The Cybersecurity & Infrastructure Security Agency (CISA) — in partnership with the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the Department of Energy (DOE) — has issued a warning about cyberattacks targeting the nation’s critical oil and natural gas infrastructure. 

According to the warning, these attacks are focusing on the operational technology (OT) and industrial control systems (ICS) of these critical infrastructure entities. CISA urges organizations to evaluate and bolster their cybersecurity posture against threat actors targeting OT and ICS. 

Key recommendations include: 

• Disconnect OT connections from the public internet. 
• Upgrade current passwords to stronger, more unique passwords. 
• Secure OT network remote access. 
• Segment OT and IT networks.

Security Leaders Weigh In 

Thomas Richards, Infrastructure Security Practice Director at Black Duck:

These alerts are very serious and come from observed actions by these malicious actors who are compromising critical systems. The motivation of the malicious actors is irrelevant, if an organization’s exposed sensitive systems are exposed to the internet with no security hardening, they are at risk of a compromise. Many times, these systems are provided internet access for remote connectivity from support teams and vendors, but this creates a major security risk without restricting who can access it and adding proper authentication controls. Organizations in this space should conduct a complete review of their external attack surface and identify insecure devices that are exposed. Once these devices are identified, controls should be put in place to prevent unauthorized access.  

This issue also shows that these organizations don’t have proper cybersecurity governance or reviews put in place to prevent default passwords from being in use or prevent administrative interfaces from being exposed to the entire internet. As every business is a software business, these organizations should look at industry standard frameworks for cyber security controls and implement a strict review process before any new technology is deployed or firewall change is made to be sure they are not introducing more risk to the organization and systems.

Trey Ford, Chief Information Security Officer at Bugcrowd:

I read this joint alert from CISA, FBI, EPA and the DOE from two perspectives:

1. The ICS/SCADA community is, by definition, critical infrastructure, and regularly receive alerts on highly sophisticated and nation state activity targeting their sector. Why should this alert, tied to unsophisticated groups and activists, activate a response for folks facing capable and well-funded attackers?
2. The fact that CISA has a need to report on the activities of an unsophisticated threat activity is noteworthy. Their issuing an intelligence product focusing on hygienic cybersecurity foundations like this is a reminder: all security programs are on a journey, and failure in these seemingly obvious controls leads to certain failure and compromise.

I also dream of a day where OT technologies can be safely (whether willfully or accidentally) exposed to the internet with resilience and confidence.

Dave Gerry, CEO at Bugcrowd:

This alert ties back into the broader theme that AI is enabling less sophisticated threat actors to operate in a more sophisticated fashion. For years, critical infrastructure has been viewed as a ‘top target’ for threat actors — across hacktivist, cybercriminal gangs, and nation-state actors.

Nathaniel Jones, Vice President of Threat Research at Darktrace:

Impact to Critical National Infrastructure (CNI) is a continued and growing concern with the applications of AI-based capabilities for both offensive and defensive teams. Over the past year, the Darktrace Threat Research Team has observed a substantial, global increase in sophisticated threat actors targeting organizations within designated CNI. This trend is informed both by the heightened warnings from national intelligence agencies, as well as an overall focus of threat analysis on activity identified within customers in these industries. The targeting of CNI entities, and the subsequent operations following access, suggest threat actors may be building strategic pathways to yield geopolitical leverage in the event of conflict.

As OT becomes more integrated with IT systems, it presents more opportunities for attackers. OT security is strongest when supported by robust IT security, requiring coordination between IT and OT teams to defend the entire network. By adopting good cyber hygiene, proactively securing your digital estate, and addressing any vulnerabilities before they can be exploited, organizations will be much better equipped to defend their networks against increasingly opportunistic threat actors.

Derek Manky, Chief Security Strategist & Global Vice President of Threat Intelligence with Fortinet’s FortiGuard Labs:

OT cyber threats have evolved dramatically as attackers increasingly target industrial environments with more sophisticated techniques. In fact, the latest Global Threat Landscape Report from Fortinet’s FortiGuard Labs found that the OT sector remains one of top targets for attackers, with industrial organizations experiencing almost half (44%) of the ransomware and wiper activity during that timeframe. The rise of Crime-as-a-Service (CaaS) has made it easier for adversaries to launch attacks, providing them with ready-made tools to breach critical infrastructure. Additionally, state-sponsored actors and financially motivated cybercriminals are focusing on disrupting industrial operations, often leveraging ransomware and advanced persistent threats (APTs). 

One of the most significant shifts has been the increasing convergence of IT and OT environments, which expands the attack surface and makes traditional security measures insufficient. Threat actors are capitalizing on this shift by leveraging new attack methods that were previously impractical to use against air gapped OT systems and employing reconnaissance-as-a-service to map out OT networks before deploying malicious payloads. 

The future of OT security will be driven by technologies that enable faster detection, response, and adaptation to evolving threats. Key trends include: 

• AI-driven threat detection that continuously learns and adapts to new attack patterns. 
• Automated security orchestration (SOAR) to streamline incident response and reduce manual workload. 
• Continuous Threat Exposure Management (CTEM) to identify and mitigate risks before they become exploitable. 
• Industry-wide intelligence sharing initiatives, such as MITRE ATT&CK for ICS, to improve collective defense strategies. 
• Zero Trust security frameworks tailored for OT environments, ensuring strict access controls and network segmentation. 

By adopting these technologies, organizations can move from a reactive to a proactive security posture, significantly reducing the risk of cyberattacks impacting industrial operations.