New Urgent Guidance for Securing Operational Technology

May 8, 2025 

Privacy Plus+ 

Privacy, Technology and Perspective 

This week, the Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, EPA, and DOE, issued an urgent advisory titled "Primary Mitigations to Reduce Cyber Threats to Operational Technology." This advisory represents the latest in a series of increasingly urgent warnings about threats to operational technology (OT) and industrial control systems (ICS) within America's critical infrastructure.

What Is Operational Technology and Why Does It Matter?

Operational technology refers to hardware and software that monitor and control physical devices, processes, and events in industrial and infrastructure environments. Unlike information technology (IT) systems that manage data, OT systems control physical operations – everything from water treatment plants and electrical grids to manufacturing facilities and transportation systems.

The convergence of OT with internet-connected systems has created significant security vulnerabilities, which threat actors are actively exploiting. Attacks on OT systems can disrupt essential services, cause equipment damage, environmental harm, and even threaten human safety. Examples include recent events in Texas, where hackers accessed the water system's control interfaces and caused water tanks to overflow. You can read more about that incident by clicking on the following article published in the Texas Tribune:

https://www.texastribune.org/2024/04/19/texas-cyberattacks-russia/

The most recent edition of Nicole Perlroth’s excellent podcast, “To Catch a Thief: China’s Rise to Cyber Supremacy,” also addresses the issue, and you can listen to that podcast by clicking on the following link:

https://podcasts.apple.com/us/podcast/to-catch-a-thief-chinas-rise-to-cyber-supremacy/id1798267956?i=1000706331283

In short, incidents like these highlight how cyber threats to OT systems hit close to home, and can have immediate physical consequences that affect public safety and essential services.

The CISA Advisory: Key Recommendations

CISA's latest guidance focuses on five primary mitigations that critical infrastructure owners and operators should implement immediately:

  1. Remove OT connections from the public internet: The advisory emphasizes that internet-connected OT devices are easy targets, often lacking robust authentication and authorization methods. Threat actors actively search for these exposed systems using widely available scanning tools.

  2. Change default passwords and implement strong authentication: Many compromised systems use default or easily guessable passwords. This basic security measure is especially crucial for devices controlling OT systems.

  3. Secure remote access to OT networks: If remote access is necessary, CISA recommends upgrading to private IP network connections, implementing VPN functionality with strong passwords, and requiring phishing-resistant multifactor authentication.

  4. Segment IT and OT networks: Proper network segmentation reduces the potential impact of cyber threats and minimizes disruption risks to essential OT operations.

  5. Maintain manual operation capabilities: Organizations should maintain and regularly test their ability to operate critical systems manually in case of a cyber incident.

Our Thoughts

This advisory doesn't exist in isolation. It builds upon CISA's ongoing efforts to improve critical infrastructure cybersecurity amid escalating threats. In October 2024, CISA and international partners released the "Principles of Operational Technology Cyber Security" guide, which established foundational security principles for OT environments. The full report can be found on the Australian Government Signals Directorate website, and is available by clicking on the following link:

https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/critical-infrastructure/principles-operational-technology-cybersecurity

The timing and urgency of this latest advisory suggest that CISA and its partner agencies are responding to specific intelligence about active threats to OT systems. While the advisory doesn't name specific threat actors, it emphasizes that these attacks use "simple, repeatable, and scalable toolsets available to anyone with an internet browser." We note, with interest, that the CISA email conveying the advisory specifically notes threats posed by “unsophisticated cyber actor(s) targeting ICS/SCADA systems within U.S. critical Infrastructure sectors (Oil and Natural Gas).”

Organizations that operate critical infrastructure should treat this advisory as a top priority. A link to the advisory fact sheet follows:

https://www.cisa.gov/resources-tools/resources/primary-mitigations-reduce-cyber-threats-operational-technology

--- 

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
