All news with #critical infrastructure tag

🛡️ CISA has published seven new Industrial Control Systems advisories detailing vulnerabilities and guidance for affected products. The advisories cover Güralp Systems, Johnson Controls, Hitachi Energy, Mitsubishi Electric, and Fuji Electric, including updates to previously released notices. Administrators are urged to review technical details, apply vendor mitigations, and implement compensating controls to reduce operational risk.

🔒 CISA warns that multiple vulnerabilities in Johnson Controls PowerG implementations could let attackers read, modify, or replay encrypted wireless traffic. Affected devices include IQPanel 4, legacy IQPanel 2/2+, and IQHub with referenced CVEs CVE-2025-61738, CVE-2025-61739, CVE-2025-26379, and CVE-2025-61740. Vendor fixes (IQPanel 4.6.1, PowerG v53.05+) and secure enrollment practices are recommended, and end-of-life hardware should be replaced.

🔐 Amazon Threat Intelligence details a multi-year, state-sponsored Russian campaign—assessed as GRU-linked—that targeted Western critical infrastructure, especially the energy sector, from 2021 through 2025. The actor shifted from exploiting N-day/zero-day flaws to abusing misconfigured customer network edge devices (including EC2-hosted appliances) to intercept credentials and gain persistent access. Amazon observed packet-capture based credential harvesting and subsequent credential replay attempts, with infrastructure overlaps linked to clusters tracked as Curly COMrades and Sandworm. Recommended mitigations include auditing edge devices, enforcing strong authentication, monitoring for credential replay, and applying AWS-specific controls.

🛳️ A single vessel carrying orange juice concentrate illustrates systemic risk at US ports: one weekly ship supplies millions and a localized outage would ripple across supply chains. Recent policy gaps — a furlough of CISA/FEMA staff and the lapse of the Cybersecurity Information Sharing Act — increase exposure, while nation-state malware is reportedly pre-positioned. New Title 33 CFR mandates and scarce maritime cybersecurity talent create urgent operational shortfalls; facilities must prioritize practical resilience testing, penetration tests, and cross-sector collaboration.

⚠️ The Black Hat Europe 2025 talk by Gjoko Krstic of Zero Science Lab revealed that a widely deployed building management system, evolved through multiple acquisitions, now exposes over 1,000 buildings on public IPs and contains numerous long-standing vulnerabilities. Many issues trace back to an 18-year-old firmware codebase and to fixes that patched symptoms rather than root causes. The vendor recommends securing the platform behind a VPN; organizations should audit, patch and restrict access immediately.

🔒 Johnson Controls disclosed two OS command injection vulnerabilities (CVE-2025-43873, CVE-2025-43874) affecting multiple iSTAR Ultra, iSTAR Ultra G2, and iSTAR Edge G2 door controller firmware versions. Successful exploitation could allow remote attackers to execute OS commands, modify firmware, and gain full device control. Both issues are rated high severity (CVSS v3.1 8.8; CVSS v4 8.7) and are exploitable with low attack complexity. Users are advised to apply vendor firmware updates and reduce network exposure immediately.

🔒 Siemens Energy Services Elspec G5 devices (firmware up to 1.2.2.19) contain an authentication bypass that lets an attacker with physical access reset the Admin password by inserting a USB drive with a documented reset string. The flaw is tracked as CVE-2025-59392 (CVSS v4: 7.0; CVSS v3.1: 6.8) and is not remotely exploitable. Siemens recommends updating to V1.2.3.13 or later and following operational security guidance.

🔒 Johnson Controls disclosed two command-injection vulnerabilities in its iSTAR series (CVE-2025-43875, CVE-2025-43876). Both are classified as CWE-78 and carry high severity (CVSS v3.1 8.8; CVSS v4 8.7), exploitable remotely with low complexity. Johnson Controls and CISA advise upgrading affected devices to the fixed firmware and applying network isolation and secure remote-access controls.

🛡️ CISA released Cross-Sector Cybersecurity Performance Goals (CPG 2.0) providing measurable actions for critical infrastructure owners and operators to achieve a foundational cybersecurity baseline. The update aligns with the latest NIST Cybersecurity Framework revisions and incorporates lessons learned from recent incidents and threats. CPG 2.0 introduces a governance-focused component that emphasizes accountability, risk management, and the integration of cybersecurity into day-to-day operations. The goals are streamlined and outcome-driven to guide investment, benchmark progress, and reduce risk in measurable ways.

⚠ OpenPLC_V3 contains a Cross‑Site Request Forgery (CSRF) vulnerability that can be exploited remotely to modify PLC settings or upload malicious programs. Tracked as CVE-2025-13970, the issue affects versions prior to pull request #310 and results from missing CSRF validation. A CVSS v4 score of 7.0 (and v3 base 8.0) was calculated. Apply pull request #310 or later to mitigate this risk and limit network exposure of control devices.

🔔 CISA released 12 Industrial Control Systems (ICS) advisories detailing vulnerabilities and mitigation guidance across multiple vendors, including Johnson Controls, Siemens, and AzeoTech. The notices call out specific products such as iSTAR, SINEMA Remote Connect Server, and DAQFactory, plus open-source and medical-imaging components. Administrators and operators are encouraged to review the technical details and apply recommended mitigations to reduce exploitation risk.

🚨 A joint advisory from CISA, the FBI, the NSA and partners warns of a surge in pro‑Russia hacktivist activity exploiting exposed VNC and other internet-facing OT interfaces to breach systems across US water, food production and energy sectors. Low-skilled groups such as CARR, NoName057(16), Z-Pentest and Sector16 employ port scans, brute-force password guessing and simple reconnaissance tools to capture screenshots, alter parameters, disable alarms and force costly manual recoveries.

🔒 U.S. prosecutors arraigned 33-year-old Victoria Dubranova, accusing her of supporting Russian state-linked hacktivist groups in cyberattacks against critical infrastructure, including water systems and election-related targets. Dubranova, known by aliases such as Vika and SovaSonya, was extradited this year and has pleaded not guilty to charges tied to NoName057(16) and CyberArmyofRussia_Reborn (CARR). She faces separate trials in February and April 2026 and potential sentences of up to 27 years and 5 years under the respective indictments.

⚠️ This joint advisory from CISA, FBI, NSA, and international partners details opportunistic intrusions by pro‑Russia hacktivist groups—CARR, NoName057(16), Z‑Pentest, and Sector16—against OT/ICS environments. Actors are exploiting internet‑exposed VNC services, using open‑source scanning and brute‑force tools to access HMI devices with default or weak credentials, causing loss of view, configuration changes, and operational downtime. The advisory urges organizations to reduce public exposure, apply network segmentation, enforce strong authentication (MFA where feasible), harden device credentials, and follow secure‑by‑design guidance for OT products.

🚨 CISA, the FBI, NSA, DOE, EPA, DOD’s DC3, and international partners issued a joint advisory alerting operators that pro‑Russia hacktivist groups are conducting opportunistic, low‑sophistication attacks against U.S. and global critical infrastructure. These actors exploit internet‑facing OT components (notably VNC and SCADA) and sometimes combine intrusions with DDoS. The advisory urges immediate mitigations: reduce OT exposure, improve asset management, and enforce robust authentication.

🔒CISA, alongside the FBI, NSA, DOE, EPA, the Department of Defense Cyber Crime Center, and international partners, published a joint advisory describing opportunistic pro-Russia hacktivist activity targeting operational technology (OT) systems. These groups exploit minimally secured, internet-facing VNC connections to access OT control devices and have caused varying impacts, including physical damage. Named actors include Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), and Sector16. The advisory recommends reducing internet exposure of OT assets, adopting mature asset-management and mapping practices, and enforcing robust authentication.

🔒 A new Check Point brief warns that cyber attacks against the U.S. have evolved into coordinated geopolitical tools employed by states, criminal networks, and ideological groups. These operations now aim to influence policy, erode public trust, and target critical infrastructure rather than being mere technical intrusions. The report urges leaders to prioritize resilience, improve cross-sector coordination, and strengthen information-sharing and recovery capabilities.

🔐 Vaillant CISO Christoph Reiß says rising geopolitical tensions and the professionalization of cybercrime — amplified by accessible AI tools — are elevating the threat to the heating and energy sector. Vaillant relies on a holistic, multilayered security strategy that combines preventative and reactive measures and protects IT, production, and customer products. Employee-focused training, from gamification to practical compliance, is central, and Reiß highlights regulatory complexity (e.g., NIS2, DORA, Cyber Resilience Act) while urging organizations to start, don’t wait on pragmatic implementation.

🔐 The SANS State of ICS/OT Security 2025 report, sponsored by Fortinet, highlights persistent operational risks across critical infrastructure, with high incident rates, extended remediation times, and remote-access exposures. It calls for treating mean time to recovery (MTTR) as a board-level metric, unifying IT/OT visibility, and automating response playbooks. The analysis urges replacing ad hoc remote connectivity with secure, monitored access and integrating OT-specific threat intelligence into enforcement; FortiPAM and FortiGuard AI-Powered Security Services are cited as solutions to improve segmentation, detection, and recovery.

🔒 The Louvre has issued a €57m public tender to overhaul its safety and security infrastructure after an October break-in at the Apollo Gallery that led to the theft of the Crown Jewels valued at €88m. The procurement seeks a new digital safety management system, consolidated IT and physical security monitoring, a central VMS/CCTV upgrade, ANSSI‑vetted access controls, and revamped IDS and artwork proximity sensors. All solutions must be interoperable, scalable and open to avoid vendor lock-in. Companies have until December 10 to apply.