also understaffed, rely on legacy systems that remain vulnerable to attack, and depend on extensive supply chains that attackers can use as initial entry points.

Threat actors use a range of tactics to target critical infrastructure organizations, but email compromise remains among the most common and, unfortunately, most effective methods.

Since almost everyone still uses email, it gives criminals an open channel through which they can reach an enormous number of users. Email was never designed with security in mind, and most people use it for everyday communication, collaboration and sharing information with parties they trust, so the circle of trust around it is wide. Attacks such as business email compromise (BEC) and vendor email compromise (VEC) deliberately exploit this trust: the attacker spoofs a trusted identity (an executive, a supplier, a known contact) and uses social engineering to manipulate the target into approving a fraudulent transaction or revealing sensitive information.

We recently assessed how these types of attacks impact critical infrastructure industries, including the energy, infrastructure and automotive sectors.

Attacks and suspicious activity targeting U.S. power plants reached a ten-year high in 2022, and concerns about sabotage persist today. FBI Director Christopher Wray warned earlier this year that Chinese hackers could attack critical U.S. infrastructure such as water treatment plants, electrical grids and pipelines.

Looking at the number of attacks last year, organizations in the energy and infrastructure industry were the most heavily targeted by VEC attacks: 65% of organizations in the sector experienced at least one VEC attempt between February 2023 and January 2024. This is a higher rate than in healthcare, finance and technology, industries that are often considered the most popular VEC targets.

Complex supply chains and extensive networks of third-party providers in the energy and infrastructure sector may explain the high rate of VEC attacks. Cybercriminals know that such vast networks are difficult to defend, and because these organizations regularly transfer large sums of money to suppliers, they represent valuable targets.

In this sector, the number of BEC attacks increased by 18% year-on-year. While BEC may not account for a large percentage of all advanced attacks, it poses significant risk: cybercriminals need only one BEC attack to succeed in order to obtain funds or sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) designates the manufacturing sector, including automotive manufacturing, as one of the critical infrastructure sectors. Analyzing the impact of email compromise on this industry, we found that the number of BEC attacks on companies in the automotive industry increased by 70% between September 2023 and February 2024. The number of VEC attacks increased by 63% over the same six-month period, and at least 70% of automotive customers experienced at least one VEC attack. This is a higher rate than in other sensitive industries, including energy and infrastructure, hospitality and finance, over the same period.

Why are automotive companies such an attractive target? First, automotive groups rely on complex supply chains and extensive supplier ecosystems, offering attackers a large number of third parties to impersonate through VEC attacks. Second, high-value transactions for parts and inventory are common, and cybercriminals are always looking for the most lucrative opportunities.

A notable attack on auto parts supplier Toyota Boshoku in 2019 involved threat actors using an email scam to manipulate an employee into changing the bank account details for a wire transfer, resulting in a loss of about $37 million.

Traditional phishing also remains effective in this sector. The cybercrime group known as FIN7 was recently linked to a spear-phishing campaign against the U.S. automotive industry that targeted IT staff with elevated administrative privileges in order to install a backdoor and gain an initial foothold.

How to protect against email attacks in critical infrastructure

Regardless of industry, CISOs must secure email, as it continues to be a major threat vector. There are some basic safeguards that every organization should have in place, including ongoing security awareness training. Employees should always be alert to urgent requests for sensitive information or for changes to payment details, to spelling and grammar errors, and to suspicious links.
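The warning signs listed above (a spoofed or lookalike sender, an urgent request, a change to bank details) can also be checked mechanically before a message reaches an inbox. The script below is an added example, not code from this article or from Abnormal Security; it parses a raw message with Python's standard `email` module and flags a lookalike sender domain (edit distance plus common homoglyph swaps such as `rn` for `m`), a Reply-To that points somewhere other than the From domain, urgency language, and payment-change language. The trusted vendor domains, the phrase lists, the "hold for review" rule and both sample messages are constructed for the example and are not drawn from the article.

```python
"""Header and body triage for BEC/VEC-style email (added example, not from the article)."""
from email import message_from_string
from email.message import Message
from typing import Iterable, Optional

# Assumption: domains of vendors this organisation actually pays (constructed list).
TRUSTED_VENDOR_DOMAINS = {"acme-parts.example", "northwind-energy.example"}
# Assumption: phrase lists are illustrative, not a vetted detection corpus.
URGENCY_PHRASES = ("urgent", "immediately", "as soon as possible", "today")
PAYMENT_CHANGE_PHRASES = ("new bank", "bank account", "wire", "routing number", "beneficiary")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values between a sender domain and a trusted one are suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Undo common homoglyph substitutions (rn->m, vv->w, digits for letters).
    Note: trusted domains are compared as-is, so one that legitimately contains 'rn' is a known gap."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))


def lookalike_of(domain: str, trusted: Iterable[str]) -> Optional[str]:
    """Return the trusted domain that `domain` appears to impersonate, or None."""
    trusted = set(trusted)
    if domain in trusted:
        return None  # an exact trusted domain is not a lookalike (spoofing of it is DMARC's job)
    norm = normalise_domain(domain)
    for t in trusted:
        if norm == t or levenshtein(norm, t) <= 2:
            return t
        if domain.startswith(t + "."):  # trusted name used as a subdomain of an attacker domain
            return t
    return None


def _plain_body(msg: Message) -> str:
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw: str, trusted: Iterable[str] = frozenset(TRUSTED_VENDOR_DOMAINS)) -> dict:
    """Return findings for one raw RFC 5322 message and whether to hold it for review."""
    from email.utils import parseaddr
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + "\n" + _plain_body(msg)).lower()

    findings = []
    impersonated = lookalike_of(from_domain, trusted)
    if impersonated:
        findings.append(f"sender domain {from_domain} looks like trusted {impersonated}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency language in subject or body")
    if any(p in text for p in PAYMENT_CHANGE_PHRASES):
        findings.append("payment-detail change language in subject or body")
    # Assumption: hold on any lookalike sender, or on two or more weaker signals together.
    hold = bool(impersonated) or len(findings) >= 2
    return {"from_domain": from_domain, "impersonates": impersonated,
            "findings": findings, "hold_for_review": hold}


# Constructed sample messages (not real traffic).
SUSPICIOUS_MESSAGE = """\
From: "Acme Parts Accounts Receivable" <billing@acrne-parts.example>
Reply-To: ar.acme.parts@webmail-provider.example
To: ap@plant.example
Subject: URGENT: updated bank account for invoice 4471
Content-Type: text/plain; charset="utf-8"

Hi, our banking details changed. Please wire today's payment for invoice 4471
to the new bank account below and confirm once done.
"""

LEGIT_MESSAGE = """\
From: "Acme Parts Accounts Receivable" <billing@acme-parts.example>
To: ap@plant.example
Subject: Invoice 4470 attached
Content-Type: text/plain; charset="utf-8"

Please find attached invoice 4470, due on the usual net-30 terms.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(name, analyse(raw))
```

The lookalike check is deliberately separate from authentication: SPF, DKIM and DMARC tell you whether mail really came from `acme-parts.example`, but they say nothing about `acrne-parts.example`, which the attacker legitimately controls. A change to bank details should in any case be confirmed with the vendor over a channel that did not originate from the email itself.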

Companies must also offer awareness training that is specific and tailored to each person, including helping them understand in detail why a given email is or is not malicious. Because it takes only one successful attack to trigger a significant incident, organizations should not rely solely on experienced users to detect phishing emails.

Email remains one of the easiest ways to infiltrate an organization, and for critical infrastructure sectors, the consequences of an email attack are often devastating. With the right tools and training, companies can protect their employees and data from this dangerous threat.

Mike Britton, Chief Information Security Officer, Abnormal Security