Vendors, contractors, consultants, and integrators are vital parts of the supply chain. These relationships must be assessed and better managed for the risks they pose to the overall risk profile of an organization. Yet many organizations fail to adequately manage the risk posed from these trusted third party relationships.
CISA has published an advisory on an inadequate encryption strength vulnerability in Emerson OpenEnterprise. All versions through 3.3.5 are affected. Successful exploitation of this vulnerability could allow an attacker access to credentials held by OpenEnterprise used for accessing field devices and external systems. Emerson recommends all users upgrade to OpenEnterprise 3.3, Service Pack 6 (3.3.6), to resolve this issue. CISA also recommends a series of measures to mitigate the vulnerability.
CISA has published an advisory on a path traversal vulnerability in Advantech iView. iView Versions 5.7 and prior are affected. Successful exploitation of this vulnerability could allow an attacker to read/modify information, execute arbitrary code, limit system availability, and/or crash the application. Advantech has released Version 5.7.02 of iView to address the reported vulnerability. CISA also CISA also recommends a series of measures to mitigate the vulnerability.
The Avaddon ransomware operators claimed to have breached and leaked stolen data from a concrete formwork construction company involved in water infrastructure projects, including water treatment plants and reservoirs. Through information provided by a trusted third party, WaterISAC is aware that Avaddon is claiming on its darkweb site to have leaked 25% of the data reportedly stolen from EFCO (www[.]efcoforms[.]com). Avaddon is a relatively new ransomware-as-a-service (RaaS) malware and has recently jumped on the data breach bandwagon.
Brian Harrell, the Assistant Secretary of Infrastructure Protection at DHS CISA, has submitted his resignation to the President. The former director of Electricity ISAC, Harrel joined the agency in 2018, where he oversaw the transition of multiple critical infrastructure protection services provided by DHS underneath the umbrella of the Cybersecurity and Infrastructure Security Agency after the signing of the CISA Act. In his resignation letter, Harrell praised the agency’s work providing assistance to the private sector during multiple incidents, including the COVID-19 pandemic.
On Monday, the Cybersecurity and Infrastructure Security Agency (CISA) released its strategy to ensure the security and resilience of fifth generation (5G) technology in the United States. According to the release, CISA’s 5G Strategy seeks to advance the development and deployment of a secure and resilient 5G infrastructure, one that promotes national security, data integrity, technological innovation, and economic opportunity for the United States and its allied partners.
The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security (DHS) and operated by MITRE, has released the 2020 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. The Top 25 uses data from the National Vulnerability Database (NVD) to compile the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.
August 20, 2020
CISA has updated this advisory with additional information on mitigation measures. Read the advisory at CISA.
August 4, 2020
CISA has updated this advisory with additional information on mitigation measures. Read the advisory at CISA.
July 21, 2020
Researchers from the University of California have announced the discovery of a method to spoof solar inverters, which are a critical part of the solar electrical generation process. This technique depends on exploiting electromagnetic sensors that are based upon older, less secure technologies and that are often used in commercial solar inverters. The attack requires a device, smaller than a coffee cup, to be placed within range of the inverter, which then can be activated remotely to cause surges in the attached grid.
1620 I Street, NW, Suite 500
Washington, DC 20006
1-866-H2O-ISAC (1-866-426-4722)
© 2025 WaterISAC. All Rights Reserved.
