In a recent joint cybersecurity advisory, the United States Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA), and Department of Energy (DOE) have issued a warning about unsophisticated cyber actors targeting industrial control systems (ICS) and operational technology (OT) within the U.S. oil and natural gas sectors.
These threat actors employ basic intrusion techniques, but due to poor cyber hygiene and exposed assets, their actions can lead to significant consequences, including defacement, configuration changes, operational disruptions, and, in severe cases, physical damage.
To mitigate these risks, the agencies recommend several actions:
- Remove public-facing OT devices from the internet.
- Change default passwords to unique and strong ones.
- Secure remote access to OT assets using virtual private networks (VPNs) with phishing-resistant multifactor authentication (MFA).
- Segment IT and OT networks using demilitarized zones to separate local area networks from untrusted networks.
- Practice reverting to manual controls to quickly restore operations in the event of an incident.
The advisory also emphasizes the importance of regular communication with third-party managed service providers, system integrators, and system manufacturers to secure OT systems effectively.
This warning follows previous alerts and research about cyber threats to critical infrastructure sectors, including water and wastewater systems, highlighting the ongoing need for vigilance and proactive cybersecurity measures across all critical infrastructure sectors.
For more detailed guidance and resources, organizations are encouraged to review the full advisory and implement the recommended mitigations to enhance their cybersecurity posture.
CISA offers several resources:
- For more information on procuring Secure by Design OT components, see CISA's Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products.
- For more information on best practices to secure water systems and accompanying resources, see Top Cyber Actions for Securing Water Systems.
- For more information on addressing network segmentation for water systems, please see the EPA's Guidance on Improving Cybersecurity at Drinking Water and Wastewater Systems, Factsheet 2.F.
- For more comprehensive security controls to address advanced threat actors who pivot through enterprise networks to reach OT, see Identifying and Mitigating Living Off the Land Techniques.
[RELATED: To learn more on this topic, attend the SecureWorld Critical Infrastructure virtual conference on August 28, 2025. See the agenda and register for free here.]
What cybersecurity vendors are saying
"These alerts are very serious and come from observed actions by these malicious actors who are compromising critical systems. The motivation of the malicious actors is irrelevant; if an organization's sensitive systems are exposed to the internet with no security hardening, they are at risk of a compromise," said Thomas Richards, Infrastructure Security Practice Director at Black Duck.
"Many times, these systems are provided internet access for remote connectivity from support teams and vendors, but this creates a major security risk without restricting who can access it and adding proper authentication controls. Organizations in this space should conduct a complete review of their external attack surface and identify insecure devices that are exposed. Once these devices are identified, controls should be put in place to prevent unauthorized access," Richards said.
Trey Ford, CISO at Bugcrowd, offered his perspective. "I read this joint alert from CISA, FBI, EPA, and the DoE from two perspectives:
- The ICS/SCADA community is, by definition, critical infrastructure, and regularly receives alerts on highly sophisticated and nation-state activity targeting their sector. Why should this alert, tied to unsophisticated groups and activists, activate a response for folks facing capable and well-funded attackers?
- The fact that CISA has a need to report on the activities of an unsophisticated threat activity is noteworthy. Their issuing an intelligence product focusing on hygienic cybersecurity foundations like this is a reminder that all security programs are on a journey, and failure in these seemingly obvious controls leads to certain failure and compromise.
I also dream of a day where OT technologies can be safely (whether willfully or accidentally) exposed to the internet with resilience and confidence."
"Impact to Critical National Infrastructure (CNI) is a continued and growing concern with the applications of AI-based capabilities for both offensive and defensive teams," said Nathaniel Jones, Vice President of Threat Research at Darktrace. "Over the past year, the Darktrace Threat Research Team has observed a substantial, global increase in sophisticated threat actors targeting organizations within designated CNI. This trend is informed both by the heightened warnings from national intelligence agencies, as well as an overall focus of threat analysis on activity identified within customers in these industries. The targeting of CNI entities, and the subsequent operations following access, suggest threat actors may be building strategic pathways to yield geopolitical leverage in the event of conflict."
"Malicious groups exploiting CNI networks may have differing aims based on their operating context. Some APT groups may not have immediate objectives once persistence is obtained within CNI networks," Jones continued. "Potentially state-sponsored actors may take a lie-in-wait approach: opting to sit within networks with minimal activity beyond beaconing, only increasing activity when outside strategic conditions change. Certain threat actors will also leverage malware aimed at causing immediate disruption to suit their goals. This threat is particularly relevant for organizations with OT and ICS environments. Darktrace Threat Research analysts recently noted an uptick in attacks in the energy sector motivated by disruption. The means of disruption observed ranged from an OT-specific attack on a Canadian energy provider's PLC motor in the SCADA environment at a field substation, to multiple Fog ransomware attacks that successfully led to encryption."
Jones added, "As OT becomes more integrated with IT systems, it presents more opportunities for attackers. OT security is strongest when supported by robust IT security, requiring coordination between IT and OT teams to defend the entire network. By adopting good cyber hygiene, proactively securing your digital estate, and addressing any vulnerabilities before they can be exploited, organizations will be much better equipped to defend their networks against increasingly opportunistic threat actors."
Derek Manky, Chief Security Strategist & Global Vice President of Threat Intelligence with Fortinet's FortiGuard Labs, provided this summary:
"OT cyber threats have evolved dramatically as attackers increasingly target industrial environments with more sophisticated techniques. In fact, the latest Global Threat Landscape Report from Fortinet's FortiGuard Labs found that the OT sector remains one of the top targets for attackers, with industrial organizations experiencing almost half (44%) of the ransomware and wiper activity during that timeframe. The rise of Crime-as-a-Service (CaaS) has made it easier for adversaries to launch attacks, providing them with ready-made tools to breach critical infrastructure. Additionally, state-sponsored actors and financially motivated cybercriminals are focusing on disrupting industrial operations, often leveraging ransomware and advanced persistent threats (APTs).
"One of the most significant shifts has been the increasing convergence of IT and OT environments, which expands the attack surface and makes traditional security measures insufficient. Threat actors are capitalizing on this shift by leveraging new attack methods that were previously impractical to use against air-gapped OT systems and employing reconnaissance-as-a-service to map out OT networks before deploying malicious payloads.
"The future of OT security will be driven by technologies that enable faster detection, response, and adaptation to evolving threats. Key trends include:
- AI-driven threat detection that continuously learns and adapts to new attack patterns.
- Automated security orchestration (SOAR) to streamline incident response and reduce manual workload.
- Continuous Threat Exposure Management (CTEM) to identify and mitigate risks before they become exploitable.
- Industry-wide intelligence sharing initiatives, such as MITRE ATT&CK for ICS, to improve collective defense strategies.
- Zero Trust security frameworks tailored for OT environments, ensuring strict access controls and network segmentation.
"By adopting these technologies, organizations can move from a reactive to a proactive security posture, significantly reducing the risk of cyberattacks impacting industrial operations.
"Moving forward, organizations must take a risk-based approach that aligns security efforts with regulatory requirements while ensuring minimal disruption to operations. Implementing automated compliance monitoring and threat intelligence-sharing agreements can help streamline adherence to cybersecurity mandates while maintaining business continuity."