The number and sophistication of cyber attacks directed at power, water and other utility companies continued to grow in 2021, according to a new report from state regulators.
Findings released by the Public Utilities Regulatory Authority on Friday called attention to a number of notable and disruptive hacks last year, including the Colonial Pipeline ransomware attack, exploitation of software and server vulnerabilities by criminals and foreigh government agents and a hack that compromised the supervisory control system at an unnamed U.S. water treatment plant.
“While the types of cyber-attacks have remained fairly consistent with last year, the quantity has continued to grow,” the report states.
Phishing attacks — in which employees of targeted companies are tricked into disclosing sensitive information or introducing malware into their systems via seemingly credible emails — remain the top threat and “main vector” of successful cyber intrusions, according to PURA. The agency said the continued danger of phishing, and the fact that phishing attacks are now easier to automate and direct, underscore the need for employee training on responding to suspicious emails, especially those that would seem to pertain to things workers are most likely to be interested in, such as pay, vacation time or COVID-19 response measures.
Hacks from over the last year also show that cyber criminals are continuing to target IT supply chains and third-party vendors as a means to infiltrate their intended target’s network.
“The associated risk will likely increase as these types of services are relied on more and more by critical infrastructure companies,” PURA noted.
Additionally, the report called attention to cyber attacks in which hackers use legitimate credentials — likely stolen during a prior phishing attack or guessed based on stolen data — to gain access to critical networks.
In response, the study said, companies should implement multi-factor authentication and other security controls as a way to mitigate their risk. The analysis also recommended performing regular patch management, creating protected system backups and limiting access to certain resources to employees with a “true need.”
