The Associated Press had its Twitter account hacked earlier this week after a sophisticated phishing scheme by the Syrian Electronic Army.
For utilities, a hacked Twitter account might not pose the same threat as it does for a major news organization, but this method of attack should not be ignored.
A new report from Verizon, the 2013 Data Breach Investigations Report, found that the use of social tactics increased, with phishing and pretexting the most widely used. For the 2013 report, Verizon worked with nineteen other contributors to get a more comprehensive look at the types of attacks that hit corporations.
Nearly all of the attacks organized by state-affiliated actors used phishing as a way to gain a foothold in the system.
Recently, Jon Wellinghoff, chairman of FERC, said that utilities should probably be more concerned about more traditional, physical attacks, but that doesn’t mean cybersecurity measures should be minimized.
Utilities saw relatively few attacks compared with other industries, accounting for 1.7 percent of the sample, versus 21.7 percent for retail, which was the most hacked industry. The bulk of the utility breaches were attempts to get financial information, potentially customer information, said Marc Spitler, senior analyst with Verizon’s RISK team.
U.S. utilities will reportedly spend more than $7 billion on cybersecurity by 2020, but those funds have to be spent carefully, not only on security technology but also on employee education and on having someone close to the CEO, such as a chief risk officer, who manages all security aspects of the organization.
“You need to understand what your adversary is likely to be after,” said Spitler. “What’s going to cause you the most harm or provide them the most gain?”