Email security, Critical Infrastructure Security

Why email attacks still loom as a major threat to critical infrastructure sectors

Email security

While every organization across every vertical faces the risk of experiencing a cyberattack, certain industries are particularly susceptible to being targeted by threat actors—especially those in critical infrastructure sectors.

Organizations that deliver essential services are attractive targets for a few reasons. Attacks on sectors such as energy, transportation, and healthcare can severely disrupt society, making them especially lucrative since these organizations are often more likely than others to pay substantial ransoms to restore operations and minimize downtime. Many critical infrastructure organizations are also understaffed, relying on legacy systems that are vulnerable to criminal exploit, and involve extensive supply chains that attackers can target as initial access points.

Threat actors are using a number of attack tactics to target critical infrastructure organizations, but email compromises still stand as some of the most common and, unfortunately, successful methods.

Because most people still use email, it gives criminals a fairly open channel to target an endless number of users. Email was never designed with security in mind and most people use it to communicate, collaborate, and share information with trusted parties every day, so its blanket of trust extends pretty widely. Attacks like business email compromise (BEC) and vendor email compromise (VEC) purposefully exploit that trust, by impersonating trusted identities and using social engineering to manipulate targets into completing fraudulent transactions or divulging sensitive information.

We recently evaluated how these kinds of attacks impact critical infrastructure industries, including the energy, infrastructure, and automotive sector.

Attacks and suspicious activity targeting U.S. power stations reached a decade-long high in 2022, and concerns about sabotage persist today. FBI Director Christopher Wray warned earlier this year that Chinese hackers might target critical U.S. infrastructure such as water treatment plants, electrical grids, and pipelines.

When looking at the volume of attacks over the last year, energy and infrastructure organizations were a top target for VEC attacks, with 65% in this industry experiencing a VEC attempt between February 2023 and January 2024. That’s a higher rate than organizations in the healthcare, finance, or technology industries, which are often considered the most popular targets for VEC.

The complex supply chains and extensive networks of third-party vendors in energy and infrastructure could be to blame for this high rate of VEC attacks. Cybercriminals know it’s difficult to defend these sprawling networks, and since these organizations regularly transfer significant sums of money, they are high-value targets for cybercriminals.

This sector also experienced an 18% year-over-year increase in BEC attacks. While BEC may not account for a large percentage of all advanced attacks, they pose a significant risk. Cybercriminals only need one BEC attack to succeed and ultimately acquire funds or sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) defines the manufacturing sector, including automobile manufacturing, as one of the critical infrastructure sectors. When looking at how email compromises affect this industry, we found that BEC attacks against automotive businesses increased 70% between September 2023 and February 2024. VEC attacks were similarly elevated during the same six-month time period, with 63% of automotive customers experiencing at least one VEC attack. It’s a higher rate than other vulnerable industries, including energy and infrastructure, hospitality, and finance, during the same timeframe.

Why are automotive companies such attractive targets? For one, automotive groups rely on complex supply chains and vast vendor ecosystems – offering attackers with plenty of third parties to impersonate through VEC attacks. Second, high-value transactions for parts and inventory are common, and threat actors are always looking for the most lucrative opportunities.

A notable attack that targeted auto parts supplier Toyota Boshoku a few years ago, involved threat actors using an email scam to manipulate an employee into changing bank account information for a wire transfer, resulting in a loss of $37 million.

Traditional phishing attacks are alive and well in this sector, too. The infamous cybercrime syndicate known as FIN7 has recently been linked to a spear-phishing campaign targeting the U.S. automotive industry, targeting individuals in the IT department with higher levels of administrative rights, to install a backdoor and gain an initial foothold.

How to protect against email attacks in critical infrastructure

Regardless of the industry, CISOs need to secure email because it’s still a major threat vector. There are some foundational protections that every organization should have in place, including continued security awareness training. Employees should always stay vigilant for urgent requests for sensitive information, poor spelling and grammar, or malicious links.

Companies also need to offer awareness training that’s specific and tailored to each individual, including helping them specifically understand why, or why not, an email is malicious. Since it only takes one successful attack to create a significant event, organizations shouldn’t just rely on having savvy users who can spot phishing emails.

Email remains one of the easiest ways to infiltrate an organization, and for critical infrastructure sectors, the consequences of an email attack are often devastating. By having the right tools and training, companies can protect their employees and data from this dangerous threat.

Mike Britton, chief information security officer, Abnormal Security

Mike Britton

Mike Britton, chief information security officer at Abnormal Security, leads the company’s information security and privacy programs. Mike builds and maintains Abnormal Security’s customer trust program, performing vendor risk analysis, and protecting the workforce with proactive monitoring of the multi-cloud infrastructure. Mike brings 25 years of information security, privacy, compliance, and IT experience from multiple Fortune 500 global companies.



Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.