Effective information and system security is essential for safeguarding both individuals
and organizations. At the individual level, robust security protects personal
data and privacy. For organizations like Tucson Electric Power (TEP), it
ensures the reliability of the electric grid, operational safety, and public
trust. Critical infrastructure operators must guard against disruptions,
reputational damage, and potential harm to the public. One common attack vector
involves using ping commands as part of Denial-of-Service (DoS) or ICMP-based
attacks. Although ping itself is benign, attackers can flood a target system
with ping requests (ping flood), overwhelming network capacity and causing
operational downtime. In utility environments, such latency or outages could
interrupt monitoring systems, delay critical commands, or disable alerts,
risking grid instability. This paper examines two primary security threats:
phishing/smishing and social engineering, both of which pose significant risks to TEP.
Phishing and its mobile equivalent, smishing, exploit human trust through deceptive
messages or links, tricking users into revealing credentials or installing
malware (TechRadar, 2025; Alwan et al., 2021). The energy and utility sector
remains a top target: campaigns have targeted credentials for gaining access,
with phishing accounting for 84% of breaches in energy systems (Cyber Defense
Magazine, 2025). At TEP, a successful phishing attack could allow intruders to
access internal systems, SCADA interfaces, or sensitive technical documentation
via spear-phishing, which comprises 81% of security alerts in utilities. Symptoms
may include unusual login attempts, credential theft, malware installation, or
anomalous network behavior. Consequences range from data exfiltration to
manipulation of control systems, disruptions in distribution operations, and
even potential physical damage to infrastructure. Recommendations include: (1)
Implementing Multi-Factor Authentication (MFA) on every system login, making
credential theft less effective; (2) Conducting regular simulated phishing
exercises to reinforce user awareness and build response readiness; and (3)
Using advanced email filters and machine-learning detection tools to reduce
phishing delivery and identify anomalies before they reach users.
Social engineering leverages psychological manipulation rather than technical
exploits. Attackers might impersonate trusted vendors, coaxing staff into
granting remote access or divulging sensitive information (Infosec Institute,
2020; Airehrour et al., 2018). The critical nature of utility services and
access to operational systems makes employees valuable targets. Signs include
unusual requests for access, unexpected changes from support personnel, or
anomalies in documentation or procedure. Damage could involve unauthorized
system control, safety system tampering, or misconfiguration of devices, threats
with potentially severe physical consequences. Recommendations include: (1)
Enforcing strict access protocols such as “call-back” authorization procedures,
where staff verify unusual requests using trusted contacts before acting; (2)
Conducting frequent awareness training and refreshers to alert staff to tactics
like pretexting or impersonation; and (3) Developing a layered defense model
that combines employee vigilance with technical safeguards.
Security threats like phishing/smishing and social engineering remain paramount risks
for TEP. Both exploit human factors more than technology. Strong defenses
include robust authentication, proactive phishing training, and strict protocol
adherence. Combining technical solutions (MFA, email filtering) with
human-focused safeguards (simulations, training, verification procedures)
creates a layered defense essential for protecting critical infrastructure and
organizational resilience.
References
Airehrour, D., Vasudevan Nair, N., & Madanian, S. (2018). Social engineering attacks
and countermeasures in the New Zealand banking system: Advancing a
user-reflective mitigation model. Information, 9(5), 110.
https://doi.org/10.3390/info9050110
Alwan, Z., Dhiya, A., & Hasan, M. (2021). A comprehensive study on phishing
attacks: Types, techniques, and prevention. International Journal of Computer
Applications, 183(44), 15-22. https://doi.org/10.5120/ijca2021921700
Cyber Defense Magazine. (2025, August 13). The looming domino effect of cyberattacks
on energy and utilities.
https://www.cyberdefensemagazine.com/the-looming-domino-effect-of-cyberattacks-on-energy-and-utilities/
Infosec Institute. (2020, April 29). ICS/SCADA social engineering attacks.
https://www.infosecinstitute.com/resources/scada-ics-security/ics-scada-social-engineering-attacks/
TechRadar. (2025). Malicious URLs and phishing scams remain a constant threat for
businesses—here’s what can be done.
https://www.techradar.com/pro/security/malicious-urls-and-phishing-scams-remain-a-constant-threat-for-businesses-heres-what-can-be-done