CISA Finds Cyber Hygiene Gaps in U.S. Infrastructure Network
A cybersecurity hunt engagement led by the Cybersecurity and Infrastructure Security Agency (CISA) and U.S. Coast Guard (USCG) uncovered cyber hygiene deficiencies at a U.S. critical infrastructure organization. While no active malicious cyber activity or presence was identified, the assessment revealed serious risks, including insufficient logging, insecure storage of credentials, misconfigured network segmentation, and widespread use of shared local administrator accounts. These findings reflect broader trends observed by USCG in its 2024 Cyber Trends and Insights in the Marine Environment (CTIME) report, reinforcing recurring vulnerabilities across critical infrastructure. CISA emphasizes that, even in the absence of confirmed compromise, such weaknesses leave organizations open to lateral movement, data theft, and long-term persistence by threat actors.
One of the most severe risks identified was the use of shared local administrator credentials stored in plaintext batch files across multiple workstations. These credentials, which were configured to never expire, granted administrative access to numerous systems, enabling lateral movement and unauthorized access without detection. CISA demonstrated the feasibility of this risk during a controlled exercise, successfully using the plaintext credentials to move between systems via Remote Desktop Protocol (RDP). Such practices, if left unaddressed, significantly elevate the risk of privilege escalation, system compromise, and long-term unauthorized access. The agency recommends unique, complex credentials per host, password rotation mechanisms, and multifactor authentication (MFA) to mitigate such exposure.
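As an added example (not code from the advisory or this article), the following Python audit flags plaintext credentials embedded in .bat/.cmd scripts, the finding described above. The regex rules and the sample maintenance script are constructed for illustration; the report masks the matched password so the audit does not itself leak it.

```python
import re
from pathlib import Path
# Rule name -> regex whose group 'secret' is the password token. Tokens starting
# with '\\' (share paths) or '/' (switches) are excluded from the secret position.
RULES = {
    "net use (password before /user:)":
        re.compile(r"\bnet\s+use\b.*?\s(?P<secret>[^\s/\\]\S*)\s+/user:", re.I),
    "net use (password after /user:)":
        re.compile(r"\bnet\s+use\b.*?/user:\S+\s+(?P<secret>[^\s/\\]\S*)", re.I),
    "psexec -p": re.compile(r"\bpsexec\b.*?\s-p\s+(?P<secret>\S+)", re.I),
    "wmic /password:": re.compile(r"\bwmic\b.*?/password:(?P<secret>\S+)", re.I),
    "set <var with pass/pwd/secret>=":
        re.compile(r"^\s*set\s+\w*(?:pass|pwd|secret)\w*\s*=\s*(?P<secret>\S+)", re.I),
}

def find_credentials(text):
    """Findings for one script: [{'line', 'rule', 'redacted'}]; '*' means 'prompt', not a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES.items():
            m = rx.search(line)
            if not m or m.group("secret") == "*":
                continue
            # Never echo the secret itself; report the offending line with it masked.
            redacted = line[:m.start("secret")] + "<REDACTED>" + line[m.end("secret"):]
            findings.append({"line": lineno, "rule": rule, "redacted": redacted.strip()})
    return findings

def scan_scripts(root):
    """Scan every .bat/.cmd under root; return {path: findings} for files with hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".bat", ".cmd"):
            hits = find_credentials(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

# Constructed sample of the kind of maintenance script the advisory describes.
SAMPLE_SCRIPT = r"""@echo off
net use Z: \\fileserver\backup$ Winter2024! /user:.\localadmin
net use \\ws-017\c$ /user:.\localadmin Winter2024!
wmic /node:ws-017 /user:.\localadmin /password:Winter2024! process call create "cmd /c backup.cmd"
psexec \\ws-018 -u .\localadmin -p Winter2024! cmd /c backup.cmd
set BACKUP_PWD=Winter2024!
net use \\ws-019\c$ * /user:.\localadmin
"""

if __name__ == "__main__":
    for f in find_credentials(SAMPLE_SCRIPT):
        print(f"line {f['line']:>2} [{f['rule']}] {f['redacted']}")
```

Run `scan_scripts(r"C:\")` (or a share of logon scripts) to sweep a fleet; the last sample line shows that a `*` password, which prompts interactively, is correctly not reported.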
CISA also found a lack of adequate segmentation between IT and operational technology (OT) networks, specifically identifying accessible paths between IT user workstations and critical SCADA systems over insecure protocols like FTP. Several systems intended to serve as bastion hosts for OT access lacked appropriate hardening and access controls, increasing the risk of unauthorized entry into sensitive environments. Insecure network configurations, combined with the absence of logging visibility into these domains, limited CISA's ability to detect potentially malicious activity or lateral movement. Recommendations include implementing VLAN separation, deploying properly hardened bastion hosts, and applying strict network access controls to isolate IT from OT assets.
In addition, insufficient logging and retention practices hampered detection efforts. Event logs from workstations were not being captured centrally, and key events such as command-line arguments were missing, reducing the effectiveness of threat hunting. Other findings included misconfigured SSL settings on web servers that allowed anonymous connections and outdated encryption standards, as well as weak password policies and centralized database configurations that posed systemic risks. To address these issues, CISA and USCG recommend a comprehensive logging strategy, use of encrypted protocols, enforcement of strong authentication, and segmentation of application resources. These mitigations align with CISA’s Cybersecurity Performance Goals (CPGs) and provide a lesson plan for organizations to reduce risk and harden defenses against adversaries. All technical findings and mitigations are detailed in CISA’s full advisory.