The News-Times

Report: Cyber attacks pose ‘significant’ risk to utilities

- By Peter Yankowski

A new report from Connecticut’s Public Utilities Regulatory Authority found that phishing attacks pose “a significant risk” to the state’s utilities.

The method is what’s known as a social-engineering hack, in which people with access to a secure computer system or network are tricked into giving hackers access, often through email or some other communication posing as legitimate.

A report from the Public Utilities Regulatory Authority found that in 2021 “the lack of multifactor authentication was the primary cause of many successful phishing hacks of utility vendors and business partners,” the agency said in a statement.

That authentication method involves confirming a user’s identity through a second means besides a password — usually a one-time code sent to the legitimate user’s phone or email address. It’s a system that’s widely used by social media companies and email providers, and familiar to anyone who’s ever lost their Twitter login.

The report highlighted several prominent hacks last year, including vulnerabilities Microsoft found in its Exchange servers “that were being actively exploited by Chinese state actors,” who managed to compromise some 30,000 devices in the U.S. Other hacks involved the energy and utility sector, including a ransomware attack against the corporate IT systems of Colonial Pipeline. That hack resulted in disrupted service.

“First, malicious cyber actors have continued to target the IT supply chain and third-party vendors as a means of gaining access to their intended targets network. The associated risk will likely increase as these types of services are relied on more and more by critical infrastructure companies,” the report states. “Second, malicious cyber actors have been able to gain access into many networks using legitimate credentials that were likely stolen in previous phishing campaigns or easily guessed based on previous data breaches.”

The report recommends that “at a minimum,” utility companies should hold annual training on phishing to prevent employees from clicking on suspicious emails.

Photo (Christian Abraham / Hearst Connecticut Media): Crews from On Target Utility Service in Maine stage at Christ the King Catholic Church in Trumbull in August 2020.
