Yesterday, CISA released the Software Bill of Materials (SBOM) Sharing Lifecycle Report to the cybersecurity and supply chain community.
WaterISAC continues to expand its list of Champions with Luminary Automation, Cybersecurity and Engineering, LLC (Luminary A.C.E.). Luminary A.C.E. is a certified minority-owned and veteran-owned cybersecurity consulting, technology, and engineering firm. They act as a vendor-neutral strategic partner for water and wastewater utilities by assessing, implementing, and managing OT infrastructure to increase operational resilience and cybersecurity readiness.
Help Net Security has written an article discussing the merits of wargaming to help build well-practiced data breach response processes. The author argues that drilling a wide variety of “what if” scenarios is an effective way for security teams to add new annexes to their existing incident response playbooks, as well as practice emergency communications in a risk-free environment.
While patching vulnerabilities is challenging for defenders, exploiting vulnerabilities left unpatched is not so challenging for threat actors.
The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:
ICS Vulnerability Advisories:
PasswordManager has written an article discussing a survey of 1000 U.S. workers the site conducted to better understand employee password hygiene after leaving their company. According to the report, 47 percent of respondents still used their employers’ passwords after leaving the company; 56 percent of which did so for their personal use.
Kaspersky’s SecureList has published a blog detailing an observed Nokoyawa ransomware attack utilizing a previously unknown Microsoft vulnerability. While the use of zero-days is mostly associated with nation-state threat groups, the actors behind Nokoyawa ransomware are known for their technical sophistication and tendency to utilize exploits targeting the Common Log File System, of which the zero day was associated with.
WaterISAC convened a special web briefing on April 12. Nushat Thomas, the cybersecurity branch chief at EPA's Water Infrastructure and Cyber Resilience Division (WICRD), presented.
Agenda - What You Need to Know: EPA’s New Operational Technology Cybersecurity Requirement to Help PWSs
In addition to the recording and presentation, WaterISAC provided information on upcoming events and opportunities.
Throughout 2020, multiple attacks occurred against Israeli water infrastructure including what was believed to be large-scale cyber intrusion attempts at wastewater treatment plants, water pumping stations, sewers, and agricultural water pumps.
The Cybersecurity and Infrastructure Security Agency (CISA) has published the following ICS vulnerability advisories, as well as alerts, updates, and bulletins:
ICS Vulnerability Advisories:
Alerts, Updates, and Bulletins:
1620 I Street, NW, Suite 500
Washington, DC 20006
1-866-H2O-ISAC (1-866-426-4722)
© 2025 WaterISAC. All Rights Reserved.
