Cybersecurity

IoT Privacy Awareness – Amazon Sidewalk Goes Live Today

Always-on IoT certainly has its benefits, but typically not without some risk. The key is to understand and weigh the risk versus reward, including whether each of those benefits is enabled or disabled by default. To that end, Amazon rolled out its Sidewalk feature today across supported Alexa and Ring devices and enabled it by default. Amazon Sidewalk uses Bluetooth Low Energy (BLE) to broadcast low-bandwidth wireless signals, potentially up to a half-mile away.

ICS Security and the Insider Threat – Misconfiguration Issues are a Threat to Safety

Misconfigurations of an IT system might shut systems down, misroute traffic, or bring communications to a halt. Those outcomes are frustrating and negatively impact the availability of data, but misconfigurations within OT/ICS networks have the potential to go beyond a little annoyance and inconvenience and could expose industrial operations to hazardous scenarios that threaten the safety of the system, the environment, or human life. Misconfigurations are caused by people, and people make unintentional mistakes.

Critical Infrastructure Still Under Fire – Two Passenger Transportation Entities Impacted by Cyber Attacks

In a seemingly ever-growing list of attacks on critical infrastructure, two major passenger transportation entities reported yesterday that they had fallen victim. The Steamship Authority, the largest ferry service to the Massachusetts Islands of Martha’s Vineyard and Nantucket from Cape Cod, reported that ransomware disrupted its services, causing delays and taking the web-based and phone-based reservation systems offline. According to a tweet by The Steamship Authority, there was no impact to the safety of vessel operations, as the issue did not affect radar or GPS functionality.

Cybersecurity Resilience – Protective DNS, a Consideration for Network Security

The Domain Name System (DNS) is the backbone of the internet and is what makes navigating to websites and sending emails seamless to humans. Unfortunately, like many internet protocols, DNS is also abused by threat actors – from exploiting user domain name typos to transmitting malicious data over what appears to be legitimate and expected DNS network traffic. The U.S. National Security Agency (NSA) Central Security Service has released an InfoSheet on adopting encrypted (protective) DNS in enterprise environments.

Managing OT Cyber Insurance

While cyber insurance has matured during the past few years, there are still many lesser-understood facets, especially OT needs and requirements. In a recent post, Verve Industrial poignantly states that even as threats to critical control systems grow exponentially, cyber insurance underwriters have been slow to update rating tables to incorporate growing cyber-physical risks. Organizations, likewise, often fail to adequately account for OT/ICS risks and basic controls in their overall assessment strategies.

New Ransomware has Unpatched Exchange Servers Seeing (Epsilon) Red

Another exploitation opportunity is taking advantage of still-unpatched on-premises Microsoft Exchange servers. Last week, Sophos discovered a new ransomware strain, calling itself Epsilon Red, that was observed targeting a U.S.-based company in the hospitality sector. According to Sophos, it isn’t clear whether the attack was enabled by the ProxyLogon exploit or another vulnerability, but it seems likely that the root cause was an unpatched server.

OT Compromises – AEIOU (Actors Exploiting Infrastructure Often Unsophisticated)

A recent threat research post by Mandiant Threat Intelligence highlights the increasing frequency of OT compromises by low-sophistication threat actors. The majority of these compromises occur due to insecure OT systems exposed to the internet. According to Mandiant’s report, the compromises appear to be driven by threat actors who are motivated to achieve ideological, egotistical, or financial objectives by taking advantage of an ample supply of internet-connected OT systems.

Basic (Cybersecurity) Doesn’t Mean Trivial, but it Does Mean Foundational

According to countless reports of risk assessments, vulnerability assessments, penetration tests, and disclosed incidents, organizations of all sizes and sectors are not doing well with basic cybersecurity. The reasons why (excuses) vary from entity to entity, but what shouldn’t be an excuse is cost. Cybersecurity doesn’t have to cost a lot of money. Granted, at some point you’ll want/need or have the budget for the next shiny thing, but that currently elusive shiny thing should not stop anyone from embracing a lot of the best practice guidance already out there – for no cost.
