The Critical Need to Protect Critical Infrastructure: Spotlight on Utilities

Critical infrastructure is what keeps countries running – from transportation to energy to manufacturing, these sectors are vital to a nation’s economy and national security. Protecting these organizations is a great responsibility as the consequences for negative impacts or outages can put public safety and health at risk.

CISA describes critical infrastructure as “the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety. The Nation’s critical infrastructure provides the essential services that underpin American society.”

The State of Securing Critical Infrastructure Sectors

In the U.S., the mission of the Cybersecurity and Infrastructure Security Agency (CISA) includes collaborating with businesses, communities, and government at every level to make the nation’s critical infrastructure more secure, functioning, and resilient to defend against today’s threats as well as those “just over the horizon.”

CISA recently put out an advisory regarding malware targeting the energy sector, deployed by advanced persistent threat groups (APTs) intent on disrupting key infrastructure. The agency provided recommendations on how organizations can protect their data, networks and devices. Included in the guidance was changing passwords on a regular schedule and monitoring systems to identify potential threat actors. While CISA already has security standards in place, its latest recommendations reinforce the need for heightened security for critical infrastructure sectors to prevent bad actors from disrupting service and potentially threatening national security.

Recently, the U.S. government has strengthened its stance on cyber incident reporting laws and passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which puts stricter guidance on reporting cybersecurity incidents and disclosing ransomware payments to the government. Other key aspects of the legislation include the creation of a Joint Ransomware Task Force and a Cyber Incident Reporting Council to increase cybersecurity efforts across public and private sectors.

The current state of global affairs also illuminates the need for securing critical infrastructure, with public and private organizations working together to monitor potential threats. For example, as potential attacks on critical infrastructure become more of a concern for state and local CISOs, the Commonwealth of Virginia is partnering with private sector enterprises on enhanced threat intelligence and monitoring of its energy grid as the threat of cyberattacks looms.

Spotlight On Utilities

From coast to coast, local governments are being attacked, causing significant impacts on utilities.

In Florida, a threat actor breached a city’s water treatment system and adjusted chemical levels to such a degree that the public could have been harmed. Luckily, the fraudulent and dangerous adjustment was caught and changed before any damage was done. Ultimately, the investigation concluded that a computer at the plant visited a contractor’s website that had been injected with malicious code which siphoned data including the operating system, browser type, and other kinds of information used by malware to impersonate legitimate web activity.

After the highly publicized attack in Florida, three other water treatment plant breaches in Maine, Nevada, and California came to light. Previously unreported, the attacks were included in an advisory by CISA, the FBI, National Security Agency (NSA) and the Environmental Protection Agency (EPA) about how bad actors took over the plants’ supervisory control and data acquisition systems (SCADA). The agencies warned water treatment plant leaders to be vigilant for suspicious activity and to prevent fraudulent logins by enabling multi-factor authentication (MFA) on devices with remote access to facilities.

And in March, the Brownsville Public Utilities Board (BPUB), which provides water and power to Brownsville, Texas, announced that its systems were impacted by a data security incident in which it was listed as a victim of the LockBit ransomware, which is known for gaining access to systems via phishing emails. The attack caused a delay in showing accurate balances in customer accounts.

Attacks can impact not only operations but also the systems that support the utility companies. For example, a ransomware attack on Baltimore city government systems disrupted customer service options including water bill payment, creating an organizational headache and causing confusion and frustration for citizens.

Unfortunately, there is a seemingly endless stream of news stories of state and local organizations that find themselves scrambling to pick up the pieces after a breach – leaving no doubt that the number of attacks on utilities (and critical infrastructure as a whole) is a major (and ongoing) concern.

How To Protect Critical Infrastructure Against Cyberattacks

CISA reported that 14 of 16 critical infrastructure sectors were hit with ransomware in 2021. It called for essential mitigations, including:

  • Restricting RDP unless operationally necessary, and if so, requiring MFA “to mitigate credential theft and reuse”
  • Reviewing the security posture of third-party vendors
  • User training to limit clicking on suspicious links and opening suspicious attachments
  • The use of strong, unique, and safely stored passwords

On this last point, it truly is simple bad habits like employees maintaining poor password hygiene that make organizations vulnerable to ransomware attacks and the account takeovers that often precede them.

Despite most organizations having strong password policies in place, SpyCloud’s analysis of exposed data tied to Fortune 1000 companies found that 64% of employees are reusing passwords. Critical infrastructure companies topped the list of industries with poor password hygiene; we identified four critical infrastructure industries where company names are one of the top 3-5 most popular passwords:

  • Aerospace & defense
  • Chemicals
  • Energy
  • Industrials

It’s too soon to forget that one of the worst cyberattacks in history stemmed (in part, at least) from the use of a company name in a critical password.

Weak passwords make enterprises susceptible to ATO and ransomware, and with the stakes so high with critical infrastructure, ensuring strong password hygiene is of the utmost importance. However, keeping tabs on employees’ account security poses a substantial burden for security and IT teams.

SpyCloud’s expertise is in recapturing compromised data from the criminal underground – data from breaches, malware-infected devices, and other covert sources that no other provider has access to – and transforming that data into actionable insights for organizations to protect themselves from cyberattacks.

In our Ransomware Defense Survey of enterprises late last year, 79% of security leaders agree that news of major attacks like the one on Colonial Pipeline (which stemmed from 1 compromised password) has “significantly elevated” their organization’s concerns about weak or stolen credentials. The magnitude of the problem is huge, but there is increasing recognition of one key way to prevent ransomware: remediating credentials that have been exposed through data breaches and malware infections.

With access to exposed data from the criminal underground, SpyCloud provides the critical difference in proactively protecting infrastructure and national security. This information levels the playing field against cybercriminals who are determined to wreak havoc on the services we rely on the most.

Learn more insights about the threat of exposed employee data on critical infrastructure organizations in SpyCloud’s 2022 Fortune 1000 Identity Exposure Report.