Destructive cyber attacks against critical infrastructure have unfortunately become increasingly frequent. Just last week, multinational government agencies blared the alarm about a global cyber espionage campaign targeting critical infrastructure networks. With this type of cyber threat in the spotlight, we’re rounding up recent cyber advice for securing critical infrastructure.
In case you missed it, here are six things to know right now about protecting everything from operational technology (OT) and industrial control systems (ICS) to the countless IoT devices that power our world.
1- Global alert: China-backed APTs hit critical infrastructure in cyber espionage campaignLet’s start with the most recent news. Last week, multiple U.S. and international government agencies warned critical infrastructure organizations about ongoing and global cyber attacks from advanced persistent threat (APT) attackers backed by the Chinese government (PRC).
The joint advisory – “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System” – urged security teams to immediately take basic but essential steps, including patching known exploited vulnerabilities; adopting centralized logging; and securing network edge devices.
The prime target? The network infrastructure of large telecom providers, although other critical infrastructure sectors, such as the military and transportation, have also been hit.
The threat actors, active since 2021 and identified over the years as Salt Typhoon, Operator Panda, RedMike, UNC5807 and GhostEmperor, are walking through unlocked doors. For initial entry, they look for low-hanging fruit, such as vulnerabilities that have been disclosed and for which patches exist, including these:
Once inside, the attackers try to avoid detection so that they can stay hidden for years to gather intelligence. Their playbook includes:
Here’s a small sampling of the mitigation recommendations:
To get a deep dive into this threat, read this blog from Tenable's Research Special Operations team: "Frequently Asked Questions About Chinese State-Sponsored Actors Compromising Global Networks."
Meanwhile, the FBI last month alerted that a Russian government unit has been hijacking network devices to surveil industrial networks. In the alert “Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure,” the FBI warned that the hackers are targeting industrial control systems (ICS) by breaching networks via the years-old bug CVE-2018-0171 in the Cisco Smart Install (SMI) software.
For more information about Salt Typhoon and related China-backed APT attacks against critical infrastructure, check out these Tenable blogs:
Last month, the Cybersecurity and Infrastructure Security Agency (CISA) tackled the critical issue of visibility of OT wares with a new playbook for how to structure, manage and update an OT asset inventory.
The new guidance – titled “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators” – delivers a clear message: an OT asset inventory is the bedrock of any OT security architecture. Without it, OT security is fundamentally impaired.
“An OT asset inventory – an organized, regularly updated list of an organization’s OT systems, hardware, and software – is foundational to designing a modern defensible architecture,” the document reads.
But OT operators shouldn’t stop there.
They also must classify their assets. OT environments are a diverse mix of legacy systems, sensors and specialized devices – along with their usual variety of proprietary communication protocols. CISA recommends creating a taxonomy to understand each component's role.
Classifying OT assets by function and importance helps to:
Steps To Build An OT Asset Taxonomy
(Source: CISA)
The document, which CISA created in collaboration with multiple U.S. and international government agencies, aims to help critical infrastructure organizations shift from a reactive to a proactive security posture via full asset visibility and thus attain a more resilient and secure OT environment.
For more information about OT security, check out these Tenable resources:
From medical implants to industrial sensors, tiny Internet-of-things (IoT) devices are everywhere in critical infrastructure. The problem? Most of them don't have the processing muscle for heavy-duty encryption.
To fix this, the National Institute of Standards and Technology (NIST) just finalized a new standard for lightweight cryptography. It’s built for the billions of IoT devices with limited computational resources.
“We encourage the use of this new lightweight cryptography standard wherever resource constraints have hindered the adoption of cryptography,” NIST computer scientist Kerry McKay, who co-led the project, said in a statement.
(Credit: Image generated by Tenable using Google Gemini)
Detailed in NIST Special Publication 800-232, the standard is built around the Ascon family of cryptographic algorithms and includes four specific algorithms designed for different security needs.
This new standard is designed for straightforward implementation and offers better protection against "side-channel attacks," where adversaries analyze a device's power consumption or timing to glean information.
For more information about IoT security:
Of course, the first step in preventing OT breaches is selecting products that were designed and built securely.
In January, CISA published a guide to help organizations choose OT products with cybersecurity baked in from the start.
Titled “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products,” the publication highlights 12 cybersecurity elements that OT products should have, including:
According to CISA, many OT products aren’t designed and developed securely, so they ship with issues such as weak authentication, known vulnerabilities and insecure default settings.
In fact, the agency says it’s common for hackers to specifically target OT products they know are insecure, instead of going after specific organizations.
Back in September 2024, CISA sounded the alarm on critical infrastructure organizations’ susceptibility to common, well-known attack methods in its “CISA Analysis: Fiscal Year 2023 Risk and Vulnerability Assessments” report.
The report’s findings are based on risk and vulnerability assessments (RVAs) of the security of 143 critical infrastructure organizations that CISA and the U.S. Coast Guard conducted in 2023.
Specifically, CISA and USCG assessors had the most success gaining initial access, attaining network permanence, evading defenses and moving laterally by using valid accounts, phishing schemes and default credentials — all simple attack methods.
For example, the use of valid accounts, which are legitimate accounts whose login credentials have been compromised, was the most successful attack technique for achieving:
(Source: “CISA Analysis: Fiscal Year 2023 Risk and Vulnerability Assessments” report, September 2024)
The report offers troves of recommendations to critical infrastructure organizations, including:
For more information about protecting critical infrastructure environments and about operational technology (OT) security, check out these Tenable resources:
As OT computing environments become more digitized, converged with IT systems and cloud-based, critical infrastructure organizations should beef up their cybersecurity by adopting zero trust principles.
That’s the key message the Cloud Security Alliance delivered in November via its “Zero Trust Guidance for Critical Infrastructure” white paper, which focuses on applying zero trust methods to OT and ICS systems.
While OT/ICS environments were historically air gapped, that’s rarely the case anymore. “Modern systems are often interconnected via embedded wireless access, cloud and other internet-connected services, and software-as-a-service (SaaS) applications,” reads the 64-page white paper.
The CSA hopes the document will help cybersecurity teams and OT/ICS operators enhance the way they communicate and collaborate.
Among the topics covered are:
The guide also outlines this five-step process for implementing zero trust in OT/ICS environments:
To get more details, read:
For more information about OT systems cybersecurity, check out these Tenable resources:
What's your plan when ransomware locks up your OT and industrial control systems? If you don't have one, the SANS Institute is here to help.
Its new framework, “A Simple Framework for OT Ransomware Preparation” provides a hands-on guide for building a response playbook. The key message? Preparation is everything.
With the document, published in April, SANS aims to outline an actionable, hands-on approach for critical infrastructure organizations seeking to build or fine-tune ransomware response playbooks.
“In the OT world, a lack of preparation can have real-world consequences,” reads a SANS blog titled “Building a Better OT Ransomware Response Plan: A Simple Framework for ICS Environments.”
At a high level, SANS recommendations for critical infrastructure organizations with OT / ICS environments include:
“By focusing on the unique challenges of OT networks, such as their architectural immaturity and the criticality of safe operations, the framework provides actionable guidance to enhance incident response capabilities,” the document reads.
Enterprises today are no longer confined to a single IT environment. Instead, they are embracing multi-cloud strategies—leveraging services from AWS, Microsoft Azure, Google Cloud, and private clouds to achieve flexibility, scalability, and cost efficiency. This shift enables digital transformation at scale but also introduces unprecedented security challenges. With workloads distributed across multiple providers, visibility becomes
The post Multi-Cloud Security appeared first on Seceon Inc.
The post Multi-Cloud Security appeared first on Security Boulevard.
A sophisticated threat actor, TAG-150, active since at least March 2025. Characterized by rapid malware development, technical sophistication, and a sprawling multi-tiered infrastructure, TAG-150 has deployed several self-developed families—CastleLoader, CastleBot, and most recently CastleRAT—targeting organizations via phishing campaigns and fraudulent repositories. TAG-150 first surfaced with CastleLoader, a loader that delivers a diverse set of follow-on […]
The post TAG-150 Hackers Escalate Attacks with Proprietary Malware Families appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Cybersecurity today is more complex than ever before. Organizations operate in hybrid and multi-cloud environments, manage remote and mobile workforces, and depend on countless third-party applications and integrations. This interconnectedness drives innovation—but it also creates fragmented security silos that adversaries exploit. Most businesses still rely on multiple point solutions for monitoring endpoints, networks, cloud, and
The post Unified Security Visibility appeared first on Seceon Inc.
The post Unified Security Visibility appeared first on Security Boulevard.
You must login to view this content
You must login to view this content
In 2025, internal network penetration testing is more crucial than ever. While external defenses are often the focus, a single compromised credential or an employee falling for a sophisticated social engineering attack can grant an adversary a foothold inside your network. An internal network pentest simulates a hacker who has already gained access, testing the […]
The post 10 Best Internal Network Penetration Testing Companies in 2025 appeared first on Cyber Security News.
A marked escalation in the abuse of ConnectWise ScreenConnect installers since March 2025, with U.S.-based businesses bearing the brunt of these incursions. Adversaries are now deploying lightweight ClickOnce runner installers—devoid of embedded configurations—to evade static detection, fetching malicious components at runtime. Post-installation, attackers automate the rapid deployment of two distinct remote access trojans (RATs): the […]
The post Threat Actors Exploit ScreenConnect Installers for Initial Access appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
A critical vulnerability (CVE-2025-42957) in SAP S/4HANA enterprise resource planning software is being exploited by attackers “to a limited extent”, the Dutch National Cyber Security Center (NCSC NL) has warned on Friday. Their alert seems to be based on a report by SecurityBridge’s Threat Research Labs, who professedly verified that the exploit for the flaw is being used in the wild. About CVE-2025-42957 CVE-2025-42957 is a code injection vulnerability affecting SAP S/4HANA’s function module exposed … More →
The post Attackers are exploiting critical SAP S/4HANA vulnerability (CVE-2025-42957) appeared first on Help Net Security.