Critical Oil and Gas Sectors Actively Targeted by Unsophisticated Threat Actors CISA Warns

CISA yesterday warned critical infrastructure organizations of “unsophisticated” threat actors actively targeting the U.S. oil and natural gas sectors.
CISA is increasingly aware of unsophisticated cyber actor(s) targeting ICS/SCADA systems within U.S. critical infrastructure sectors (Oil and Natural Gas), specifically in Energy and Transportation Systems. Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate these threats, leading to significant consequences such as defacement, configuration changes, operational disruptions and, in severe cases, physical damage.
Ensar Seker, CISO at SOCRadar, had this comment:
“CISA’s warning about unsophisticated actors targeting ICS and OT systems in the oil and natural gas sectors should not be underestimated. The level of technical sophistication doesn’t always correlate with the level of impact, especially when it comes to operational technology. In many cases, even basic scanning tools, default credentials, or exposed interfaces can lead to catastrophic outcomes when ICS and SCADA environments are not properly segmented or monitored.”
“What makes this alarming is the growing accessibility of industrial-specific exploits and open-source ICS scanning tools, which are now circulating not only in underground forums, but even in open GitHub repositories. This lowers the barrier to entry for less capable threat actors, including ideologically driven groups or lone wolves, with potentially disproportionate physical effects, such as fuel distribution disruptions or pipeline shutdowns.”
“The real issue here isn’t just threat actor sophistication, it’s systemic exposure. Many ICS environments were designed decades ago, without cybersecurity in mind, and continue to rely on legacy protocols like Modbus and DNP3 with little to no authentication, encryption, or tamper detection.”
“This isn’t just about defending against advanced persistent threats. It’s about recognizing that even a simple script, when aimed at an unprotected valve, sensor, or controller, can have very real-world consequences.”
“CISA’s alert is yet another signal that the line between cyber and physical security has dissolved. It’s time for energy and transportation operators to treat every node on their ICS networks as a critical attack surface regardless of how sophisticated the attacker may seem.”
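Because Modbus/TCP carries no authentication, the control Seker describes has to live in the monitoring layer rather than in the protocol. The Python below is an added example (not from the page or from any vendor quoted here): it parses the MBAP header of constructed Modbus/TCP frames and raises an alert for any write function code sent by a host that is not on an assumed allowlist of engineering stations, plus any malformed frame.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change state on the device (writes).
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function: int

def parse_mbap(src, frame):
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the function code."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("not Modbus (protocol id must be 0)")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame")
    return ModbusRequest(src, tid, unit, frame[7])

def flag_unauthorized_writes(frames, allowed_writers):
    """Return alert strings for writes from hosts outside the allowlist."""
    alerts = []
    for src, frame in frames:
        try:
            req = parse_mbap(src, frame)
        except ValueError as exc:
            alerts.append(f"{src}: malformed frame ({exc})")
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src}: {WRITE_FUNCTIONS[req.function]} "
                          f"(fc 0x{req.function:02x}) to unit {req.unit_id}")
    return alerts

# Constructed sample traffic (not a real capture): an HMI and an unknown host talking to a PLC.
SAMPLE_FRAMES = [
    ("10.0.1.10", bytes.fromhex("000100000006010300000001")),  # HMI reads holding register 0
    ("10.0.1.10", bytes.fromhex("000200000006010600010001")),  # HMI writes register 1 (allowed)
    ("10.0.9.77", bytes.fromhex("00030000000601050000ff00")),  # unknown host forces coil 0 ON
    ("10.0.9.77", bytes.fromhex("0004000000")),                 # truncated frame
]
ALLOWED_WRITERS = {"10.0.1.10"}   # assumed engineering-station allowlist

if __name__ == "__main__":
    for alert in flag_unauthorized_writes(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print("ALERT", alert)
```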
James McQuiggan, Security Awareness Advocate at KnowBe4:
“Critical infrastructure must move from “if” to “when” thinking. Eight years after NotPetya disrupted global operations, we’re still seeing attackers rely on tactics that should no longer be effective, yet they are. That clearly indicates that many critical infrastructure organizations haven’t hardened their defenses fast enough.”
“These attacks aren’t carried out by sophisticated state actors. They’re using well-known techniques like stolen credentials, unpatched vulnerabilities, and remote access misconfigurations, all items blue teams should be able to stop. Too many organizations operate under the assumption that they won’t be targeted, or that their OT environments are “isolated enough.” That’s the same logic as leaving your front door unlocked because no one’s robbed your neighbors yet.”
“If you can’t see your attack surface, you can’t secure it. Organizations should run tabletop exercises specific to OT scenarios. Include ransomware in your simulations and work to identify single points of failure before attackers do.”
“Leaders, including boards and the C-suite, must stop treating cybersecurity as an IT line item, as this is an operational risk. And in many cases, it’s a matter of national security. We’re not in the “what if” phase anymore. We’re in the “how bad will it be when it happens” phase.”
Paul Bischoff, Consumer Privacy Advocate at Comparitech:
“Cybercriminals are always looking for low-hanging fruit, and that includes ill-prepared critical infrastructure. These threats are easy to spot but persistent, so vigilance is key. An organization can avoid it 1,000 times but only needs to slip up once to allow cybercriminals into their network. Once inside, they can steal data and deploy ransomware, among other attacks.”
Chris Hauk, Consumer Privacy Champion at Pixel Privacy:
“Unfortunately, the infrastructure in the U.S. is an attractive target for the bad actors of the world. The rise of malware-as-a-service allows unsophisticated hackers to wreak havoc with little effort, often causing unintended consequences in some cases. U.S. oil and gas companies need to modernize and harden their systems. While this won’t be cheap, it will still be more economical than trying to clean up the mess left behind by the bad guys.”
This illustrates that the number of threat actors looking to launch attacks is only increasing. Thus it is incumbent on defenders to make sure that potential attacks are mitigated or stopped before they happen.
This entry was posted on May 7, 2025 at 12:20 pm and is filed under Commentary with tags CISA.