A recent study conducted by CloudSEK, a global AI-driven Digital Risk Management Enterprise, shows that Indian critical infrastructural systems like gas and water supply, and governemnt services are vulnerable to cyber attacks.
The report titled ‘Abysmal State of Global Critical Infra Security: Supply of Gas, Water, & Govt. Services at High Risk’ points out that overlooking the security of operational technology (OT) system could make critical infrastructure systems or industrial control systems (ICS) highly vulnerable to cyber attacks and thus, proving to be a serious threat to nations and their economies.
The study, authored by Sparsh Kulshrestha, Senior Security Analyst, CloudSEK, cited the vulnerabilities of the water quality management software of an Indian conglomerate, the Union Government’s mail server and the Central View Dashboard, and a private gas transport company as examples of the potential extent and impact of cyber attacks on ICS.
The water quality management software was found to be configured using a default manufacturer’s credentials, and thus enabling attackers to modify water supply calibrations, and stopping multiple pivotal operations treating the water, and even manipulating the chemical composition of the water.
“In fact, India topped the list of 20 countries with 13 critical installations using default credentials making them highly vulnerable. OT systems are not supposed to be accessible through Internet exposing them to cyber attacks. We carried out the study in view of the frequent attacks on critical installations and conveyed the findings to organisations concerned,” said Rahul Sasi, the founder of CloudSEK.
The leading reason behind this vulnerability of critical installations is human error.
Weak, default, or obvious passwords, outdated versions of installed software, third-party vendor data leaks were some of the other common follies that invited cyber attacks.
Out of the 47 instances of using default credentials, 30 of them were related to some of the major dams and water sources across the world, responsible for supplying drinking water to major cities across the globe.
In another major security lapse, the credentials to the Indian government’s mail server was found hard-coded into the source code.
This enabled the hackers to send emails impersonating government entities, and to spread misinformation. This could also lead the victims to fall for phishing attacks.
Similarly, the vulnerability of a gas transport company exposed sensitive information about the trucks and its drivers, including the exact location of trucks via GPS, licence plate numbers, drivers’ phone number, and other such details.
The threat perception was even more, considering that the gas trucks could be weaponised using the leaked information, leading to disastrous consequences.
The Union Government’s Central View Dashboard also exposed real-time CCTV footage of critical services across all Indian States, giving the attackers a potent tool to surveil their targets.
