Wednesday, December 18, 2024

Moody’s Cyber Heat Map flags extreme cyber risks for critical infrastructure, impacting telecommunications and airlines

Must read

Moody’s new cyber heat map report reveals that telecommunications, airlines, and other critical infrastructure sectors now face extremely high cyber risk. The agency’s latest cyber heat map underscores this shift to the highest risk level for telecommunications, airlines, and power generation industries. This comes as major telecom companies have suffered significant cyberattacks recently, and airlines’ reliance on digital technology has increased their vulnerability to operational disruptions. It also identified that new high-risk sectors include automobile manufacturers and suppliers, education, manufacturing, energy, and ports

The research also flagged that eleven new industries have shifted to the high-risk category representing US$28 trillion in debt; growing digitization is driving increasing exposure to cyber risk; and the cyber heat map assesses both exposure to cyber risk and cyber defense.

“Numerous other sectors, including manufacturing, education, medical products, mass transit, and ports, also show more acute risk than in our 2022 heat map, either due to rising exposure or weaker oversight than in other industries,” according to Moody’s cyber heat map. “Together, these sectors account for $7.1 trillion of debt. Our heat map uses both data and analytical insights to assess cyber risk in 71 industries globally. It shows rising risk across 16 industries. We score sector-level cyber risk on a four-level scale: Low, Moderate, High, or Very High.”

The Moody’s report detailed that electric, gas and water utilities and not-for-profit hospitals are also at the highest risk level. “All these industries are highly digitized and play a crucial role in the functioning of society and the economy. Eleven new industries shift to High risk. High-risk and Very High-risk sectors now represent $28 trillion in debt. New High-risk sectors include automobile manufacturers and suppliers, education, manufacturing, energy, and ports.” 

Additionally, greater risk at ports is illustrated by a slew of recent multi-day disruptions in Japan and Australia. Higher education institutions have become more vulnerable due to comparatively weak defenses while manufacturing sectors face rising risk due to the increasing digitization of their production processes.

The cyber heat map noted that the telecommunications sector rises to the highest cyber risk category due to its systemic importance and broad digitization, along with weaker defense practices compared with other lower-risk vital sectors. “Costly cyberattacks on companies such as T-Mobile USA (Baa2 stable), AT&T Inc. (Baa2 stable), and Optus Australia, a subsidiary of Singtel Optus Pty Limited (A3 stable) underscore the industry’s Very High-risk designation. These firms have experienced numerous and severe attacks in recent years that have resulted in the theft of personal information from millions of current and former customers and led to substantial financial settlements with regulators.” 

These breaches also showcase the critical challenges telecommunications companies face in safeguarding sensitive customer data against increasingly sophisticated cyberattacks.

Although telecommunications companies are investing heavily in cybersecurity, their efforts have yet to counteract their heightened risk exposure. 

“Airlines operate within a highly digital and increasingly interconnected ecosystem, rendering them susceptible to a range of cyber threats targeting sensitive customer data,” according to Moody’s cyber heat map. “Cybersecurity concerns include the potential for unauthorized access to flight control systems—despite high levels of security—and disruption to operational systems, such as aircraft and crew assignments, flight tracking, and/or ticketing. Such incidents could inflict significant financial damage and tarnish a company’s reputation. The industry’s reliance on third-party software for many services introduces further vulnerabilities.”

Data from BitSight indicates that this sector is among those most likely to display signs of networks compromised by potentially malicious programs or applications, leaving them more vulnerable to exploitation. Airlines also rank in the bottom third of sectors based on our assessment of their exposure to KEVs.

The Moody’s cyber heat map identified that utilities, including electric and gas transmission and distribution, regulated and unregulated utilities, water and wastewater utilities also remain at Very High cyber risk. “This is due to their role in critical infrastructure, making them attractive targets for sophisticated cyberattacks aimed at causing widespread disruption.” 

It added that a recent spate of cyberattacks on water and wastewater utilities, including American Water Works Company, Southern Water Services, and South Staffordshire Water plc, point to their vulnerability. “The integration of digital technologies and the presence of legacy systems increase vulnerabilities, while interconnected utility networks amplify the potential impact of any attack. Most utilities are very highly digitized. They are increasingly leveraging advanced technologies such as smart grids, Internet of Things (IoT) devices, and automated control systems to enhance operational efficiency and reliability. 

The report observed that this digitization facilitates real-time monitoring and management of utility assets, but also introduces new cyber vulnerabilities. Utilities attempt to offset these risks by deploying robust cyber governance and management programs, but due to large differences in scale and regulatory support for cybersecurity cost recovery, there is wide variability in individual utilities’ ability to maintain the same level of investment as other corporations and financial institutions. 

Moody’s cyber heat map revealed that not-for-profit hospitals remain exposed to Very High cyber risk due to their reliance on digital technologies for patient care and the high value of sensitive health information they handle. “Their essential role in patient care, with human lives at risk, underscores their systemic importance. Hospitals are more likely to pay ransoms to ensure their systems stay operational. The combination of potential loss of life and valuable patient data makes them attractive targets for cybercriminals. The increasing complexity of hospital networks, with a multitude of interconnected devices and systems, further compounds these vulnerabilities. 

The research also pointed to the rapid digital transformation in healthcare, often outpacing the implementation of corresponding cybersecurity measures, exacerbating the situation. Consequently, the combination of valuable data, expanding attack surfaces, and the critical nature of hospital services contributes to the Very High cyber risk in this sector.

Two recent cyber event-related credit rating actions, Mount Sinai Hospital NY’s downgrade from Baa1 to Baa3 with a negative outlook, and Ascension Health Alliance’s (Aa2) outlook revision from stable to negative, highlight the credit risks they face.

“The manufacturing sector has increased its reliance on Industrial Control Systems and operational technology. These systems, which automate and operate industrial processes, were traditionally isolated but are now more connected,” according to Moody’s cyber heat map. “Many, however, were not designed with cybersecurity as a priority, rendering them susceptible to cyber threats. The sector’s complex global supply chain introduces further vulnerabilities, as each vendor or partner can potentially bring new risks, allowing attackers to exploit weaker links to access more secure networks.” 

Furthermore, it added that the manufacturing sector is a repository of valuable intellectual property, making it an attractive target. “Our assessment shows that manufacturing organizations rank in the bottom 20% for perimeter integrity, leaving them exposed to known, exploitable software vulnerabilities. Additionally, our cyber survey responses indicate that, while large manufacturers have established strong cyber diligence practices, many small and mid-sized organizations lack adequate cybersecurity measures due to budget constraints or a shortage of specialized personnel.”

Moody’s cyber heat map also identified that ports are crucial to global trade and logistics, serving as key nodes in supply chains worldwide. The adoption of technologies like IoT devices for tracking containers, automation in loading and unloading processes, and digital platforms for managing shipping documentation have enhanced efficiency, but they also expand the attack surface for cybercriminals. 

“Vulnerabilities in these systems can disrupt port activities, leading to significant financial losses and supply chain delays. The complexity of port operations, involving multiple stakeholders, and their essential role in national economies further complicate cybersecurity efforts,” the report pointed out. “A combination of increased digitization and weak cyber governance practices makes ports highly vulnerable, as highlighted by recent multi-day disruptions in Japan and Australia.”

Moody’s heat map shows increased digitization across 16 industries, making two-thirds of industries now either highly or very highly digitized. “Total debt classified under High or Very High digitization has risen to 87%, from 74% in 2022 Digitization has also increased to High in six sectors without raising their overall cyber risk score. Those sectors include Airports, Chemicals, Shipping, Surface Transportation and Logistics, Toll Roads, and Structured Finance.”

It identified that airports have integrated advanced technologies to improve efficiency, security, and passenger experience. Digital systems now assist with check-in, security screening, and boarding, while RFID tags and barcodes have transformed baggage handling, enabling accurate tracking and automated sorting to minimize mishandling.

In the chemicals industry, increased digitization involves using IoT devices and sensors for real-time monitoring and control in production facilities. In the realm of chemical distribution, digitization extends to customer interactions through online platforms and mobile apps, offering customizable products and easier ordering. Digitization presents clear benefits for chemical companies, enhancing competitiveness, sustainability, and innovation in a complex global market.

The shipping industry has significantly ramped up its digitization efforts, integrating advanced technologies across various aspects of its operations to boost efficiency, enhance customer service, and streamline logistics. This digital transformation is evident through the adoption of automation and robotics for cargo handling, which not only minimizes human error but also ensures continuous operation, thereby increasing throughput.

In surface transportation and logistics, the embrace of digital technologies is multifaceted, incorporating advanced tracking and routing systems, cloud-based logistics platforms, and data analytics. GPS and IoT devices now enable real-time tracking of vehicles and cargo, providing up-to-the-minute updates on location, condition, and estimated arrival times, improving the precision of logistics operations. 

Toll roads have seen increasing adoption of electronic toll collection (ETC) systems, such as RFID tags or transmission devices tied to accounts and license plate recognition technology, which eliminate the need for manual toll booths, reducing traffic congestion and lowering emissions from idling vehicles. 

Earlier this week, U.S. and international partners published a joint cybersecurity advisory detailing the most commonly exploited Common Vulnerabilities and Exposures (CVEs) by malicious cyber hackers and their related Common Weakness Enumerations (CWEs). In 2023, malicious cyber adversaries exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, most of the most frequently exploited vulnerabilities were initially exploited as a zero-day, an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day.

Latest article