Poland’s ABW confirmed hackers breached ICS at five water plants, gaining ability to alter equipment settings. Russia-linked APT groups suspected.

Poland’s Internal Security Agency (ABW) has published a detailed account of a sustained campaign targeting the country’s water plants, documenting security breaches at five water treatment facilities in 2025. The incidents mark one of the clearest documented cases in Europe of state-linked hackers gaining direct access to industrial control systems managing public water supplies.

The affected facilities were located in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. In several cases, attackers didn’t just observe, they obtained the ability to modify operational parameters of equipment in real time, creating a direct and concrete risk to the continuity of public water services. A breach of this kind isn’t a data theft. It is the digital equivalent of sabotage.

“In some cases, the attackers gained access to industrial control systems and obtained the capability to modify device operating parameters.” reads the report published by ABW. “This created a direct threat to the continuity of water supply processes and the proper functioning of municipal infrastructure.”

The attack vectors ABW identified are as unglamorous as they are alarming: weak password policies and systems left directly exposed to the internet. These are not sophisticated zero-day exploits. They are basic security failures that the OT and ICS security community has been warning about for years.

“The incidents were made possible by inadequate security measures, including weak password policies and the exposure of management interfaces directly to the public internet.” continues the report. “In several cases, systems responsible for operational technology were accessible without sufficient protection mechanisms.”

The attribution points firmly eastward. ABW identified Russian APT groups APT28 and APT29, the same actors linked to election interference across Europe and the SolarWinds supply chain attack, as well as UNC1151, a Belarusian-aligned group previously connected to the Ghostwriter operation targeting NATO countries.

“APT28, APT29 and UNC1151 are among the most active state-linked cyber espionage groups operating against European targets.” concludes the report. “Their activities combine intelligence collection, disruptive cyber operations and coordinated information warfare campaigns.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Water Plants)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a new initiative called “CI Fortify” aimed at helping critical infrastructure operators prepare for disruptive cyberattacks linked to geopolitical conflicts. The initiative comes amid growing concerns over nation-state cyber threats targeting operational technology (OT) systems that support essential services across the United States. The CI Fortify initiative focuses on improving critical infrastructure resilience through two key objectives: isolation and recovery. CISA said the effort is designed to help operators maintain essential operations even if adversaries compromise telecommunications networks, internet services, or industrial control systems. According to the agency, nation-state actors are no longer limiting their activities to espionage. Instead, threat groups have increasingly been pre-positioning themselves inside critical infrastructure environments to potentially disrupt or destroy systems during future geopolitical conflicts.

CI Fortify Initiative Focuses on Isolation and Recovery

Under the CI Fortify initiative, CISA is urging critical infrastructure organizations to assume that third-party communications and service providers may become unreliable during a crisis. Operators are also being asked to plan under the assumption that threat actors may already have some level of access to OT networks. Nick Andersen, Acting Director at CISA, emphasized the need for organizations to prepare for worst-case operational scenarios. “In a geopolitical crisis, the critical infrastructure organizations Americans rely on must be able to continue delivering, at a minimum, crucial services,” Andersen said. “They must be able to isolate vital systems from harm, continue operating in that isolated state, and quickly recover any systems that an adversary may successfully compromise.” The isolation strategy outlined under CI Fortify involves proactively disconnecting operational technology systems from external business networks and third-party connections. CISA said this approach is intended to prevent cyber impacts from spreading into OT environments while allowing organizations to continue delivering essential services in a degraded communications environment. The agency advised operators to identify critical customers, including military infrastructure and other lifeline services, and determine the minimum operational capabilities needed to support them during emergencies. CISA also recommended updating engineering processes and business continuity plans to support safe operations for extended periods while systems remain isolated.

Recovery Planning Central to Critical Infrastructure Resilience

Alongside isolation, the CI Fortify initiative places strong emphasis on recovery planning. CISA urged operators to maintain updated system documentation, create secure backups of critical files, and regularly practice system replacement or manual operational transitions. The agency noted that organizations should also identify communications dependencies that could complicate recovery efforts, such as licensing servers, remote vendor access, or upstream network connections. CISA encouraged operators to work closely with managed service providers, system integrators, and vendors to understand potential failure points and establish alternative recovery pathways. The initiative also highlights broader benefits of emergency planning beyond cybersecurity incidents. According to CISA, the same planning processes can help organizations maintain operations during weather-related disruptions, equipment failures, and safety emergencies. The agency said isolation planning can help cut off command-and-control access to compromised systems, while strong recovery preparation can reduce incident response costs and shorten recovery timelines.

Security Vendors and Service Providers Asked to Support CI Fortify

The CI Fortify initiative extends beyond infrastructure operators and calls on cybersecurity vendors, industrial automation suppliers, and managed service providers to support resilience planning efforts. Industrial control system vendors are being encouraged to identify barriers that could interfere with isolation and recovery procedures, including licensing restrictions and server dependency issues. Managed service providers and integrators are expected to assist organizations in engineering updates, local backup collection, and recovery documentation planning. Meanwhile, security vendors are being asked to support threat monitoring and provide intelligence if nation-state actors shift from espionage-focused activity to destructive cyber operations. CISA also requested vendors share information related to tactics that could undermine recovery or bypass isolation protections, including malicious firmware updates and vulnerabilities affecting software-based data diodes.

Volt Typhoon Cyberattacks Continue to Shape U.S. Cybersecurity Strategy

The launch of CI Fortify is closely tied to ongoing concerns surrounding the Volt Typhoon cyberattacks, which U.S. officials have linked to Chinese state-sponsored threat actors. CISA’s initiative specifically references the Volt Typhoon campaign as an example of how adversaries have attempted to establish long-term access inside U.S. critical infrastructure systems to potentially support disruptive actions during military conflicts. The Volt Typhoon operation first became public in 2023, when U.S. authorities revealed that Chinese hackers had infiltrated multiple sectors of American critical infrastructure. Former CISA Director Jen Easterly stated in 2024 that the agency had identified and removed Volt Typhoon intrusions across several sectors. She later reiterated in 2025 that efforts continued to focus on identifying and evicting Chinese cyber actors from critical infrastructure environments. Despite these operations, cybersecurity researchers and some government officials have warned that Chinese threat actors may still retain access to portions of critical infrastructure networks. Several experts have argued that nation-state groups remain deeply embedded in certain environments despite years of remediation efforts. With the CI Fortify initiative, CISA appears to be shifting focus toward operational resilience, recognizing that prevention alone may not be sufficient against sophisticated nation-state cyber threats targeting U.S. critical infrastructure.

The post Carlson VASCO-B GNSS Receivers Left Open to Remote Hijack appeared first on Daily CyberSecurity.

The post Critical 9.8 CVSS Flaw Exposes Intrado 911 Emergency Gateways appeared first on Daily CyberSecurity.

The post The Global Surge in Modbus/TCP Probes Targeting Our Physical World appeared first on Daily CyberSecurity.

Trump’s proposed budget cuts to CISA raise concerns about U.S. cyber defense, as experts warn of reduced collaboration and threat intelligence sharing.

The post Trump’s Proposed CISA Cuts Spark Alarm Among Cybersecurity Experts appeared first on TechRepublic.

EU sanctions Chinese and Iranian firms and individuals for cyberattacks targeting critical infrastructure and over 65,000 devices across member states.

The Council of the European Union has imposed sanctions on three companies and two individuals linked to cyberattacks against EU countries and partners.

“The Council adopted today restrictive measures against three entities and two individuals responsible for cyber-attacks carried out against EU member states and EU partners.” reads the press release.

The first sanctioned China-based company is Integrity Technology Group, which supported operations that compromised over 65,000 devices across six EU member states between 2022 and 2023. In January 2025, the U.S. Treasury sanctioned Integrity Tech for links to cyberattacks by China’s state-backed Flax Typhoon APT group (also called Ethereal Panda or RedJuliett).

The China-linked APT group used Integrity Tech’s infrastructure to launch cyberattacks on European and U.S. networks since the summer of 2022. Flax Typhoon is a China-linked hacking group that has been active since 2021, it targets critical infrastructure globally, exploiting vulnerabilities for persistent access.

The second sanctioned China-based firm is Anxun Information Technology, which provided hacking services targeting critical infrastructure. Two Chinese co-founders were sanctioned for directly participating in cyberattacks against EU member states. In March 2025, the U.S. sanctioned Anxun Information Technology (i-Soon) for offering hacker-for-hire services and conducting cyberattacks since 2011. A 2024 data leak exposed its internal operations and tools.

The sanctioned company is the Iranian firm Emennet Pasargad, which breached a French subscriber database and tried to sell the data online. It also spread disinformation by hacking advertising billboards during the Paris 2024 Olympic Games and disrupted a Swedish SMS service, affecting many EU citizens.

Those sanctioned face asset freezes, while EU citizens and companies are banned from providing them funds or resources. Individuals are also subject to travel bans within the EU. With these additions, the EU cyber sanctions regime now covers 19 individuals and 7 entities.

“The move highlights the EU’s commitment to responding firmly to ongoing cyber threats and working with international partners to ensure a secure and stable cyberspace.

“Today’s decision confirms EU’s and its member states’ willingness to provide a strong and sustained response to persistent malicious cyber activities targeting the EU, its member states and partners.” concludes the press release. “The EU and its member states will continue to cooperate with our international partners to promote an open, free, stable and secure cyberspace.”

The EU created its “cyber diplomacy toolbox” in 2017 to prevent and respond to cyber threats using diplomatic and restrictive measures. In 2019, it added a sanctions framework to target cyberattacks posing external threats to the EU and its members.

Pierluigi Paganini

(SecurityAffairs – hacking, EU critical infrastructure)

Industrial systems face rising cyber threats as OT security lags modernization. A new survey reveals widespread breaches and growing risks to critical infrastructure.

The post Industrial Systems Under Siege: 77% of OT Environments Suffer Cyber Breaches appeared first on TechRepublic.

GitGuardian’s latest Secrets Sprawl report found more than 28 million new secrets exposed via public GitHub commits in 2025, a 34% increase over 2024 and the largest annual jump the company has recorded. The spike reflects a broader transformation in software creation, as AI tools lower the barrier to coding.

The post Exposed Developer Secrets Surge: AI Drives 34% Increase in 2025 appeared first on The Security Ledger with Paul F. Roberts.

Europe’s plan to build sovereign search infrastructure highlights a growing security concern: dependence on foreign platforms for access to information and AI knowledge may represent a systemic vulnerability.

The post Europe’s Sovereign Search Plan is Really a Security Strategy appeared first on Security Boulevard.

Palo Alto Networks says an Asian cyber espionage campaign breached 70 organizations in 37 countries, targeting government agencies and critical infrastructure.

The post Asian Cyber Espionage Campaign Breached 37 Countries appeared first on TechRepublic.

Can a remote software attack send a power wheelchair tumbling down a staircase? Sadly: the answer is “yes.” Check out our latest podcast interview with Billy Rios and Brandon Rothel of QED Secure Solutions. Billy and Brandon discuss their research into security flaws in power wheelchairs by the Japanese firm WHILL.

The post When Cybersecurity Breaks Mobility: The Hidden Risks of Software-Powered Wheelchairs appeared first on The Security Ledger with Paul F. Roberts.

💾

Stranger Things concept of the “Upside Down” is a useful way to think about the risks lurking in the software we all rely on. A new report from ReversingLabs shines a light into that dark world.

The post Technology’s “Upside Down”? Software Supply Chain appeared first on The Security Ledger with Paul F. Roberts.

Security researcher Jon “Gainsec” Gaines and YouTuber Benn Jordan discuss their examination of Flock Safety’s AI-powered license plate readers and how cost-driven design choices, outdated software, and weak security controls expose them to abuse.

The post AI Surveillance: Unmasking Flock Safety’s Insecurities appeared first on The Security Ledger with Paul F. Roberts.

💾

While relatively rare, real-world incidents impacting operational technology highlight that organizations in critical infrastructure can’t afford to dismiss the OT threat

A recent CISA red team assessment of a United States critical infrastructure organization revealed systemic vulnerabilities in modern cybersecurity. Among the most pressing issues was a heavy reliance on endpoint detection and response (EDR) solutions, paired with a lack of network-level protections.

These findings underscore a familiar challenge: Why do organizations place so much trust in EDR alone, and what must change to address its shortcomings?

EDR’s double-edged sword

A cornerstone of cyber resilience strategy, EDR solutions are prized for their ability to monitor endpoints for malicious activity. But as the CISA report demonstrated, this reliance can become a liability when paired with inadequate network defenses. Here’s why:

1. Tunnel vision on endpoints: EDR excels at identifying threats on individual devices but struggles with network-wide attacks. This leaves gaps when hackers exploit lateral movement or unusual data transfers — activities that often require network-level visibility to detect.
2. Playing catch-up with threats: Traditional EDR tools depend on recognizing known indicators of compromise (IOCs). Advanced attackers can easily sidestep these tools by using novel techniques or blending in with legitimate activity.
3. Blind spots in legacy systems: Legacy environments often go unnoticed by EDR, giving attackers free rein. In the CISA case, these systems allowed the red team to persist for months undetected.
4. Overwhelmed defenders: Even when EDR generates alerts, security teams can become desensitized by a flood of notifications. As seen in the CISA assessment, critical warnings can slip through the cracks simply because defenders are too stretched to respond.

Common EDR pain points

The challenges highlighted in the CISA report mirror broader issues organizations face with EDR:

• Detection without context: EDR tools often spot anomalies on endpoints but fail to connect the dots across the broader network. This lack of context can leave organizations blind to coordinated attacks.
• Weak network integration: Without network-layer defenses, EDR struggles to identify malicious activities like unusual traffic patterns or data exfiltration, key tactics in advanced breaches.
• Fragmented systems: Many organizations operate a patchwork of security tools, leaving critical gaps in coverage and making it harder to correlate data across endpoints, networks and cloud environments.

Explore threat detection and response services

The next evolution of EDR

Recognizing these shortcomings, cybersecurity is rapidly evolving beyond traditional EDR. Here’s how:

1. Extended detection and response (XDR): XDR takes EDR to the next level by integrating endpoint, network and cloud data into a single platform. This broader scope allows organizations to see the full attack picture and respond more effectively.
2. AI-driven insights: Cutting-edge EDR solutions now harness machine learning to detect subtle behavioral anomalies. By identifying deviations from normal activity, these tools catch threats even when no IOCs exist.
3. Zero trust security: Zero trust architectures take endpoint defense a step further by ensuring no device or user is trusted by default. This integration of endpoint, identity and network security reduces dependence on EDR alone.
4. Network visibility: Modern EDR tools are incorporating network traffic analysis to close the gaps identified in the CISA report. Monitoring traffic for anomalies, such as unusual data flows or external connections, bolsters defenses.
5. Cloud-native solutions: As businesses embrace hybrid and cloud environments, EDR is evolving to provide seamless coverage across on-premises and cloud systems, addressing vulnerabilities in these critical areas.

Why do gaps persist?

Even with these advancements, many organizations struggle to fully address EDR’s limitations:

• Resource strains: Small security teams often lack the bandwidth or expertise to implement and manage advanced solutions like XDR.
• Budget constraints: Upgrading to integrated platforms or modernizing legacy systems can be costly.
• Legacy challenges: Outdated environments remain vulnerable, acting as weak points that attackers can exploit.
• Leadership missteps: As the CISA report pointed out, organizations sometimes deprioritize known vulnerabilities, leaving critical gaps unaddressed.

Building a more resilient future

The CISA red team findings are a wake-up call: Endpoint protection alone is no longer enough. To outsmart today’s sophisticated adversaries, organizations must adopt a layered defense strategy that integrates endpoint, network and cloud security. Solutions like XDR, zero trust principles and advanced behavioral analysis offer a path forward — but they require strategic investments and cultural shifts.

The post Insights from CISA’s red team findings and the evolution of EDR appeared first on Security Intelligence.

On September 25, CISA issued a stark reminder that critical infrastructure remains a primary target for cyberattacks. Vulnerable systems in industrial sectors, including water utilities, continue to be exploited due to poor cyber hygiene practices. Using unsophisticated methods like brute-force attacks and leveraging default passwords, threat actors have repeatedly managed to compromise operational technology (OT) and industrial control systems (ICS).

Attacks on the industrial sector have been particularly costly. The 2024 IBM Cost of a Data Breach report found the average total cost of a data breach in the industrial sector was $5.56 million — an 18% increase for the industry compared to 2023. This represents the highest data breach cost increase of all industries surveyed in the report, rising by an average of $830,000 per breach over last year.

Ongoing vulnerabilities pose a serious threat to public safety and national security, especially as water systems and other critical infrastructure providers remain underprepared in the current threat landscape. Let’s take a closer look at the current state of critical infrastructure security, highlighting recent incidents, efforts to address vulnerabilities and the need for further collaboration between the government and private sectors.

Arkansas City Water Treatment Facility attacked

The cybersecurity incident at the Arkansas City Water Treatment Facility on September 22 exemplifies the growing risks. While city officials emphasized that the water supply remained safe and no disruption to service occurred, the breach still forced the facility to switch to manual operations. The incident is currently under investigation, with local authorities and cybersecurity experts collaborating to resolve the issue and prevent further attacks. But the Arkansas City breach is not an isolated incident; it mirrors a larger trend of attacks on water systems.

CISA has issued multiple warnings regarding the susceptibility of water and wastewater systems to cyber threats. Intruders often exploit outdated and unsecured OT and ICS environments, where systems are exposed to the internet or still using default credentials. This means cyber criminals can gain access using relatively simple techniques, which raises concerns about the overall preparedness of critical infrastructure operators.

CISA warnings and hacktivist activity

CISA’s September alert is not the first indication of the heightened threat to water and other critical infrastructure providers. Earlier in 2024, the agency warned that Russia-affiliated hacktivists were actively targeting ICS and OT environments in U.S. critical infrastructure facilities. Water systems, dams and sectors, such as energy and food, were particularly vulnerable to these attacks.

The situation worsened with the rise of the Cyber Army of Russia Reborn, a hacktivist group tied to Advanced Persistent Threat 44 (APT44), commonly known as Sandworm. The group has been quite busy exploiting weak cybersecurity postures of smaller water systems that lack adequate cyber defense resources.

According to Keith Lunden of Mandiant, “We expect these attacks to continue for the foreseeable future given the lack of dedicated cybersecurity personnel for many small- and mid-sized organizations operating OT.” Unfortunately, hacktivist groups have exploited these gaps with relative ease. And without rapid intervention, these attacks will likely continue.

Read the Threat Intelligence Index

The State and Local Cybersecurity Grant Program (SLCGP)

Amidst the growing cyber threats, the U.S. Department of Homeland Security (DHS) has recognized the need for more support for state and local government cybersecurity. In fiscal year 2024, DHS announced the allocation of $280 million in grant funding for the State and Local Cybersecurity Grant Program (SLCGP). This funding aims to assist state, local, tribal and territorial governments in enhancing their cyber resilience. A special emphasis has been placed on protecting critical infrastructure systems like water utilities, energy grids and emergency services.

These grants will help organizations improve monitoring systems, patch vulnerabilities and implement critical cybersecurity measures such as multi-factor authentication and regular system audits. In states like Michigan, for example, government agencies are already working with local water utilities to provide cybersecurity training and support. The DHS funding could greatly expand these efforts, offering a much-needed boost to the security posture of critical infrastructure providers.

The Cyberspace Solarium Commission

In 2019, the Cyberspace Solarium Commission (CSC) was established by the U.S. Congress to develop a national cyber defense strategy. Currently, approximately 80% of its recommendations have been implemented. However, a final push is needed to address critical gaps, particularly regarding private-sector collaboration and insurance reforms.

One major challenge is identifying the “minimum security burdens” for systemically important entities critical to national security. This would ensure that high-priority infrastructure providers, such as key transportation systems and water utilities, receive the necessary support to prevent catastrophic events.

The CSC also highlighted the need to develop an economic continuity plan for cyber events. This would be nothing less than an incident response and resilience plan to protect the U.S. economy in the face of a major cyberattack. The commission also emphasized the need for better information sharing between government agencies, private industries and international partners to protect critical infrastructure from evolving cyber threats.

During a recent panel discussion, Senator Angus King, co-chair of CSC 2.0, pointed to the difficulties of building trust between the government and private sectors. Private entities own and operate the majority of the nation’s critical infrastructure, but historical tensions make collaboration challenging. King noted that the situation mirrors early tensions that existed between state officials and CISA. Nonetheless, the collaboration between private industry and government is essential to address the growing threat to critical infrastructure.

The state of critical infrastructure cybersecurity

The cybersecurity posture of U.S. critical infrastructure remains a concern. As seen in attacks like the Arkansas City Water Treatment Facility and other incidents targeting internet service providers, threat actors are increasingly focusing on essential services. These attacks are not limited to small municipalities. Larger-scale infrastructure providers, including ISPs and managed service providers, have also been targets.

The FBI recently disclosed that China-linked hackers compromised more than 260,000 network devices, underscoring the scale of the problem. Meanwhile, attacks attributed to the Chinese government have targeted ISPs and managed service providers through vulnerabilities in Versa Networks’ SD-WAN software, demonstrating the growing sophistication of these threats.

While the U.S. government is actively working to improve critical infrastructure cybersecurity, the attacks on water treatment systems and other essential services clearly reveal that more needs to be done. The DHS grant program and the recommendations of the Cyberspace Solarium Commission represent critical steps in this effort, but collaboration between government, private industry and international partners will be key to building a resilient defense against evolving threats.

The safety of critical infrastructure remains a pressing concern. Recent events should serve as a wake-up call for operators, policymakers and the public to take action before a cyberattack occurs that impacts human life and health. Undoubtedly, the threats are real — and any meaningful response requires a concerted effort.

The post Is the water safe? The state of critical infrastructure cybersecurity appeared first on Security Intelligence.

At the end of 2024, we’ve reached a moment in artificial intelligence (AI) development where government involvement can help shape the trajectory of this extremely pervasive technology.

In the most recent example, the Department of Homeland Security (DHS) has released what it calls a “first-of-its-kind” framework designed to ensure the safe and secure deployment of AI across critical infrastructure sectors. The framework could be the catalyst for what could become a comprehensive set of regulatory measures, as it brings into focus the significant role AI will play in securing key infrastructure systems.

As Secretary Alejandro N. Mayorkas put it, “AI offers a once-in-a-generation opportunity to improve the strength and resilience of U.S. critical infrastructure, and we must seize it while minimizing its potential harms. The framework, if widely adopted, will go a long way to better ensure the safety and security of critical services that deliver clean water, consistent power, internet access and more.”

Mayorkas’ statement underscores the urgency of getting it right, as today’s decisions will profoundly shape how AI impacts vital systems in the future.

Key features of the DHS AI framework

The framework lays out clear roles and responsibilities for the parties involved in AI development and deployment for critical infrastructure.

Risk management guidance: DHS suggests an approach that incorporates ongoing risk management, advising stakeholders to continually identify, assess and mitigate potential AI risks. The recommendation includes adopting transparent mechanisms to track AI decisions that could impact essential services.

Ethical standards for developers: The guidelines stress the importance of incorporating ethical considerations into AI design, and make a push for responsible practices that minimize harm and ensure equitable treatment.

Collaboration across sectors: Recognizing the interconnected nature of infrastructure, DHS is promoting collaboration between public and private sectors to share best practices and vulnerabilities effectively. Information sharing is always a great way to minimize the risks brought about by both deliberate attacks and unintended failures.

Incident response preparedness: The framework also outlines how AI developers and operators should prepare for potential incidents; clear protocols must be in place to quickly address issues before they escalate.

Explore AI cybersecurity solutions

What are the responsibilities of AI developers?

One of the most notable aspects of the DHS report is the explicit focus on the responsibilities of AI developers.

The guidelines set a new precedent by outlining clear expectations, especially for those creating AI tools meant to operate in or interact with critical infrastructure.

This focus on developers is particularly important because they are at the forefront of creating technology that directly influences critical systems. The decisions made during the design, development and deployment phases can have significant consequences and impact everything from public safety to national security. By giving developers a structured set of responsibilities, DHS is hoping to create a culture of accountability and foresight in the AI community.

As such, AI developers are encouraged to take the following actions to align with the new guidelines.

Design with risk in mind: Developers are urged to build AI systems that prioritize safety and resilience from the ground up, especially when the technology is intended to interact with critical services like power grids or communication networks. This means integrating fail-safes, conducting stress tests and simulating potential failure scenarios during the design phase.

Adopt explainable AI practices: Transparency is crucial for AI developers. The framework urges the adoption of explainable AI techniques that allow human operators to understand why certain decisions were made. This practice boosts trust while also providing an audit trail that can be useful in identifying the root causes of any issues that arise.

Collaborate for broader impact: Developers should not just work alone but actively engage with a broader community of stakeholders, including policymakers, users and other tech creators. After all, collaboration helps ensure that AI tools are safe, reliable and ready to operate under real-world conditions.

By following these guidelines, developers can help build AI systems that meet technical standards and also align with societal values and safety requirements. The focus on explainable AI, risk-based design and collaboration creates a balanced approach that can maximize the benefits of AI and minimize its potential downsides.

Why does this matter now?

The release of the AI framework is a good reminder that AI technology is not evolving in a vacuum. Today, AI is more pervasive than ever before, but its use in critical infrastructure demands the highest level of care and responsibility. With the focus on developers as important players in minimizing risks, the DHS is creating an environment where AI can thrive without compromising essential public services.

It’s important to note that the responsibility for secure AI extends beyond the developer stage. Tech organizations will play a key role as well. Arvind Krishna, Chairman and CEO of IBM, says, “The DHS Roles and Responsibilities Framework for Artificial Intelligence in Critical Infrastructure is a powerful tool to help guide the responsible deployment of AI across America’s critical infrastructure, and IBM is proud to support its development. We look forward to continuing to work with the Department to promote shared and individual responsibilities in the advancement of trusted AI systems.”

Secretary Mayorkas echoes those sentiments, adding, “The choices organizations and individuals involved in creating AI make today will determine the impact this technology will have in our critical infrastructure tomorrow.”

The secretary’s words capture the essence of why this framework matters: We need to shape the future of AI in a way that protects and enhances the services that are foundational to our society.

The post DHS: Guidance for AI in critical infrastructure appeared first on Security Intelligence.

On August 29, 2024, CISA announced the launch of a new cyber-incident Reporting Portal, part of the new CISA Services Portal.

“The Incident Reporting Portal enables entities and individuals reporting cyber incidents to create unique accounts, save reports and return to submit later, and eliminate the repetitive nature of inputting routine information such as contact information,” says Lauren Boas Hayes, Senior Advisor for Technology & Innovation, at CISA.

Shortly after the announcement, Security Intelligence reported on how the portal was designed and how it differs from other cyber incident reporting structures. We noted that CISA’s biggest advantage was its ability to assist the reporting organization with response and remediation.

“Any organization experiencing a cyberattack or incident should report it — for its own benefit and to help the broader community. CISA and our government partners have unique resources and tools to aid with response and recovery, but we can’t help if we don’t know about an incident,” said CISA Executive Assistant Director for Cybersecurity Jeff Greene in a formal statement covering the portal’s announcement.

Four months later

Since the announcement in August, a lot has happened. There was a presidential election, and a new administration will take charge on January 20. The current CISA director and other political appointees will step down. The agency’s future is uncertain as of this writing, particularly regarding who will oversee it and whether its functions will be divided across different federal departments. Still, it is expected that its work will continue.

Before these changes occur, we wanted to check in with CISA to follow up on the portal’s progress and what the future might look like.

Explore cybersecurity services

Long history of collecting cyber incident reports

CISA was first created in 2018, but federal agencies have collected cyber incident reports for decades.

“The launch of the Incident Reporting Portal is a significant step forward for CISA’s ability to collect operationally relevant data from reporters in a system which is more usable for reporters,” says Hayes. “The vision for the Incident Reporting Portal is for CISA’s Incident Reporting Portal to continue to enhance the functionality of the system to enable entities to share submitted reports with colleagues or clients to facilitate more effective third-party reporting, communicate directly with CISA, and access information and services relevant to the reporter.”

The portal is expected to make compliance with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 easier. This act will “require CISA to coordinate with Federal partners and others on various cyber incident reporting and ransomware-related activities” across the 16 sectors, agencies and industries deemed “vital to the health, economy and security of the community or region.”

Hayes adds that while reporting under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 will not be required until the Final Rule goes into effect, the agency encourages critical infrastructure owners and operators to voluntarily share information on cyber incidents prior to that date to help prevent other organizations from becoming victims of similar incidents.

“Sharing information allows us to work with our full breadth of partners to help prevent attackers from compromising other victims using the same techniques,” says Hayes.  “Sharing information can provide insight into the scale of an adversary’s campaign.”

Why reporting is vital to overall cybersecurity

While reporting cyber incidents to the portal is voluntary at the moment, all organizations are encouraged to share the information. If they feel the need, they can do so anonymously. As cyberattacks and nation-state threats become more sophisticated and increasingly target critical infrastructure industries, sharing this information with CISA allows the agency to help other organizations prepare for emerging threats and implement preventive measures before the damage is done.

“Isolating cyberattacks and preventing them in the future requires the coordination of many groups and organizations,” CISA explained. “By rapidly sharing critical information about attacks and vulnerabilities, the scope and magnitude of cyber events can be greatly decreased.”

And it isn’t just CISA that uses this information. According to the U.S. Government Accountability Office (GAO), 14 federal agencies are responsible for protecting critical infrastructure from cyberattacks, many in unexpected ways. For example, TSA, which handles airport security screening, is also responsible for safeguarding the country’s gasoline pipelines.

“Entities representing critical infrastructure owners and operators told us there are great benefits in getting information about threats from federal agencies,” the GAO reported.

What comes next

Despite a changing presidential administration, CISA is moving forward. It is planning a future designed to keep the critical infrastructure safe from cyber threats, which, in turn, will provide a layer of protection for the nation’s citizens and businesses.

“Sharing information allows us to work with our full breadth of partners so that the attackers can’t use the same techniques on other victims and can provide insight into the scale of an adversary’s campaign,” Jeff Greene was quoted in Federal News Network. “CISA is excited to make available our new portal with improved functionality and features for cyber reporting.”

As for the Incident Reporting Portal’s future, Hayes says, “In the future, we are planning to implement additional features that will take time to develop and incorporate user feedback. Our user experience team is actively working to get feedback on how we can improve the system over time.”

The post CISA’s cyber incident reporting portal: Progress and future plans appeared first on Security Intelligence.