
Critical infrastructure sectors on the most concerning threats – and needed solutions

Hurricane Helene brought down power lines and telephone poles in Chimney Rock, N.C., as seen Oct. 10, 2024. (Photo by Michel Sauret/U.S. Army Corps of Engineers Pittsburgh District)

By Threat Beat Staff

With critical infrastructure constantly under myriad threats, sector-focused information sharing and analysis centers and organizations collect, analyze and disseminate actionable cyber and physical threat information to stakeholders and provide them with tools to mitigate risks and enhance resiliency. To mark Cybersecurity Awareness Month, Threat Beat asked:

1) What is the most pressing short-term security concern in your sector?

2) What is one thing the public and/or industry/government can do now to address this? 


(Department of Energy)

Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC)

John Bryk, Manager of Intelligence and Risk Analysis

1) THREAT: The security of telecom infrastructure, which is under active assault. Recent intrusions by state-sponsored actors have exploited unpatched routers, switches and edge devices to infiltrate U.S. networks. These aren’t theoretical risks – they’re live-fire exercises against the backbone of our digital economy. Yet without liability protection, telecom (actually, all) companies are disincentivized from reporting to their ISACs or to the government. That breaks the cycle: Government agencies and ISACs can’t process raw data into actionable intelligence, ISACs can’t push tailored, actionable alerts to members, and the entire early-warning system collapses.

The root cause of a throttling of (global) reporting is the expiration of the Cybersecurity Information Sharing Act of 2015 (CISA), which sunset quietly on Sept. 30. That’s a critical loss. CISA 2015 provided the legal framework that enabled national critical infrastructure providers and their ISACs to share cyber threat intelligence without fear of liability, antitrust exposure or FOIA requests. Without it, we’re receiving comments from some ISACs, and seeing in our own, that members are withholding reporting out of caution.

2) ADDRESSING THE THREAT: Congress needs to act – either reauthorize CISA or pass new legislation that restores those protections. Liability shields, antitrust exemptions and privacy safeguards aren’t just legal niceties; they are essential for effective threat sharing.

In the meantime, even if it’s not mandated, we need to keep the information flowing. Industry can continue with anonymized, voluntary reporting to ISACs. The DNG-ISAC this summer stepped up reporting operations to supplement lost government feeds as some of our government partners were furloughed or removed. In September, we lost that intelligence momentum with the end of CISA 2015. Industry must weigh the risk versus gain and consider continuing:

  • Including ISACs in incident workflows
  • Promoting safe, anonymous sharing protocols
  • Supporting ISAC-led campaigns that spotlight real-world threats – like ransomware, DDoS and even physical risks to field workers

We’ve built a strong threat intelligence ecosystem. Let’s not let it unravel because the legal scaffolding fell away.


An Idaho National Laboratory power engineer examines breaker settings inside the yard of an electric substation on Aug. 22, 2013. (Department of Energy)

Electricity Information Sharing and Analysis Center (E-ISAC)

1) THREAT: Cybersecurity –

  • Newly disclosed and rapid exploitation of network edge vulnerabilities leading to unauthenticated remote access, full compromise of vulnerable devices or execution of arbitrary code.
  • Cyber espionage-focused advanced threat actors who are capable of maintaining long-term persistence on victims’ networks, evading detection, leveraging living-off-the-land tools already present and exfiltrating sensitive information.
  • Cybercriminal and cyber hacktivist groups with nationalist agendas who actively target operational technology systems.
  • Cybersecurity vulnerabilities in critical infrastructure supply chains pose serious risks for disruption, espionage and sabotage, threatening national security and public safety. 

Physical security –

  • Criminal activity specifically related to theft (i.e. copper) and vandalism (physical damage to electric assets) is a pressing security concern to industry. Thefts and attempted thefts as well as vandalism continue to increase and result in electricity outages and operational impacts. 
  • Drones/UAS/UAV: The proliferation of drones/UAS/UAV technology has increased the risk for the electricity industry nationwide. Geopolitical conflicts have also shown how nation-state actors have used drones to attack and target electric infrastructure. This highlights the need for legislation on drones and clearer control of the airspace over electric facilities and critical assets. 
  • Threats and assaults to utility personnel (i.e. field workers, CEOs, site and security personnel). Increased political, social and economic tensions are contributing to an increased threat to personnel across the industry and other sectors. Field workers who make direct contact with members of the public experience the brunt of threats and assaults in the electric sector. However, recent acts of violence such as the killing of UnitedHealthcare CEO Brian Thompson highlight an increased risk to executives by violent extremists due to ideologically driven grievances. 
  • Violent extremists continue to pose a threat to electric infrastructure and are often ideologically driven to target the electric grid.  

2) ADDRESSING THE THREAT: Cybersecurity –

  • Revisit patch management programs and prioritize patching devices and applications that are high risk. This includes devices that are directly connected to the internet and devices whose network placement and architecture are in line with critical or high-risk assets.
  • Monitor for new tactics, techniques and developments on cyber threat actors from U.S. and Canadian government agencies and ISACs as well as research and reports from cybersecurity and news companies.
  • Share event and incident response information within and across sectors, which will aid in enterprise cyber defense.  
  • Enhance ICS security by prioritizing cybersecurity hygiene, including comprehensive management of privileged accounts with strong authentication and access controls, alongside robust network segmentation to isolate critical systems and minimize the potential for widespread disruption from cyberattacks.

Physical security –

  • Criminal activity mitigation efforts to help address this include stiffer punishments for criminal activity targeting critical infrastructure, enabling law enforcement to target supporting industries such as scrap metal/recycling facilities accepting stolen materials. It’s also important to educate the public and law enforcement about the risk of theft from electricity sites.
  • Drones/UAS/UAV: Currently, there are no laws that prohibit drones/UAS/UAV activity over or near electric facilities, and most drone mitigation activities (with the exception of some drone detection technologies) are prohibited by federal law. There is ongoing work within the industry to make recommendations on federal laws and regulations, which would help utilities manage the risk. Educating the public about the risk to electric facilities from drones and to avoid flying over or near electric infrastructure would be helpful. 
  • Threats and assaults: Increase support for legislation at state and federal levels to enhance field worker safety. Industry can also support with risk assessments to identify potential hazards and by conducting continuous safety training on how to recognize hazards, utilize PPE, respond during emergencies, determine which safety solutions are available to employees, and provide training on de-escalation efforts.   
  • Violent extremists: In recent years, law enforcement has apprehended and thwarted high-profile attacks; however, acts of sabotage to the sector continue. Increasing law enforcement apprehension of suspects targeting electric infrastructure and more severe prosecutions could deter future threats and attacks from being carried out.
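The patch-prioritization point above (internet-facing devices and devices placed next to critical assets first) is easy to state and easy to lose in a spreadsheet of CVSS scores. The following is an added example, not E-ISAC code: a small scoring routine over a constructed asset inventory. The weights and tier thresholds are assumptions, the asset names and `VULN-000x` ids are placeholders, and the point it demonstrates is that a lower-severity finding on an exposed VPN gateway outranks a higher-severity finding on an isolated printer, while findings with no vendor patch are split off into a queue that needs a compensating control instead of waiting.

```python
"""Risk-based patch prioritization over a constructed asset inventory.

Added example, not E-ISAC code. The weights below are assumptions chosen to
reflect the guidance: internet-facing devices and devices placed next to
critical or high-risk assets move to the front of the patch queue, ahead of
higher-severity findings on isolated systems.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    vuln_id: str                    # constructed placeholder ids, not real CVEs
    cvss: float                     # base severity score, 0-10
    internet_exposed: bool          # directly reachable from the internet
    adjacent_to_critical: bool      # placement in line with critical/high-risk assets
    known_exploited: bool = False   # e.g. listed in an exploited-vulnerability catalogue
    patch_available: bool = True


def priority_score(f: Finding) -> float:
    """0-100; higher means patch sooner. Exposure outweighs raw severity."""
    score = f.cvss * 5.0            # up to 50 points from severity alone
    if f.internet_exposed:
        score += 25.0               # reachable by anyone: biggest single boost
    if f.adjacent_to_critical:
        score += 15.0               # a foothold here is one hop from critical assets
    if f.known_exploited:
        score += 10.0               # exploitation already observed in the wild
    return min(score, 100.0)


def tier(score: float) -> str:
    """Map a score to a patch SLA bucket (thresholds are assumptions)."""
    if score >= 75:
        return "P1"
    if score >= 50:
        return "P2"
    if score >= 30:
        return "P3"
    return "P4"


def prioritize(findings):
    """Return (patch_queue, mitigate_queue).

    patch_queue: findings with a patch, ordered by descending score, as
    (asset, vuln_id, tier) tuples.
    mitigate_queue: findings with no vendor patch yet; these need a
    compensating control (segmentation, removing exposure) rather than waiting.
    """
    patchable = [f for f in findings if f.patch_available]
    unpatchable = [f for f in findings if not f.patch_available]
    ordered = sorted(patchable, key=lambda f: (-priority_score(f), f.asset))
    return ([(f.asset, f.vuln_id, tier(priority_score(f))) for f in ordered],
            [(f.asset, f.vuln_id) for f in unpatchable])


# Constructed inventory; asset names and vuln ids are placeholders.
SAMPLE_FINDINGS = [
    Finding("edge-fw-01", "VULN-0001", 9.8, True, True, known_exploited=True),
    Finding("hmi-jump-host", "VULN-0002", 7.5, False, True),
    Finding("corp-printer-07", "VULN-0003", 9.0, False, False),
    Finding("vpn-gw-02", "VULN-0004", 6.5, True, False, known_exploited=True),
    Finding("dev-laptop-19", "VULN-0005", 4.0, False, False),
    Finding("rtu-gateway-03", "VULN-0006", 8.1, False, True, patch_available=False),
]

if __name__ == "__main__":
    queue, mitigate = prioritize(SAMPLE_FINDINGS)
    for row in queue:
        print("patch   ", row)
    for row in mitigate:
        print("mitigate", row)
```

Run as-is it prints the patch queue with `edge-fw-01` first and `corp-printer-07` (CVSS 9.0, but isolated) behind the CVSS 6.5 VPN gateway; swap in a real inventory export and tune the weights to the organisation's own architecture.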

Damage seen Sept. 17, 2020, after an arson attack at St. Gregory the Illuminator Armenian Apostolic Church in San Francisco. (FBI)

Faith-Based Information Sharing and Analysis Organization (FB-ISAO)

Andy Jabbour, Co-Founder, Board Member and Senior Advisor

1) THREAT: Most immediately, physical security and the enduring concerns around lone actors is the most pressing security concern for faith-based organizations. Violent lone actors, regardless of their motivations, which range from personal grievances to various forms of religious, ideological and political extremism, salad bar terrorism and everything in between, remain the greatest overall security risk based on likelihood and overall consequences. This is further complicated by increasing domestic stressors. Of course, the broad array of hostile events, from vandalism to arson, other forms of violence, etc., are all a concern. And we also have to keep our eyes on insider threats, misconduct and other criminal activity, as well as escalating threats and disturbances in the cyber domain both to operations and facilities.

2) ADDRESSING THE THREAT: The most important thing we can all do, as individuals, as FBOs, as communities, is to remain vigilant. For FBOs, do the work. Have plans. Train your people. Do the exercises. We have to protect our people and places. For all of us, we have to understand threats and report suspicious behavior. We have to understand run, hide, fight. And we have to be ready to do our part, as we are able, to assist in de-escalation and responding as bystanders.


A rice farm in Calcasieu Parish in Lake Charles, La. (USDA/Kirsten Strough)

Food and Agriculture – Information Sharing and Analysis Center (Food and Ag-ISAC) 

Jonathan Braley, Director

1) THREAT: The continued integration of emerging technologies into food and agriculture has made modern agriculture more productive, which is positive. But every new device added is a new device that needs to be monitored, protected and patched to prevent it from becoming an entry point into an organization. 

Meanwhile, most attacks we’re seeing in the industry appear to be opportunistic. The attackers are not targeting food and agriculture companies specifically, but are targeting low-hanging fruit. They look for unpatched vulnerabilities on publicly exposed systems or other poor security practices.

Smaller companies are often resource-constrained and allocate their limited resources where it provides them maximum value. Many smaller organizations may not adequately understand the threats they face or how to mitigate them. While this issue is not unique to the food and agriculture sector, the interconnected nature of the food and agriculture sector means that an incident at one company can impact others in the supply chain. Not only can incidents in smaller partners and suppliers have immediate impacts to upstream partners, but small businesses can be impacted by disruptions of larger companies within the supply chain.

2) ADDRESSING THE THREAT: We believe strongly in informed risk management. We want to help organizations across the sector, of every size, better understand the dangers so that they can better manage threats to their enterprises. The Food and Ag-ISAC distributes cyber threat reporting and best practice documentation throughout the supply chain. We have created partnerships with both major industry trade associations and agriculture-centric universities to help amplify our resources and thought leadership pieces. The ISAC has also been actively engaged with both CISA and USDA to bilaterally share cyber threat intelligence to the sector.

In addition, we developed a cybersecurity guide to provide small and medium-sized businesses with cost-effective, easy to implement steps they can take to secure their enterprises. In developing the guide, we identified the most common and effective tactics, techniques and procedures (TTPs) of the attackers and suggested mitigations to defend against these specific TTPs. This guide is free to the public and is being actively shared throughout the industry, as well as among our association and academic partners.


The Intensive Care Unit at the United States Naval Hospital Okinawa, Japan, on Aug. 16, 2023. (Photo by Tech. Sgt. Michael Brown/141st Air Refueling Wing)

Health Information Sharing and Analysis Center (H-ISAC)

Jon Crosson, Director, Health Sector Resilience

1) THREAT: Many health-sector organizations continue to see ransomware as their top cyber threat. These attacks don’t just steal data; they encrypt critical systems (patient records, lab results, imaging, etc.), which can directly endanger patient care. The cybercriminals even threaten to publicly release or sell sensitive patient information unless a ransom is paid. Phishing remains one of the main attack vectors for ransomware in the health sector and it’s becoming more sophisticated and personalized by using public information, AI, etc.

2) ADDRESSING THE THREAT: Organizations should follow basic cybersecurity hygiene and can use the voluntary guidelines published from a joint public-private partnership between HHS and the Health Sector Coordinating Council Cyber Security Working Group. The Cybersecurity Performance Goals can be found here.

To start, I would focus on 1) patching (stay up to date on new vulnerabilities and patch promptly), 2) back up systems and data (and ensure you can restore if needed – practice this!) and 3) use multifactor authentication for all remote access and for all privileged access (and ensure MFA is enforced for all these accounts on a regular basis).


Officials visit the Navajo Nation Kayenta Solar Project in Arizona on April 14, 2022. (Brett Lake/Department of Energy)

Multi-State Information Sharing and Analysis Center (MS-ISAC)

Carlos Kizzee, Senior Vice President, MS-ISAC Strategy and Plans

1) THREAT: The surge in ransomware attacks targeting state, local, tribal and territorial infrastructure, especially those organizations that suffer severe resource constraints and have limited or no cybersecurity staffing, is a key security concern.

State, local, tribal and territorial governments are top targets for ransomware and other cybersecurity exploitation. The majority of cybersecurity breaches can be traced back to social engineering and phishing, making human error a major component of cybersecurity breaches.

State, local, tribal and territorial governments and their departments and agencies operate with very small numbers of dedicated cybersecurity professionals, if any. These government entities house the sensitive information of residents and the non-public proprietary information of businesses in their jurisdictions. State, local, tribal and territorial governments consistently identify insufficient funding to keep pace with the volume and sophistication of cyber threats as a top security concern that places that data, and the continuity of vital government services, at risk. The threats facing them may be from nation-state threat actors or may leverage sophisticated tools and techniques that are increasingly available and made even more effective by artificial intelligence. 

2) ADDRESSING THE THREAT: Solutions to this threat include expanding federal government funding for access to effective, scalable and impactful security awareness training in the state, local, tribal and territorial public-sector workforce environment, and enabling federal government funding for state, local, tribal and territorial governments to receive scalable and effective cybersecurity services and peer-to-peer security networking collaboration from organizations such as the Multi-State Information Sharing and Analysis Center and other trusted networks like state fusion centers and research and education networks. 

If our nation-state enemies were launching missiles on our states and municipalities there would need to be national federal protections and countermeasures to the attack. Those enemies and their criminal surrogates are attacking state, local, tribal and territorial targets via cybersecurity threat activities, and there likewise needs to be national federal support for state, local, tribal and territorial governments to protect from these sophisticated threat actors and their surrogates.


Offshore drilling in the Santa Barbara Channel (Department of Energy)

Oil and Natural Energy Information Sharing and Analysis Center (ONE-ISAC)

Mary Fernandez, Director of Threat Intelligence

1) THREAT: From the ONE-ISAC view, the most pressing short-term risk is compromise of developer and automation identities in source control and CI/CD (continuous integration/continuous delivery) on the enterprise side, which enables package poisoning, secret theft and pivots into cloud or on-prem networks that can later touch operational technology (OT). In oil and natural energy, specifically, many organizations do build and run substantial enterprise and cloud software, so CI/CD security is relevant there, while changes to industrial control systems (ICS) and OT are usually vendor-managed and promoted under strict change control rather than fast pipelines. 

2) ADDRESSING THE THREAT: Our guidance is to require phishing-resistant MFA for all developer accounts, replace long-lived tokens with short-lived or trusted publishing, use isolated and ephemeral runners with least privilege, sign and verify build artifacts, and keep any OT changes offline, pre-tested, allowlisted and segmented from IT.
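The guidance above is a checklist a pipeline can be tested against before a workflow is merged. The following is an added example, not ONE-ISAC code: a heuristic policy check that scans a GitHub Actions workflow as text for the weaknesses named in the guidance (no least-privilege permissions block, a long-lived secret used for publishing instead of short-lived OIDC trusted publishing, a self-hosted runner that must be confirmed ephemeral, and no artifact-signing step). The two sample workflows are constructed; the hardened one assumes PyPI trusted publishing via `pypa/gh-action-pypi-publish` with `id-token: write` and signing with `cosign`, and the regex rules are assumptions meant as a pre-merge gate, not a full YAML parser.

```python
"""Heuristic policy check for CI/CD workflow files.

Added example, not ONE-ISAC code. Scans a GitHub Actions workflow as text for
the weaknesses the guidance calls out. The checks are regex heuristics
(assumptions) intended as a pre-merge gate; they do not parse YAML.
"""
import re

# Constructed sample: a release workflow with the weak settings.
WEAK_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4
      - run: python -m build
      - run: twine upload dist/*
        env:
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
"""

# Constructed sample: the same workflow with the corrected settings.
HARDENED_WORKFLOW = """\
name: release
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: python -m build
      - run: cosign sign-blob --yes --output-signature dist/pkg.whl.sig dist/pkg.whl
      - uses: pypa/gh-action-pypi-publish@release/v1
"""

# GITHUB_TOKEN is issued per job and expires with it, so it is not long-lived.
SHORT_LIVED = {"GITHUB_TOKEN"}


def audit_workflow(text: str) -> list:
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []

    # 1. Least privilege: a permissions block should exist and not be write-all.
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append("no permissions block: jobs get the default token scope "
                        "instead of least privilege")
    if re.search(r"^\s*permissions:\s*write-all\b", text, re.M):
        findings.append("permissions: write-all grants every scope; limit the "
                        "token to what each job needs")

    # 2. Long-lived credentials: any secrets.* that looks like a token, password
    #    or key, unless the job mints a short-lived OIDC token (id-token: write).
    has_oidc = re.search(r"^\s*id-token:\s*write\b", text, re.M) is not None
    for m in re.finditer(r"secrets\.(\w*(?:TOKEN|PASSWORD|KEY)\w*)", text):
        if m.group(1) in SHORT_LIVED:
            continue
        if not has_oidc:
            findings.append(f"long-lived credential secrets.{m.group(1)} used for "
                            "publishing; prefer short-lived OIDC trusted publishing")

    # 3. Runner isolation: a self-hosted label needs an out-of-band check that the
    #    runner is ephemeral and isolated; the workflow text alone cannot prove it.
    if re.search(r"^\s*runs-on:.*\bself-hosted\b", text, re.M):
        findings.append("self-hosted runner: confirm it is ephemeral, isolated and "
                        "runs with least privilege")

    # 4. Artifact signing: heuristic that looks for a cosign invocation (assumption).
    if not re.search(r"\bcosign\b", text):
        findings.append("no artifact signing step detected (heuristic: expects cosign)")

    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {audit_workflow(wf) or ['ok']}")
```

Run stand-alone it reports four findings for the weak workflow and none for the hardened one. The runner check is deliberately a prompt rather than a verdict: whether a self-hosted runner is actually ephemeral is a property of the runner fleet, not of the workflow file, so it belongs in a separate inventory control.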


The U.S. Space Force’s Space Systems Command (SSC) Assured Access To Space (AATS) and Space Launch Delta 30 (SLD 30) teams successfully launch the Space Development Agency’s Tranche 1 Transport Layer-B (T1TL-B) mission aboard a SpaceX Falcon 9 rocket from Space Launch Complex (SLC)-4 East from Vandenberg Space Force Base, Calif., on Sept. 10, 2025. (SpaceX)

Space Information Sharing and Analysis Center (Space ISAC)

Samuel Visner, Chairman of the Board of Directors, Space ISAC

1) THREAT: In the space systems sector, there are several immediate concerns. First, we are seeing continued interference with space-based navigation systems. Commercial satellite communications systems are also being targeted, and the undersea cables on which some space systems depend – and that depend on space systems, too – have been attacked, particularly in the Baltic region. While norms of behavior have protected space systems more or less until now, norms do not protect cyber systems, and space and cyber systems are increasingly linked and interdependent. 

2) ADDRESSING THE THREAT: More information sharing among industry partners and with the government, particularly in regard to threats, incidents and vulnerabilities. Research and development regarding the security of space systems. Recognition that industry must work together – through the Space Information Sharing and Analysis Center – to share vital information and engage collaboratively in finding solutions to the problems described above.


The wastewater treatment plant on Joint Base Pearl Harbor-Hickam, Hawaii, on April 21, 2025. (U.S. Navy photo by Anna Marie G. Gonzales)

Water Information Sharing and Analysis Center (WaterISAC)

Chuck Egli, Director of Security and Resilience Operations

1) THREAT: The recently disclosed vulnerabilities in F5 devices. This equipment is used across many different critical infrastructure sectors, typically on the IT/DMZ side to front-end customer and business apps but sometimes to broker access into OT environments. Researchers have found more than 266,000 exposed devices online that may be susceptible to remote attacks, representing the latest cybersecurity compromise with potential impacts across many critical infrastructure sectors. Chinese threat actors are alleged to be behind efforts to exploit the vulnerabilities, reflecting the increasing cyber activity directed against U.S. critical infrastructure entities from PRC-related threat actors. They are believed to have used a malware family called BRICKSTORM, which is attributed to a PRC-related espionage group dubbed UNC5221.

2) ADDRESSING THE THREAT: For those affected, follow the guidance in CISA Executive Directive 26-01: Mitigate Vulnerabilities in F5 Devices. Although not technically required (the Executive Directive only formally applies to Federal Civilian Executive Branch agencies), WaterISAC strongly encourages following the guidance in the Executive Directive to mitigate the threat. Additionally, WaterISAC encourages reviewing F5’s security advisory.
