Cybersecurity

Executive Order 14028, Improving the Nation’s Cybersecurity in Small Manageable Chunks

Much has been said about the new Executive Order (EO 14028), Improving the Nation’s Cybersecurity, released earlier this month (covered in the Security & Resilience Update for May 13, 2021). And if you have had time to read the EO, then feel free to move to the next write-up. However, those of us who haven’t reviewed it and what it could mean beyond federal networks, may find a series by aDolus Inc.

Cybersecurity Resilience – Security Audits

We all dread them; we all need them – security audits. They can take multiple forms, but without security audits we are unable to measure cybersecurity improvements and many deficiencies may never be brought to light. Security audits involve evaluating or analyzing people, processes, and technology surrounding the security aspects of an organization. Likewise, as organizational networks and cyber threats are constantly changing, security audits should be performed regularly to assess if current controls and processes sufficiently reduce risk against the ever-changing threat landscape.

IT Security Configuration - Active Directory

If your utility uses Microsoft Windows in a networked environment, there’s a near 100% chance you use Active Directory (AD) to centrally administer domains, machines, users, and groups. And like many legitimate tools, if not securely configured, it can be a threat actor’s dream for gaining a foothold and hiding in plain sight within your environment. Using AD tactics is nothing new for threat actors, but two recent very large-scale compromises – SolarWinds and Microsoft Exchange – emphasize the importance of securing AD. When was the last time you reviewed your AD configurations?

Verizon’s 2021 Data Breach Investigations Report (2021 DBIR)

Pardon the lack of fanfare that this report deserves, but this serves as an FYI that arguably the most heralded cybersecurity industry report, the Verizon Data Breach Investigations Report, affectionately known as the “DBIR,” was released this morning. According to Verizon, the Verizon Business 2021 Data Breach Investigations Report (2021 DBIR) examines more breaches than ever before. Some of the high-level findings include:

Why IT-Based Ransomware Matters for ICS Operations – Colonial Pipeline Ransomware Attack

Ransomware attacks have ubiquitous relevance for all organizations, regardless of targeting set/victimology or targeted system (IT or OT) of the attributed ransomware group/family for any given incident. For every cyber threat group that claims they don’t target particular sectors or types of organizations, there are many more groups that do not espouse similar tenets. For example, while Darkside proclaims to only support targeting high-value victims capable of paying outrageous demands, many other ransomware groups are indiscriminate and opportunistic and project no such illusion.

Aspiring to CIP Compliance for Water and Wastewater Utilities, Even Though You Don’t Have To

Given cross-sector dependencies with electric utilities, many water and wastewater utilities are familiar with the North American Electric Reliability Corporation (NERC) and its Critical Infrastructure Protection (CIP) Reliability Standards. Some larger and more resourced water and wastewater utilities reference NERC CIP standards as they are applicable to many cybersecurity practices.
