Report calls critical infrastructure cybersecurity ‘abysmal’

October 20, 2021

Tyson Fisher

|

A new report is calling security of critical infrastructure “abysmal” as cyberattacks continue to increase.

On Monday, Oct. 18, digital security company CloudSEK published a report titled “Abysmal State of Global Critical Infra Security: Supply of Gas, Water, & Govt. Services at High Risk.” As the title suggests, critical infrastructure across the globe is at risk of crippling cyberattacks.

Specifically, both the private and public sectors are vulnerable to attacks on operational technology. CloudSEK points out that most cybersecurity has focused on information technology as remote work and online businesses increase. However, recent attacks on operational technology within the critical infrastructure sectors have highlighted the need to shift that focus.

Despite access to resources, some of the factors allowing cyberattacks to happen are simple human errors. Common weaknesses cybercriminals look for in critical infrastructure systems are:

  • Weak, default and/or obvious passwords.
  • Outdated versions of installed software.
  • Third-party vendor data leaks.
  • Leaked source code.
  • Shadow IT (IT systems, devices, software, apps, etc. not sanctioned by IT department).
  • Phishing.

Although the study focuses on systems based in India, a cyberattack on those systems can affect critical infrastructure operational technologies globally. For example, CloudSEK found vulnerabilities within the online water quality monitoring dashboard of an Indian fast-moving consumer goods company. The dashboard was using default manufacturer credentials, allowing cybercriminals to more easily access the system to edit water supply calibrations, stop water treatment operations and change water chemical composition.

CloudSEK found three U.S. installations of the same system also using default credentials. Of the 47 vulnerable systems found globally, 30 belong to major water sources that supply drinking water to major cities.

Attacks on critical infrastructure can have major consequences for the trucking industry.

Doug Morris, director of safety and security operations for the Owner-Operator Independent Drivers Association, said the U.S. government has had difficulty protecting its own agencies, let alone protecting the critical infrastructure private sector.

“Roughly 85% of the infrastructure is owned by the private sector,” Morris said. “Congress and government agencies have failed to assist the private sector in securing their cyber vulnerabilities, especially considering the sophisticated attack methods that have been used by hackers and again many assisted directly or indirectly by nation states.”

In May, a ransomware attack shut down the 5,500-mile Colonial Pipeline. According to the pipeline’s website, it is the largest refined products pipeline in the United States, transporting more than 100 million gallons of fuel daily to meet the energy needs of consumers from Houston to the New York Harbor.

Consequently, the Federal Motor Carrier Safety Administration issued a temporary hours-of-service exemption to fuel haulers. Numerous truck stops in the East reported fuel shortages, causing some truckers to stay put until more fuel arrived.

“Within the past few years the Department of Homeland Security has stood up the Cybersecurity and Infrastructure Security Agency, which is going through each critical sector to assist the private industries in hardening their cyber networks,” Morris said. “This agency has let it be known that the ransomware attacks will be dealt with harshly and the actors will be brought to justice with the assistance of the FBI.”

Other cybersecurity concerns within the trucking industry include attacks on ELDs, speed limiters and various forms of automated technology.  LL