2025-05-15

CISA Flags Risk of Basic Cyberattacks on Energy Sector ICS/OT

Level: Strategic | Source: CISA | Energy | Oil and Gas

A new joint alert issued by CISA, in coordination with the FBI, EPA, and Department of Energy, warns that "unsophisticated" cyber actors are increasingly targeting operational technology (OT) and industrial control systems (ICS) in U.S. critical infrastructure sectors, with a specific focus on the oil and natural gas industries. Although the attackers rely on basic techniques, such as leveraging default credentials or unprotected remote access, CISA cautions that these tactics can still lead to serious outcomes when combined with poor cyber hygiene. The alert emphasizes that internet-exposed assets lacking modern authentication remain a key vulnerability. CISA's findings note that these intrusions could result in defacement, configuration changes, operational disruptions, or even physical damage. In response, asset owners and operators are strongly advised to review and implement the recommendations outlined in CISA's associated fact sheet.

The advisory includes a comprehensive list of mitigations designed to limit exposure and reduce the risk of these low-sophistication but high-impact attacks. Chief among these is the recommendation to completely remove OT systems from public internet access, as such devices are easily discoverable and generally lack sufficient access controls. The agencies further advise replacing default passwords with strong, unique credentials, especially for systems exposed externally or capable of controlling critical processes. In cases where remote access is unavoidable, the recommendation is to restrict access via a private network and enforce phishing-resistant multi-factor authentication. Additional controls include applying the principle of least privilege to remote access and disabling unused accounts to reduce the attack surface.

Another focus of the advisory is network segmentation. CISA recommends separating IT and OT networks using demilitarized zones (DMZs), thereby containing any compromise within a limited scope and preventing adversaries from moving laterally across systems. Entities are also urged to develop and routinely test their ability to revert to manual operations in the event of a cyber incident. This includes maintaining reliable system backups, fail-safe configurations, and standby infrastructure capable of restoring operations quickly. Lastly, critical infrastructure organizations are encouraged to coordinate closely with managed service providers, system integrators, and manufacturers to review and correct potential misconfigurations that may have been introduced during deployment or maintenance.
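As an added example (not part of the Anvilogic post or of CISA's advisory), the following Python audit turns the mitigations from the two paragraphs above into checks that run over an asset inventory: public internet exposure, default credentials, remote access outside a private network or without phishing-resistant MFA, OT assets directly reachable from the IT zone (no DMZ in between), and unused accounts. The inventory schema, the 90-day threshold for an "unused" account, the set of MFA methods treated as phishing-resistant, and the two sample assets are all assumptions constructed for this example.

```python
"""Audit OT/ICS inventory records against the CISA mitigations summarised
in the post: no internet exposure, no default credentials, private-network
remote access with phishing-resistant MFA, IT/OT separation via a DMZ, and
removal of unused accounts.  Schema, thresholds and sample data are
assumptions for this example, not CISA's or Anvilogic's."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed threshold: an enabled account with no login for this long is "unused".
UNUSED_ACCOUNT_DAYS = 90
# Assumed set of MFA methods treated as phishing-resistant for this audit.
PHISHING_RESISTANT_MFA = {"fido2", "piv", "certificate"}
# Fixed audit date so the output is reproducible (constructed value).
TODAY = date(2025, 5, 15)


@dataclass
class Account:
    name: str
    last_login: date | None          # None means the account has never logged in
    enabled: bool = True


@dataclass
class Asset:
    name: str
    zone: str                        # "ot", "it" or "dmz" (assumed zone names)
    internet_exposed: bool
    default_credentials: bool
    remote_access: str | None        # None, "vpn" (private network) or "public"
    mfa_method: str | None           # MFA method enforced on remote access, if any
    controls_process: bool           # True if the asset can change a physical process
    reachable_from: set[str] = field(default_factory=set)   # zones with a direct path
    accounts: list[Account] = field(default_factory=list)


def audit_asset(asset: Asset, today: date = TODAY) -> list[str]:
    """Return one finding per mitigation the asset fails (empty list = compliant)."""
    findings: list[str] = []
    if asset.internet_exposed:
        findings.append("internet-exposed: remove the asset from public internet access")
    if asset.default_credentials:
        # Default credentials matter most where the asset is reachable from outside
        # or can drive a physical process, which is the advisory's emphasis.
        sev = "critical" if (asset.internet_exposed or asset.controls_process) else "high"
        findings.append(f"default credentials ({sev}): replace with strong unique credentials")
    if asset.remote_access == "public":
        findings.append("remote access over a public network: restrict to a private network")
    if asset.remote_access is not None and asset.mfa_method not in PHISHING_RESISTANT_MFA:
        findings.append("remote access without phishing-resistant MFA")
    if asset.zone == "ot" and "it" in asset.reachable_from:
        findings.append("reachable directly from the IT zone: place a DMZ between IT and OT")
    cutoff = today - timedelta(days=UNUSED_ACCOUNT_DAYS)
    for acct in asset.accounts:
        if acct.enabled and (acct.last_login is None or acct.last_login < cutoff):
            findings.append(f"unused account '{acct.name}': disable or remove it")
    return findings


def audit_inventory(assets: list[Asset], today: date = TODAY) -> dict[str, list[str]]:
    """Map each non-compliant asset name to its findings; compliant assets are omitted."""
    report = {}
    for asset in assets:
        findings = audit_asset(asset, today)
        if findings:
            report[asset.name] = findings
    return report


# Constructed sample inventory: one exposed wellhead PLC and one hardened HMI.
PLC_EXPOSED = Asset(
    name="plc-wellhead-07", zone="ot", internet_exposed=True,
    default_credentials=True, remote_access="public", mfa_method=None,
    controls_process=True, reachable_from={"it", "internet"},
    accounts=[Account("admin", None), Account("operator", TODAY - timedelta(days=5))],
)
HMI_OK = Asset(
    name="hmi-control-room", zone="ot", internet_exposed=False,
    default_credentials=False, remote_access="vpn", mfa_method="fido2",
    controls_process=True, reachable_from={"dmz"},
    accounts=[Account("operator", TODAY - timedelta(days=2))],
)

if __name__ == "__main__":
    for name, findings in audit_inventory([PLC_EXPOSED, HMI_OK]).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run as a script it prints six findings for the PLC and nothing for the HMI. The same checks apply unchanged to an inventory exported from a real asset-management system, provided the export is mapped onto the `Asset` fields.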
