India's critical infrastructure systems like water and gas supply and government services are vulnerable to cyber-attacks, according to a recent report published by CloudSEK, a global AI-driven Digital Risk Management Enterprise.
Highly Vulnerable To Cyber Attack
The study, titled 'Abysmal State of Global Critical Infra Security: Supply of Gas, Water & Govt. Services at High Risk', points out that ignoring the security of operational technology (OT) systems could make industrial control systems (ICS) and critical infrastructure highly vulnerable to cyber-attacks, and thus pose a severe threat to nations and their economies.
The report, authored by Sparsh Kulshrestha, Senior Security Analyst at CloudSEK, cited the vulnerabilities of the water quality management software of an Indian conglomerate, the Central View Dashboard, the Union Government's mail server, and a private gas transport company as examples of the potential extent and impact of cyber attacks on ICS.
The water quality management software was configured with the manufacturer's default credentials, enabling attackers to modify water supply calibrations, stop operations necessary for treating the water, and even manipulate the chemical composition of the water.
"India topped the list of 20 nations with critical installations using default credentials, making them highly vulnerable. OT systems are not supposed to be accessible through the Internet, exposing them to cyber attacks. We carried out the study in the view of the frequent attacks on critical installations and conveyed the findings to organizations concerned," said Rahul Sasi, the founder of CloudSEK, as reported by The Hindu.
Human error is the main reason
The main reason behind this vulnerability of critical installations is human error. Of the 47 instances of default credentials in use, 30 were related to some of the major dams and water sources across the globe, which supply drinking water to major cities. In another significant security lapse, the Indian government's mail server credentials were found hard-coded into source code. This enabled hackers to send emails impersonating government entities and to spread misinformation. It could also lead victims to fall for phishing attacks.
Weak, default, or obvious passwords, outdated versions of installed software, and third-party vendor data leaks were some of the other common follies that invited cyber attacks.
Similarly, the vulnerability of a gas transport company exposed sensitive information about trucks and drivers, including the exact location of the trucks via GPS, drivers' phone numbers, license plate numbers, and other such details. The threat is all the greater because the gas trucks could be targeted using the leaked information, with disastrous results.
The Union Government's Central View Dashboard also exposed real-time CCTV footage of critical services across all Indian States, giving the attackers a vital tool to surveil their targets.