You are here

Home

Cybersecurity

OT/ICS Security – Understanding, Differentiating, and Reporting OT Infrastructure Compromises

In the interest of incident reporting it is important to be able to identify and differentiate types of incidents being reported. It is also important to be able to understand the difference between an actual attack and an unintentional incident that may have attack-like consequences. Given cross-sector dependencies, some water and wastewater utilities closely track and apply NERC CIP regulations even though they aren’t required. NERC CIP 008-6 became mandatory on January 1, 2021 and requires bulk power system utilities to report attempts to compromise their infrastructure and operations.

OT/ICS Security – Consequence-driven Cyber-informed Engineering (CCE)

In another reference to WaterISAC's 15 Cybersecurity Fundamentals for Water and Wastewater Utilities, you may recall this topic being discussed at #6 Install Independent Cyber-Physical Safety Systems. Consequence-driven Cyber-informed Engineering (CCE) is an advanced topic for critical infrastructure organizations, but one that shouldn't be overlooked.

OT/ICS Security – Network Segmentation and Asset Management

As stated in #3 Minimize Control System Exposure in WaterISAC's 15 Cybersecurity Fundamentals for Water and Wastewater Utilities, critical infrastructure site assessments performed by CISA for the water and wastewater sector cite the most commonly identified network weakness is a lack of appropriate boundary protection controls. Furthermore, as Armis reminds, per NIST, network segmentation and segregation is one of the most effective architectural concepts that an organization can implement to protect ICS.

Happy Data Privacy Day, Alexa

Today, January 28, 2021 is Data Privacy Day. After this past year, we could all use some data privacy reminders as many of us have willingly acquiesced to greater contactless interactions, often at the detriment of privacy. From smart devices to consumer data, privacy settings and permissions, multifactor authentication, and encryption, there is room for everyone to improve data privacy hygiene.

Security Awareness – Quite Simply, We are ALL Targets and We ALL Fall Victim

If you are still trying to convince staff that EVERY one of us are susceptible to succumbing to a well-crafted socially-engineered cyber attack, then you’ll want them to read this post. The Google Threat Analysis Group (TAG) has identified a recent campaign targeting security researchers. The pretext of the attack involved engaging researchers to collaborate on vulnerability research. Vulnerability research is some of the most technical and complex work in the cybersecurity domain.

CISA Announces Reduce the Risk of Ransomware Campaign

Today the Cybersecurity and Infrastructure Security Agency (CISA) announced the Reduce the Risk of Ransomware Campaign, a focused, coordinated and sustained effort to encourage public and private sector organizations to implement best practices, tools and resources that can help them mitigate this cybersecurity risk and threat. “CISA is committed to working with organization at all levels to protect their networks from the threat of ransomware,” said CISA Acting Director Brandon Wales.

Security Awareness – Stolen Credentials from Xerox-themed Phishing Campaign Publicly Exposed

If your organization uses Xerox multifunctional devices (and even if it doesn’t) this incident may be of interest. It seems attackers inadvertently exposed more than 1,000 stolen corporate credentials obtained through a Xerox-themed phishing campaign. While 1,000 credentials may not seem significant, this incident represents a typical lure that staff are likely to fall for, especially if your organization uses Xerox devices.

Security Awareness – Do Three Words Pass the Crack?

PenTestPartners (PTP) is known for straightforward posts and practical analysis. This cyber hygiene article respectfully challenges some authoritative guidance (from the National Cyber Security Centre) – whether or not three random word passwords are strong enough. This is another good candidate for security awareness reminders on the importance of creating less crackable passwords.

Pages

Subscribe to Cybersecurity