Cyberattacks on critical infrastructure are no longer hypothetical—they’re a growing reality. From manufacturing and energy to water and healthcare, the systems we rely on most are under siege. The recently published CISA Sectors Critical Infrastructure 2024 Report by Securin dissects over 1,700 cyber incidents, revealing over 3,000 vulnerabilities in manufacturing, a 30% increase in energy sector risks, and 800 vulnerabilities affecting water and waste systems.
In a recent episode of Secure by Design, Kiran Chinnagangannagari, Co-Founder and Chief Product & Technology Officer at Securin, Inc., talks about the report’s most pressing findings. Threat actors are increasingly targeting smaller entities, with geopolitical tensions shaping attack strategies. The findings emphasize the need for proactive security, early warning systems, and stronger incident response capabilities. Securin’s solutions aim to enhance visibility into attack surfaces, promote secure coding, and provide adversarial intelligence to help organizations defend against today’s evolving threats.
“We’re seeing a steady increase in vulnerabilities in the manufacturing sector, and it’s not just limited to just that,” Chinnagangannagari notes. “There’s also a significant jump in vulnerabilities in the energy sector, and that’s a concern because these are critical systems we rely on every day.”
The Origins of Securin: A Focus on Proactive Protection
Chinnagangannagari shares the story behind Securin’s founding, explaining that while the cybersecurity industry is crowded, Securin identified a crucial gap: the need for proactive defense.
Securin’s foundation is rooted in research, working closely with universities like Arizona State University and New Mexico State. Some of their early work was funded through grants from DARPA and Naval Intelligence, reinforcing their deep ties to the federal government. The core goal is to give customers an early warning, 30 to 45 days before a vulnerability is likely to be weaponized, so that they can implement patches or other protective measures before an attack occurs.
Key Findings from the 2024 Report
Securin’s latest report marks the first time they’ve analyzed cyber threats on a sector-by-sector basis. While past reports took a holistic view, this year’s research focused on the 16 Critical Infrastructure Sectors as defined by the U.S. government.
Most Vulnerable Sectors
The report identifies manufacturing as the most vulnerable sector, followed by energy, water, and waste. Chinnagangannagari notes that ransomware groups and state-sponsored threat actors are shifting their focus to smaller organizations, which often lack the resources for comprehensive cybersecurity defenses. The rise in geopolitical conflicts is also influencing cyberattack patterns, making critical infrastructure a growing target.
Biggest Attack Vectors
The report outlines the primary methods cybercriminals are using to breach infrastructure. Legacy systems remain a major weak point. Outdated IT and OT (operational technology) systems often lack patch management and modern security controls. Hard-coded passwords and the absence of multi-factor authentication (MFA) leave these systems exposed.
The report finds that phishing attacks have become more sophisticated, with the average time to fall for a phishing scam now around 60 seconds. The convergence of IT and OT means previously isolated systems are now more connected, creating new entry points for attackers.
The Challenge of Legacy Systems and Limited Resources
Legacy infrastructure—sometimes decades old—remains a significant challenge. Chinnagangannagari notes that many organizations, especially in the public sector, lack the resources to patch and upgrade these systems.
Moreover, smaller organizations often lack the manpower and expertise to monitor and respond to threats effectively. This creates an uneven playing field where attackers—often better resourced and more patient—have the upper hand.
Practical Steps to Strengthen Defenses
So, what can organizations do to protect themselves against these growing threats? Chinnagangannagari recommends that organizations prioritize resilience and incident response. “Most organizations should be prepared for the day when they will either get breached or attacked,” he advises. “Having a mechanism to understand and detect these threats is crucial.”
He also emphasizes the importance of basic cyber hygiene, such as keeping backups off-site and conducting regular disaster recovery exercises. “Just the bare minimum cyber hygiene, like making sure that my backups are kept off-site, and doing a disaster recovery (DR) exercise every year or so, can make a big difference,” Chinnagangannagari says.
Securin’s platform helps organizations gain a comprehensive view of their attack surface, correlating signals from multiple sources to provide an adversarial perspective on security risks.
Securin plans to expand its research in the future, with an upcoming ransomware report and an in-depth analysis of security risks associated with large language models (LLMs). Chinnagangannagari introduces the concept of AI risk facts, a standardized way to assess AI security risks. By helping organizations better understand these risks, Securin aims to support more informed cybersecurity decisions in an increasingly AI-driven landscape.
Guest: Kiran Chinnagangannagari
Company: Securin
Show: Secure by Design
This summary was written by Emily Nicholls.





