Over two fifths of critical infrastructure organisations have suffered a cyber breach, report finds

Thales has shared additional findings from its ‘2024 Data Threat Report,’ outlining the latest data security threats and trends facing critical infrastructure (CI) organisations.

The study targeted respondents in key critical infrastructure industries – energy and utilities, telecommunications, transportation and trucking/shipping – and is reflective of 367 organisations across 18 countries.

Thales found that 42 per cent of these CI organisations suffered a data breach, with 93 per cent observing an increase in attacks.

The most common threats encountered were malware, phishing and ransomware. Nearly a quarter (24 per cent) of organisations reported having fallen victim to a ransomware attack in the past year, with 11 per cent paying the ransom.

The leading causes of cloud-based breaches were found to include human error, accounting for 34 per cent of all attacks, and exploitation of a known vulnerability, accounting for 31 per cent.

Failure to apply multifactor authentication (MFA) to privileged accounts was found to have led to 20 per cent of attacks, and almost a third (30 per cent) of CI organisations also experienced an insider threat incident.

Thales also reported a strong correlation between compliance achievement and reduced breaches. Of those that failed a compliance audit in the last 12 months, 84 per cent reported having experienced a breach in their history. Of those that had not failed a compliance audit, only 17 per cent had any breach history, with two per cent having a breach in the last year.

Despite 93 per cent reporting an increase in attacks, limited planning and compliance continue to plague CI organisations: ransomware attacks are up four per cent since 2022, but the report found that only 15 per cent had a formal ransomware plan in place.

In addition, Thales found that 69 per cent of CI respondents were worried about the risk of encryption compromise when quantum computing becomes a reality. Despite this, only half planned to create resilience contingency plans to satisfy quantum computing security concerns in the next 18-24 months.

The shift to cloud environments has also proved problematic for CI organisations, as 51 per cent agreed that managing security in the cloud is more complex than managing security on-premise. In total, 55 per cent also stated they are concerned about the security of their data in the cloud, highlighting the need for robust cloud security measures.

“Critical National Infrastructure operates across countless industries – from the utilities that households and businesses rely upon, to the telecommunications and transport systems that keep society running. Needless to say, CI organisations face very tangible consequences should a breach be successful,” Tony Burton, managing director of Cyber Security and Trust at Thales UK, said in a statement.

“By operating complex, highly diverse, and inter-dependent technologies, the range of risks on the table is also diverse. This report highlights the need for CI organisations to take proactive measures to build cyber resilience across their distributed operations, addressing human error, ransomware, compliance, and access management concerns. Emerging technologies, if leveraged appropriately, will ultimately provide greater efficiencies and security on these fronts.”

The ‘2024 Data Threat Report’ can be downloaded and read in full here.