
CISA Observes Unsophisticated Cyber Activity Against U.S. Oil & Natural Gas Infrastructure

May 7, 2025

The Cybersecurity and Infrastructure Security Agency (CISA) released an alert this week warning of unsophisticated cyber actors increasingly targeting Industrial Control Systems (ICS) and SCADA environments within U.S. oil and natural gas infrastructure, specifically in Energy and Transportation Systems. While these cyber actors may lack sophistication, their activities pose serious risks where cyber hygiene is poor and assets are exposed. As the alert notes, even basic intrusion techniques can lead to defacement, configuration changes, operational disruptions, and in severe cases, physical damage.

CISA’s official alert is available here.

CISA strongly urges review of their Primary Mitigations to Reduce Cyber Threats to Operational Technology, which outlines the following guidance:

  1. Remove OT Connections to the Public Internet
    OT devices connected to public networks are easy targets. These devices often lack modern authentication and authorization, and they are easily found through open-port scans. Identifying and removing unnecessary internet exposure is crucial.
  2. Change Default Passwords and Use Strong, Unique Credentials
    Many targeted systems still use default or easily guessable passwords. Especially for internet-facing OT assets, strong passwords and multi-factor authentication are necessary to prevent unauthorized access.
  3. Secure Remote Access to OT Networks
    Remote access is often a convenience, but it introduces risks. If remote access is necessary, it should be isolated from public networks using VPNs with strong authentication and phishing-resistant MFA.
  4. Segment IT and OT Networks
    Proper network segmentation, including the use of demilitarized zones (DMZs), reduces the likelihood of widespread disruption from a single intrusion point.
  5. Practice and Maintain Manual Operation Capabilities
    Having the ability to revert to manual operations is critical in the event of an incident. Organizations should test business continuity, disaster recovery plans, and islanding capabilities regularly.
  6. Collaborate with Third Parties for Configuration Guidance
    Misconfigurations are often introduced during installation or regular operations. Working closely with system integrators, managed service providers, and manufacturers can help identify and address these vulnerabilities before they are exploited.
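The first four mitigations translate directly into checks an asset owner can run against an OT asset inventory. The script below is an added illustration, not code from CISA, Industrial Defender, or the original post; the asset records, the approved OT address range (10.20.0.0/16), the default-credential list, and the allowed-flow table are all constructed for the example. It flags assets whose management address falls outside the documented OT address plan (mitigation 1), default or short credentials (2), remote access that is not behind a VPN with phishing-resistant MFA (3), and firewall flows that let IT hosts reach OT hosts directly instead of through a DMZ (4).

```python
"""Audit a constructed OT asset inventory against CISA mitigations 1-4 (illustrative example)."""
import ipaddress
from dataclasses import dataclass

# Constructed: the organization's documented OT address plan. Anything outside
# these ranges is treated as potentially internet-reachable and must be reviewed.
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample of vendor default credential pairs (illustrative only).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", ""),
    ("root", "root"), ("user", "user"),
}
MIN_PASSWORD_LEN = 12


@dataclass
class OTAsset:
    name: str
    ip: str                 # management address as recorded in the inventory
    zone: str               # "OT", "DMZ", or "IT"
    username: str
    password: str
    remote_access: bool = False   # is the asset reachable by remote operators/vendors?
    vpn_required: bool = False    # is that access isolated behind a VPN?
    mfa: str = "none"             # "none", "otp", or "fido2" (phishing-resistant)


def exposure_findings(asset: OTAsset) -> list[str]:
    """Mitigations 1-3, evaluated per asset. Returns a list of finding strings."""
    findings = []
    addr = ipaddress.ip_address(asset.ip)
    if not any(addr in net for net in OT_NETWORKS):
        findings.append("M1: management IP outside approved OT ranges; verify no internet exposure")
    if (asset.username, asset.password) in DEFAULT_CREDENTIALS or len(asset.password) < MIN_PASSWORD_LEN:
        findings.append("M2: default or weak credential")
    if asset.remote_access:
        if not asset.vpn_required:
            findings.append("M3: remote access not isolated behind a VPN")
        if asset.mfa != "fido2":
            findings.append("M3: remote access lacks phishing-resistant MFA")
    return findings


def segmentation_findings(assets: list[OTAsset], allowed_flows: list[tuple[str, str]]) -> list[str]:
    """Mitigation 4: any permitted flow that joins IT and OT directly bypasses the DMZ."""
    zone = {a.name: a.zone for a in assets}
    findings = []
    for src, dst in allowed_flows:
        if {zone[src], zone[dst]} == {"IT", "OT"}:
            findings.append(f"M4: direct {zone[src]}->{zone[dst]} flow {src}->{dst} bypasses the DMZ")
    return findings


def audit(assets: list[OTAsset], allowed_flows: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Per-asset findings keyed by asset name, plus network-level findings under '_network'."""
    report = {a.name: exposure_findings(a) for a in assets}
    report["_network"] = segmentation_findings(assets, allowed_flows)
    return report


# Constructed inventory: one badly exposed PLC, one well-configured HMI, a DMZ historian, an IT server.
SAMPLE_ASSETS = [
    OTAsset("plc-01", "203.0.113.10", "OT", "admin", "admin", remote_access=True),
    OTAsset("hmi-02", "10.20.5.7", "OT", "oper", "Correct-Horse-Battery-Staple-42",
            remote_access=True, vpn_required=True, mfa="fido2"),
    OTAsset("hist-03", "10.20.200.3", "DMZ", "svc_hist", "Historian-Service-Key-2025"),
    OTAsset("erp-01", "10.50.1.4", "IT", "svc_erp", "Enterprise-Resource-Secret-77"),
]
# Constructed firewall allow-list as (source, destination) pairs.
SAMPLE_FLOWS = [("erp-01", "hist-03"), ("hist-03", "hmi-02"), ("erp-01", "plc-01")]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ASSETS, SAMPLE_FLOWS).items():
        print(name, "->", findings or "OK")
```

In practice the inventory and allow-list would be exported from the asset-management and firewall platforms rather than typed in, and the address-plan and credential lists would be maintained by the site; the checks themselves stay the same. Mitigations 5 and 6 (manual-operation drills and integrator review) are process controls and have no equivalent automated check.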

CISA's alert points to observed activity targeting Oil & Natural Gas infrastructure, particularly Energy and Transportation systems. These sectors are not regulated as stringently for cybersecurity as electric utilities under NERC CIP and therefore may vary in levels of cybersecurity maturity.

For organizations needing to strengthen security best practices, solutions like Industrial Defender can help OT asset owners and operators close gaps in their cyber hygiene and bring the implementation of critical cybersecurity controls up to standard. Industrial Defender can bring visibility to the security risks outlined above—monitoring OT assets, ensuring secure configurations, addressing vulnerabilities, and increasing vigilance across OT environments for weaknesses and signs of intrusion. We echo CISA's call to improve cyber hygiene and are available to help asset owners understand their risk landscape and take proactive steps to secure it. Establishing these best practices is key to minimizing risk and safeguarding critical operations.