Yesterday, CISA released their “Cybersecurity Performance Goals Adoption Report”, highlighting the benefits that the Cybersecurity Performance Goals (CPGs) have incurred on U.S. critical infrastructure. The CPGs are based on 7,791 critical infrastructure organizations enrolled in CISA’s Vulnerability Scanning service between August 1, 2022 and August 31, 2024.
Yesterday, CISA, along with11 domestic and international partners, including the European Commission, released the joint guidance “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products”. The guide outlines how owners and operators should incorporate security measures into their procurement processes when acquiring industrial automation, control systems, and other OT products. The agencies urge organizations to focus on products that include 12 key security elements.
The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS security advisories, along with additional alerts, updates, and bulletins:
ICS Advisories:
The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS security advisories, along with additional alerts, updates, and bulletins:
ICS Advisories:
Additional Alerts, Updates, and Bulletins
The following posts are useful for general awareness of current cyber threats, vulnerabilities, guidance, and other cyber-related news or updates. These resources have been curated by the WaterISAC analyst team as items of broad relevance and benefit that do not need supplemental analysis at this time.
Critical Infrastructure Resilience
In a recent blog post, Nitin Natarajan, Deputy Director at CISA, highlighted the threat to U.S. critical infrastructure by nation-state and cybercriminal organizations around the globe. The world has witnessed increasingly frequent attacks against small and medium sized businesses, including K-12 schools, water utilities, and healthcare organizations over the last several years. Natarajan notes that these specific sectors are at elevated risk as they are generally seen as highly profitable “target-rich, cyber poor” organizations.
This week, the White House launched the U.S. Cyber Trust Mark, an initiative allowing consumers of internet-connected devices to verify if these devices are secure. The FCC decided in a bipartisan and unanimous vote to authorize the U.S. Cyber Trust Mark and adopt final rules for the official label that will be applied to certified products.
Yesterday, Ivanti released security updates for two vulnerabilities affecting multiple products, including Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for Zero Trust Access (ZTA) gateway.
The extent of the Salt Typhoon Campaign targeting telecommunications continues to unfold as additional communications companies have been allegedly breached. Charter Communications, Consolidated Communications, and Windstream have all been reportedly breached by the Chinese attackers. Ann Neuberger, White House deputy national security adviser for cyber and emerging technologies, said that nine U.S.
Over the weekend, industrial networking communications provider Moxa sent a security advisory warning of two high-severity vulnerabilities that impact various models of its cellular routers, secure routers, and network security appliances.
1620 I Street, NW, Suite 500
Washington, DC 20006
1-866-H2O-ISAC (1-866-426-4722)
© 2025 WaterISAC. All Rights Reserved.
