Advertisement

Moody’s Rating adds telecoms, airlines, utilities to highest risk category

The financial ratings service says industry digital reliance increases cyber risk.
Listen to this article
0:00
Learn more. This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.
Telecommunication tower during sunset. (Getty Images)

The telecommunications industry, airlines, and some power generation utilities have elevated cyber risks due to digitization and lax security practices, according to a new report from Moody’s Rating that places the sectors in the “high risk” category.

The financial ratings service released a cyber heat map Tuesday that looks at the risk profiles of 71 sectors globally and compares them to 2022. Moody’s analysts found that the increasing reliance on digitization is a major factor for the increased cyber risk, as adoption adds new methods of attack for malicious hackers. 

“Across the board, two main factors are driving these higher cyber risk scores: increased sector digitization, which introduces a more extensive digital footprint potentially more vulnerable to cyberattacks, and/or below-average cyber risk mitigation practices,” Steven Libretti, assistant vice president for Moody’s Ratings, said in an emailed statement to CyberScoop.

The score is based on an organization’s exposure and ability to mitigate risk and is categorized as low, moderate, high, or very high.

Advertisement

The telecommunications sector moved to the highest risk profile not only because of increased digitization and importance, but because of the “weaker defense practices” compared to other critical sectors.

Telecommunications has been under increased scrutiny in recent years, as successful attacks by both nation-backed and criminal hackers have increased. Earlier this fall, Chinese hackers known as Salt Typhoon were able to dive undetected into sensitive networks of at least three telecoms: AT&T, Verizon, and Lumen. The hackers were reportedly able to view court-ordered wiretaps, and members of Congress have called for briefings on the hacks.

AT&T also announced in July that hackers obtained six months of phone and text message records of “nearly all” of the company’s customers.

Additionally, the Federal Communications Commission forced the telecom giant T-Mobile to pay a $31.5 million fine in September due to the number of repeated breaches that exposed customer information. Half of the fine is mandated to be spent on improving the company’s security.

“The breaches illustrate the critical challenges telecommunications companies face in safeguarding sensitive customer data against increasingly sophisticated cyberattacks,” the report notes.

Advertisement

Moody’s analysts also found that more than two-thirds of the industries scored globally are considered “high or very highly digitized.” While increasing connectivity can add efficiency, the analysts warn that such dependencies are also creating a more complex supply chain, where hackers could access and disrupt essential services.

The airline sector experienced such a disruption in July, when the cybersecurity firm CrowdStrike sent a unintentionally malicious update that effectively bricked the drivers of thousands of Windows machines in the sector. Across the nation, airplanes were grounded as the technical chaos forced United, Delta, and American Airlines to cancel or delay flights.

Moody’s said that incidents like the faulty CrowdStrike update underscores the “critical dependence” of software and the potential “extensive ramifications” when the technology fails for the airline sector. Moody’s said the new “very high risk” sectors “account for $7.1 trillion of debt.”

While some utilities were already considered “very high risk,” power generation projects have also been added to the list due to the increased digitization, the report notes.

Additional sectors that are considered “high risk” are: electric and gas distribution, water and wastewater utilities, regulated and self-regulated entities, power generation projects, unregulated utilities and power companies, and not-for-profit hospitals.

Advertisement

The report also found that 11 industries should be considered in the “high risk” category, including: automobile manufacturers, education, manufacturing, energy, and ports. The increased cyber risks are also due to recent attacks, increased digitization, and lax defenses.

Christian Vasquez

Written by Christian Vasquez

Christian covers industrial cybersecurity for CyberScoop News. He previously wrote for E&E News at POLITICO covering cybersecurity in the energy sector. Reach out:  christian.vasquez at cyberscoop dot com

Latest Podcasts