Pardon the lack of fanfare that this report deserves, but this serves as an FYI that arguably the most heralded cybersecurity industry report, the Verizon Data Breach Investigation Report, affectionately known as the “DBIR,” was released this morning. According to Verizon, the Verizon Business 2021 Data Breach Investigations Report (2021 DBIR) examines more breaches than ever before. Some of the high-level findings include:
Ransomware attacks have ubiquitous relevance for all organizations, regardless of targeting set/victimology or targeted system (IT or OT) of the attributed ransomware group/family for any given incident. For every cyber threat group that claims they don’t target particular sectors or types of organizations, there are many more groups that do not espouse similar tenets. For example, while Darkside proclaims to only support targeting high-value victims capable of paying outrageous demands, many other ransomware groups are indiscriminate and opportunistic and project no such illusion.
Given cross-sector dependencies with electric utilities, many water and wastewater utilities are familiar with the North American Electric Reliability Corporation (NERC) and its Critical Infrastructure Protection (CIP) Reliability Standards. Some larger and more resourced water and wastewater utilities reference NERC CIP standards as they are applicable to many cybersecurity practices.
In 2004, Bill Gates prematurely postulated that passwords were dead. According to a recent DarkReading post, in 2005 security expert Mark Burnett wrote a book called Perfect Passwords, in which he floated the idea of dedicating one day in the calendar each year when everybody should change their passwords. Here we are in 2021 and passwords are still pertinent today and for the projected future.
In a heroic feat to maintain operations at a record-setting pace, countless IT and security teams rushed to provide accommodations for a new remote workforce leaving the office behind over one year ago. As we begin inhabiting those abandoned buildings there are bound to be some ghosts lurking around the office due to unintentional oversights when we left. If IT and security staff haven’t been on the premises during the past year, now is a good time to exorcise those ghosts before the masses return.
On Tuesday, administration of the “.gov” top-level domain (TLD) was officially transferred to CISA. Organizations that qualify as a government entity but do not currently use a .gov TLD can be confusing to the public as to whether the website is legitimate. Reasons vary for why some government entities do not use a .gov. Often that reason is due to the cost of registering and maintaining .gov, especially for small municipalities.
The uninstall code planted by the German Bundeskriminalamt (BKA) federal police agency instructing Emotet to uninstall from roughly one million remaining infected systems executed on Sunday. This action cleans up the Windows registry key that enabled the Emotet modules to run automatically and stops and deletes associated services, but does not remove other files, nor does it erase additional malware that might have been installed through the botnet.
It is certainly not impossible to maintain an air gapped control system network, but all too often risk assessments and penetration tests reveal they are a dying breed. Likewise, numerous case studies and research into ICS-focused adversaries reveal many threat groups leveraging IT exploits to traverse into the OT network. Both scenarios confirm the fact that OT and IT cybersecurity need each other for a holistic security posture.
On Tuesday, Siemens released five advisories related to vulnerabilities in its products used in industrial environments regarding the NAME:WRECK vulnerability disclosed by Forescout that same day.
1620 I Street, NW, Suite 500
Washington, DC 20006
1-866-H2O-ISAC (1-866-426-4722)
© 2025 WaterISAC. All Rights Reserved.
