Email Attacks: A Growing Concern for National Infrastructure Firms

Cyber attackers are increasingly utilizing malicious emails to breach critical national infrastructure (CNI). A recent report by security solutions provider OPSWAT indicates that up to 80% of CNI organizations faced email-related security breaches within the past year. Compromising CNI sectors—such as utilities, transportation, telecommunications, and now data centers—can result in significant disruptions, making them prime targets for cybercriminals. A separate report from Malwarebytes identified the services industry as the most impacted by ransomware, accounting for nearly a quarter of global attacks.

The OPSWAT research, which surveyed 250 IT and security leaders across global CNI entities, highlighted the effectiveness of email-based attacks for cybercriminals. On average, for every 1,000 employees, CNI organizations reported:

– 5.7 successful phishing incidents annually,
– 5.6 account compromises,
– 4.4 data leakage incidents.

Despite the alarming frequency of email-related attacks, 50.4% of participants still perceive email messages as safe by default, while 52.8% consider attachments to be benign.

### Why Cybercriminals Target Email

Email is a convenient vector for attackers to launch phishing campaigns, distribute malicious links, and send harmful attachments that can compromise target systems. Over 80% of CNI organizations anticipate that threat levels from all email attack types will either increase or remain constant in the upcoming year, with phishing, data exfiltration, and zero-day malware attacks being the most prevalent threats.

The report’s authors emphasized the growing interconnectivity between operational technology (OT) and information technology (IT) systems, underscoring the urgent need to prioritize email security. As they noted, “Fewer OT networks remain air-gapped due to the past decade’s digital transformation, which has integrated OT networks with the Internet. This means that a successful email cyberattack could propagate into an organization’s OT network, leading to damage and enabling further attacks from within.”

With the anticipated increase in email attack threats, CNI organizations aiming to fortify their email security must adopt a comprehensive strategy focused on the prevention and mitigation of email-borne threats.

### UK Government Designates Data Centers as CNI

Last week, the UK government designated data centers as part of CNI, marking the first new classification since 2015. This move aims to enhance national security as data centers become essential for the seamless operation of vital services, a dependence highlighted by the CrowdStrike outage in July.

Under this new designation, data centers in the UK will receive increased government assistance for incident recovery and threat anticipation. A dedicated team of senior officials will facilitate access to security agencies, such as the National Cyber Security Centre, and emergency services when necessary. This classification may deter cybercriminals from targeting these facilities.

In contrast, CNI organizations in the UK face intensified regulatory scrutiny. Operators of essential services within the CNI sectors must comply with the Network and Information Systems Regulations, and telecommunications providers are required to adhere to the Telecommunications Security Act. Data centers will likely be subject to closer monitoring in terms of compliance with both existing and forthcoming legislation, which may encompass physical security measures, audits, contingency strategies, risk reporting, and security software.

Unfortunately, compliance is an area where CNI companies are struggling, contributing to the frequency of email-based cyber attacks. According to the OPSWAT report, 65% of CNI leaders indicated that their organizations do not meet regulatory standards, with only 28% non-compliance reported among EMEA respondents.

### Increased Cyber Threats to CNI Organizations

The latest Threat Pulse report from NCC Group revealed that 34% of ransomware attacks in July targeted CNI, representing a 2% increase from June. Experts suggest that attackers may feel emboldened, viewing law enforcement repercussions as less of a deterrent than before. Analysts from WithSecure noted a change in tactics following actions against the DarkSide group after their attack on the Colonial Pipeline, which prompted ransomware collectives to aim for perceived lower-risk targets, such as avoiding attacks on hospitals.

However, the surge in CNI-targeted attacks since 2023 suggests that cybercriminals no longer hesitate to target any Western organization, seeing law enforcement action as a given regardless of their chosen victim.

### Legacy Technology Provides Easy Access

The NCSC’s 2023 Annual Review identified that the cyber threat to the UK’s CNI is “highly likely” to have escalated, partly due to its reliance on outdated technology. Organizations managing critical infrastructure frequently operate legacy systems because replacing such technology while maintaining normal operations is costly and challenging. Evidence presented by Thales to a UK government report indicated that it is common for CNI sectors to rely on aging systems that lack regular updates, monitoring, or assessments.

Further findings from NCC Group indicated that “OT systems frequently contain components that are 20 to 30 years old and/or utilize older software that is less secure and no longer supported.” A Microsoft report from May corroborated these concerns, stating that the security measures in place were often inadequate, making OT systems attractive and relatively easy targets for cyber attackers. Notably, attacks targeting water and other critical infrastructure systems have been rising since late 2023.
