The Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the FBI, Environmental Protection Agency (EPA), and Department of Energy (DoE), has issued a joint alert warning that unsophisticated cyber actors are increasingly targeting operational technology (OT) and industrial control systems (ICS) within the United States’ critical infrastructure.
“CISA is increasingly aware of unsophisticated cyber actor(s) targeting ICS/SCADA systems within U.S. critical Infrastructure sectors (Oil and Natural Gas), specifically in Energy and Transportation Systems,” the agency says.
According to the alert, even basic intrusion techniques are proving dangerous due to widespread poor cyber hygiene and internet-exposed systems. These attacks, while technically unsophisticated, can lead to defacement, unauthorized configuration changes, operational disruptions, and potentially even physical damage.
OT systems connected to the internet with default credentials or insufficient remote access protections are soft targets, the agencies warned, saying that bad actors often use publicly available tools and search engines to identify vulnerable systems.
The joint alert urges entities to take immediate action to harden their cyber defenses, including:
- Removing OT systems from the public internet
- Changing default and weak passwords
- Securing remote access with VPNs and phishing-resistant multifactor authentication (MFA)
- Segmenting IT and OT networks
- Maintaining the ability to manually operate OT systems in the event of disruption
The agencies emphasize the importance of working closely with third-party vendors, managed service providers, and system manufacturers to identify misconfigurations and reduce the risk of unintended vulnerabilities.
Review the Attack Surface
Thomas Richards, Infrastructure Security Practice Director at Black Duck, says these alerts are very serious and come from observed actions by these malicious actors who are compromising critical systems. “The motivation of the malicious actors is irrelevant, if an organization’s exposed sensitive systems are exposed to the internet with no security hardening, they are at risk of a compromise. Many times, these systems are provided internet access for remote connectivity from support teams and vendors, but this creates a major security risk without restricting who can access it and adding proper authentication controls. Organizations in this space should conduct a complete review of their external attack surface and identify insecure devices that are exposed. Once these devices are identified, controls should be put in place to prevent unauthorized access.”
This issue also shows that these organizations don’t have proper cyber security governance or reviews put in place to prevent default passwords from being in use or prevent administrative interfaces from being exposed to the entire internet. As every business is a software business, these organizations should look at industry standard frameworks for cyber security controls and implement a strict review process before any new technology is deployed or firewall change is made to be sure they are not introducing more risk to the organization and systems.
Trey Ford, Chief Information Security Officer at Bugcrowd, read the joint alert from two perspectives. “The ICS/SCADA community is, by definition, critical infrastructure, and regularly receive alerts on highly sophisticated and nation state activity targeting their sector. Why should this alert, tied to unsophisticated groups and activists, activate a response for folks facing capable and well-funded attackers?”
The fact that CISA has a need to report on the activities of an unsophisticated threat activity is noteworthy, says Ford. “Their issuing an intelligence product focusing on hygienic cybersecurity foundations like this is a reminder – all security programs are on a journey, and failure in these seemingly obvious controls leads to certain failure and compromise.”
A Growing Concern
Impact to critical infrastructure is a ongoing and a growing concern with the applications of AI-based capabilities for both offensive and defensive teams, adds Nathaniel Jones, Vice President of Threat Research at Darktrace. “Over the past year, the Darktrace Threat Research Team has observed a substantial, global increase in sophisticated threat actors targeting organizations within designated CNI. This trend is informed both by the heightened warnings from national intelligence agencies, as well as an overall focus of threat analysis on activity identified within customers in these industries. The targeting of CNI entities, and the subsequent operations following access, suggest threat actors may be building strategic pathways to yield geopolitical leverage in the event of conflict.”
Malicious groups exploiting CNI networks may have differing aims based on their operating context, Jones adds. “Some APT groups may not have immediate objectives once persistence is obtained within CNI networks. Potentially state-sponsored actors may take a lay-and-wait approach: opting to sit within networks with minimal activity beyond beaconing only increasing activity when outside strategic conditions change. Certain threat actors will also leverage malware aimed at causing immediate disruption to suit their goals. This threat is particularly relevant for organizations with OT and Industrial Control Systems (ICS) environments. Darktrace Threat Research analysts recently noted an uptick in attacks in the energy sector motivated by disruption. The means of disruption observed by Darktrace ranged from an OT specific attack on Canadian energy provider’s PLC motor in the SCADA environment at a field substation, to multiple Fog ransomware attacks that successfully led to encryption.”
As OT becomes increasingly integrated with IT systems, Jones says it presents more opportunities for malefactors. “OT security is strongest when supported by robust IT security, requiring coordination between IT and OT teams to defend the entire network. By adopting good cyber hygiene, proactively securing your digital estate, and addressing any vulnerabilities before they can be exploited, organizations will be much better equipped to defend their networks against increasingly opportunistic threat actors.”
A Top Target
“The latest Global Threat Landscape Report from Fortinet’s FortiGuard Labs found that the OT sector remains one of top targets for attackers, with industrial organizations experiencing almost half (44%) of the ransomware and wiper activity during that timeframe,” adds Derek Manky Chief Security Strategist & Global Vice President of Threat Intelligence at FortiGuard Labs. “The rise of Crime-as-a-Service (CaaS) has made it easier for adversaries to launch attacks, providing them with ready-made tools to breach critical infrastructure. Additionally, state-sponsored actors and financially motivated cybercriminals are focusing on disrupting industrial operations, often leveraging ransomware and advanced persistent threats (APTs).
One of the most significant shifts has been the increasing convergence of IT and OT environments, which expands the attack surface and makes traditional security measures insufficient, Manky adds. “Threat actors are capitalizing on this shift by leveraging new attack methods that were previously impractical to use against air-gapped OT systems and employing reconnaissance-as-a-service to map out OT networks before deploying malicious payloads.”
Manky says the future of OT security will be driven by technologies that enable faster detection, response, and adaptation to evolving threats. Key trends include:
- AI-driven threat detection that continuously learns and adapts to new attack patterns.
- Automated security orchestration (SOAR) to streamline incident response and reduce manual workload.
- Continuous Threat Exposure Management (CTEM) to identify and mitigate risks before they become exploitable.
- Industry-wide intelligence sharing initiatives, such as MITRE ATT&CK for ICS, to improve collective defense strategies.
- Zero Trust security frameworks tailored for OT environments, ensuring strict access controls and network segmentation.
“By adopting these technologies, organizations can move from a reactive to a proactive security posture, significantly reducing the risk of cyberattacks impacting industrial operations,” Manky says. Moving forward, organizations must take a risk-based approach that aligns security efforts with regulatory requirements while ensuring minimal disruption to operations. Implementing automated compliance monitoring and threat intelligence-sharing agreements can help streamline adherence to cybersecurity mandates while maintaining business continuity.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.