A prior post, Aspiring to CIP Compliance for Water and Wastewater Utilities, included in the Security & Resilience Update for May 6, 2021, discussed the familiarity that many water and wastewater utilities have with NERC CIP and its benefits across all critical infrastructure.
In light of the current barrage of ransomware attacks, the following selections provide alternative (and agreeable) viewpoints and facts about ransomware and the fight we are all facing. From defenders, to policy makers, and cybersecurity advisors, we all have a role in combatting what has become a national security threat – and not compound the problem.
Some of the cybersecurity guidance – do this; don’t do that – may seem frustrating and even irritating to defenders at times. As organizations of all types and sizes are currently dealing with an unprecedented volume and frequency of ransomware attacks, much of “said” guidance is being repeated and amplified. Some pundits have rightfully chided that the guidance isn’t always helpful, practical, or even attainable for most organizations. However, perhaps one thing could arguably be an exception – asset management.
Testimony of Joseph Blount, President and Chief Executive Officer Colonial Pipeline Company
With ransomware having direct and indirect impact on OT environments and industrial operations in recent weeks, there has been no shortage of guidance and resources being posted. To that end, CISA and NIST independently published two resources on June 9, 2021 to help critical infrastructure asset owners and operators bolster their preparedness against this national crisis.
For those of us who still have not made time to delve into the data, details, and drollery that is the 2021 Verizon DBIR, our partners at Flashpoint have dared to dredge the delightful document. After diligent dissection, Flashpoint declares one theme jumps out: compromised credentials are an issue for organizations of all industries, regions, and sizes. Specifically, according to the 2021 DBIR, “We’ve said it before, and we’ll say it again—everyone loves credentials.
In the Security & Resilience Update for May 4, 2021, WaterISAC shared The Ghosts of COVID-Past – Cybersecurity Considerations for Returning to Workspaces as we begin taking up residence in our offices once again.
Always on IoT certainly has its benefits, but typically not without some risk. The key is to understand and weigh the risk versus reward, including the default (enabled or disabled) status of “said” benefits. To that end, Amazon rolled out its Sidewalk feature today across supported Alexa and Ring devices and enabled it by default. Amazon Sidewalk uses Bluetooth Low Energy (BLE) to broadcast low-bandwidth wireless signals, potentially up to a half-mile away.
Misconfigurations of an IT system might shut systems down, misroute traffic, or bring communications to a halt. Those outcomes are frustrating and negatively impact the availability of data, but misconfigurations within OT/ICS networks have the potential to go beyond a little annoyance and inconvenience and could expose industrial operations to hazardous scenarios that threaten the safety of the system, the environment, or human life. Misconfigurations are caused by people, and people make unintentional mistakes.
In July, the American Registry for Internet Numbers (ARIN) plans an unannounced thirty minute test of its Resource Public Key Infrastructure (RPKI). RPKI is a cryptographic framework designed to secure the Internet's routing infrastructure to protect against route hijacks and leaks, primarily for the Border Gateway Protocol (BGP).
1620 I Street, NW, Suite 500
Washington, DC 20006
1-866-H2O-ISAC (1-866-426-4722)
© 2025 WaterISAC. All Rights Reserved.
