The Cybersecurity & Infrastructure Security Agency recently issued a statement to help raise awareness regarding unsophisticated cyber actor(s) targeting ICS/SCADA systems within the U.S. critical Infrastructure sectors of oil and natural gas processing. Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate these threats, leading to configuration changes, operational disruptions and, in severe cases, physical damage.
CISA is strongly urging asset owners and operators to review their Primary Mitigations to Reduce Cyber Threats to Operational Technology fact sheet. Additionally, a number of industry experts weighed in on the topic, offering advice, perspective and best practices.
Having previously studied ICS and OT systems when he worked for NATO, Ensar Seker, CISO at SOCRadar, commented: “CISA’s warning about unsophisticated actors targeting ICS and OT systems in the oil and natural gas sectors should not be underestimated. The level of technical sophistication doesn’t always correlate with the level of impact, especially when it comes to operational technology. In many cases, even basic scanning tools, default credentials, or exposed interfaces can lead to catastrophic outcomes when ICS and SCADA environments are not properly segmented or monitored.
“What makes this alarming is the growing accessibility of industrial-specific exploits and open-source ICS scanning tools, which are now circulating not only in underground forums, but even in open GitHub repositories. This lowers the barrier to entry for less capable threat actors including ideologically driven groups or lone wolves with potentially disproportionate physical effects, such as fuel distribution disruptions or pipeline shutdowns.
“The real issue here isn’t just threat actor sophistication, it’s systemic exposure. Many ICS environments were designed decades ago, without cybersecurity in mind, and continue to rely on legacy protocols like Modbus and DNP3 with little to no authentication, encryption, or tamper detection. This isn’t just about defending against advanced persistent threats. It’s about recognizing that even a simple script, when aimed at an unprotected valve, sensor, or controller, can have very real-world consequences.
“CISA’s alert is yet another signal that the line between cyber and physical security has dissolved. It’s time for energy and transportation operators to treat every node on their ICS networks as a critical attack surface regardless of how sophisticated the attacker may seem.”
Similarly, James McQuiggan, Security Awareness Advocate at KnowBe4 offered his thoughts. “Critical infrastructure must move from “if” to “when” thinking. Eight years after NotPetya disrupted global operations, we’re still seeing attackers rely on tactics that should no longer be effective, yet they are. That clearly indicates that many critical infrastructure organizations haven’t hardened their defenses fast enough.
“These attacks aren’t carried out by sophisticated state actors. They’re using well-known techniques like stolen credentials, unpatched vulnerabilities, and remote access misconfigurations, all items blue teams should be able to stop. Too many organizations operate under the assumption that they won’t be targeted, or that their OT environments are ‘isolated enough.’ That’s the same logic as leaving your front door unlocked because no one’s robbed your neighbors yet.
“If you can’t see your attack surface, you can’t secure it. Organizations should run tabletop exercises specific to OT scenarios. Include ransomware in your simulations and work to identify single points of failure before attackers do. Leaders, including boards and the C-suite, must stop treating cybersecurity as an IT line item, as this is an operational risk. And in many cases, it’s a matter of national security. We’re not in the ‘what if’ phase anymore. We’re in the ‘how bad will it be when it happens’ phase.”
Chris Hauk, Consumer Privacy Champion at Pixel Privacy also chimed in, adding: “Unfortunately, the infrastructure in the U.S. is an attractive target for the bad actors of the world. The rise of malware-as-a-service allows unsophisticated hackers to wreak havoc with little effort, often causing unintended consequences in some cases.
“U.S. oil and gas companies need to modernize and harden their systems. While this won’t be cheap, it will still be more economical than trying to clean up the mess left behind by the bad guys.”