In its 2019 Cyber Threat Outlook, consulting company Booz Allen Hamilton dedicates a section of its report to cybersecurity challenges among U.S. water utilities, which it says have made them “The New Target of Cyber Attacks” by nation state threat actors.
The National Security Agency (NSA) has released a Cybersecurity Advisory providing updated guidance for addressing side-channel vulnerabilities that affect Intel, AMD, ARM, and IBM processors. Side-channel vulnerabilities exploit weaknesses in speculative execution to leak information, potentially allowing for account permission protocols, virtualization boundaries, and protected memory regions to be bypassed. Spectre and Meltdown, which were disclosed in January 2018, are an example of this kind of vulnerability.
January 31, 2019
The NCCIC has updated this advisory with information on how this vulnerability was discovered. NCCIC/ICS-CERT.
October 17, 2018
The NCCIC has published an advisory on use of hard-coded credentials, code injection, sql injection vulnerabilities in Schneider Electric EVLink Parking. Versions 3.2.0-12_v1 and prior are affected. Successful exploitation of these vulnerabilities could allow an attacker to stop the device and prevent charging, execute arbitrary commands, and access the web interface with full privileges. Schneider Electric recommends users setup a firewall to restrict remote access to the charging stations by unauthorized users.
The Australian Cyber Security Centre (ACSC) has just released a report of its technical findings and mitigation advice related to the extensive compromise of at least eight Australian web hosting providers, which it discovered through “Operation Manic Menagerie.” The compromises of these providers may have facilitated compromises of their customers’ websites. The goal of this campaign was financial gain: websites running on compromised servers were modified to insert advertising and to support search engine optimization for other websites.
The Center for Internet Security (CIS), which operates the Multi-State Information Sharing and Analysis Center (MS-ISAC), has launched a free assessment tool to enable security practitioners to track and prioritize their implementation of the CIS Controls. Results from the CIS Controls Self-Assessment Tool (CIS CSAT) can be exported per department or organizational unit, or enterprises can take a more holistic view of the entire organization’s security. With cross-mappings to additional security frameworks, users can also track alignment between other best practices and the CIS Controls.
The use of gift cards as a method of payment for imposter scams, like Business Email Compromise (BEC) is not new.
Wednesday, February 6, 2019; 1:00 – 2:00 p.m. ET; webinar
Friday, February 22, 2019; 1:00 – 2:00 p.m. ET; webinar
The NCCIC has published an advisory on an insufficiently protected credentials vulnerability in AVEVA Wonderware System Platform. Update 2 and prior are affected. This vulnerability could allow unauthorized access to the credentials for the ArchestrA Network User Account. AVEVA recommends users using Wonderware System Platform 2017 Update 2 and prior should upgrade to System Platform 2017 Update 3 as soon as possible. The NCCIC also advises on a series of mitigating measures for this vulnerability.
The NCCIC has published an advisory on an unrestricted upload of files with dangerous type vulnerability in Yokogawa License Manager Service. Numerous products and versions of these products are affected. Successful exploitation of this vulnerability could allow an attacker to remotely upload files, allowing execution of arbitrary code. Yokogawa recommends users of affected devices and versions update to the latest available release. The NCCIC also advises on a series of mitigating measures for this vulnerability.
1620 I Street, NW, Suite 500
Washington, DC 20006
1-866-H2O-ISAC (1-866-426-4722)
© 2025 WaterISAC. All Rights Reserved.
