Plaintext: Latest in Critical Infrastructure Security
Source: Jason Mitrione (@jasonmphoto) via Unsplash

Welcome to Dark Reading in Plaintext, brought to your inbox this week by Tines. In this issue of Plaintext, we review some of the biggest recent headlines about attacks on critical infrastructure. CISA has published updated guidance to boost overall security in the space. We also look at how ransomware gangs continue to evolve their tactics. If you enjoy Plaintext, please share with friends and colleagues!

Latest on Critical Infrastructure Security

In Norway, suspected Russian operators seized control of a dam in Bremanger, holding its valves open for four hours and releasing approximately 500 liters of water per second downstream. Norway's domestic intelligence agency, PST, has attributed the dam attack to Moscow, characterizing it as an intimidation tactic designed "to cause fear and chaos among the general population." While the dam attack didn't cause catastrophic damage, it demonstrated that the attackers could have caused more significant harm, and it fits the Kremlin's apparent strategy of probing various sectors of Western infrastructure regardless of their prominence or obscurity.

CISA is strongly urging organizations with operational technology (OT) environments to implement the recommendations outlined in its Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators amid an alarming rise in attacks targeting industrial systems. The document provides a systematic approach for creating and maintaining comprehensive OT asset inventories and taxonomies and should be considered a foundation for improved security posture. CISA describes OT taxonomies as "a categorization system that organizes and prioritizes OT assets, aids in risk identification, vulnerability management, and incident response by classifying assets based on function and criticality."
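To make the idea of an OT taxonomy concrete, here is an added example (not code from CISA's guidance or from the newsletter) that turns a small set of constructed asset records into a function-by-criticality taxonomy, a prioritized list, and a report of records that are too incomplete to risk-rate. The record fields, zone labels, impact categories and scoring weights are assumptions made for illustration, not CISA's schema.

```python
"""Build a prioritized OT asset inventory and taxonomy.

Added example, not from the CISA guidance or the newsletter. The record
fields, zone labels, impact categories and scoring weights are assumptions
made for illustration; the sample records are constructed.
"""
from collections import defaultdict

# Constructed sample: a handful of assets at a small water utility.
SAMPLE_ASSETS = [
    {"id": "PLC-01", "type": "PLC", "function": "control", "zone": "cell-1",
     "vendor": "ExampleVendor", "firmware": "4.2.1", "protocols": ["modbus"],
     "process_impact": "safety", "remote_access": False},
    {"id": "HMI-01", "type": "HMI", "function": "supervisory", "zone": "cell-1",
     "vendor": "ExampleVendor", "firmware": "", "protocols": ["opc-ua"],
     "process_impact": "operations", "remote_access": True},
    {"id": "HIST-01", "type": "Historian", "function": "data", "zone": "dmz",
     "vendor": "ExampleVendor", "firmware": "2.0", "protocols": ["opc-ua", "sql"],
     "process_impact": "reporting", "remote_access": True},
    {"id": "RTU-07", "type": "RTU", "function": "control", "zone": "remote-site",
     "vendor": "", "firmware": "", "protocols": ["dnp3"],
     "process_impact": "safety", "remote_access": True},
]

# Fields a record must carry before it is useful for vulnerability management
# or incident response (assumed minimum set).
REQUIRED_FIELDS = ("vendor", "firmware", "zone", "function", "process_impact")

# Assumed weights: what happens to the physical process if the asset is lost.
IMPACT_WEIGHT = {"safety": 5, "operations": 3, "reporting": 1}


def criticality_score(asset):
    """Score = process impact, plus exposure and control-role modifiers (assumed)."""
    score = IMPACT_WEIGHT.get(asset.get("process_impact"), 0)
    if asset.get("remote_access"):
        score += 2          # reachable from outside its own cell/zone
    if asset.get("function") == "control":
        score += 1          # directly actuates the physical process
    return score


def criticality_tier(score):
    """Map a numeric score onto the three tiers used in the taxonomy."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_taxonomy(assets):
    """Group asset IDs by (function, criticality tier)."""
    taxonomy = defaultdict(list)
    for a in assets:
        key = (a.get("function", "unknown"), criticality_tier(criticality_score(a)))
        taxonomy[key].append(a["id"])
    return dict(taxonomy)


def inventory_gaps(assets):
    """Return {asset_id: [missing fields]} for records that cannot be risk-rated."""
    gaps = {}
    for a in assets:
        missing = [f for f in REQUIRED_FIELDS if not a.get(f)]
        if missing:
            gaps[a["id"]] = missing
    return gaps


def prioritized(assets):
    """Asset IDs ordered by criticality, highest first (ties broken by ID)."""
    return [a["id"] for a in sorted(assets, key=lambda a: (-criticality_score(a), a["id"]))]


if __name__ == "__main__":
    print("priority order:", prioritized(SAMPLE_ASSETS))
    for key, ids in sorted(build_taxonomy(SAMPLE_ASSETS).items()):
        print(f"{key[0]:<12}{key[1]:<8}{ids}")
    print("records needing enrichment:", inventory_gaps(SAMPLE_ASSETS))
```

The gap report is the part worth keeping: an RTU at a remote site with no recorded vendor or firmware version is exactly the asset that cannot be matched against an advisory when one lands, so the inventory should surface it before an incident does.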

The guidance comes at a critical time, with Dragos reporting an 87% year-over-year increase in cyberattacks targeting U.S. industrial companies in 2024, and the FBI warning of significant spikes in attacks on critical infrastructure. Acting CISA Director Madhu Gottumukkala said in a statement that OT systems "power everything from water systems and energy grids to manufacturing and transportation networks," making them vital to national security.

This guidance is "a valuable resource that helps organizations effectively identify and secure their most vital assets, reduce the risk of cybersecurity incidents, and ensure the continuity of their mission and services." —Chris Butera, CISA Acting Executive Assistant Director for Cybersecurity

Water utilities and related infrastructure seem to be seeing more attacks. In the first quarter of 2025, one in five utilities (19%) surveyed by the Water Information Sharing and Analysis Center (WaterISAC) suffered a cybersecurity incident. This is why partnerships like the one between the public-service project DEF CON Franklin and the National Rural Water Association (NRWA) are so important. Over the past year, volunteer security experts worked with five water utilities across four states to help implement basic security controls, such as changing default passwords and deploying multi-factor authentication, and to establish strategic initiatives such as incident response planning, says Jake Braun, former principal deputy national cyber director at the White House during the Biden Administration and current lecturer at the University of Chicago Harris School of Public Policy. The goal is to scale up the initiative to reach more water systems across the US, he says.


Dark Reading in Plaintext is brought to you by Tines

The State of the SOC in 2025: What the SANS Data Says

Get the full SANS 2025 SOC Survey report, sponsored by Tines, to learn how today’s SOCs are evolving - and where they’re still stuck.


Ransomware is Killing Endpoint Star?

At least twelve ransomware groups now deploy kernel-level EDR killers to disable endpoint security products before launching attacks, Trend Micro reports. Groups like Crypto24 use customized versions of tools such as RealBlindingEDR to disable security products from 28 vendors, including Sophos, Trend Micro, and SentinelOne, while others employ variants of EDRKillShifter in a consistent pattern in which security tools are disabled before the ransomware is deployed. These attacks typically rely on "Bring Your Own Vulnerable Driver" (BYOVD) techniques: a legitimately signed but exploitable driver is loaded to obtain kernel memory access, which is then used to remove the kernel callbacks and filters that EDR products depend on for visibility, allowing the attackers to operate undetected.

The threat extends beyond the disabled endpoint itself: once endpoint telemetry is gone, lateral movement across the network, particularly in cloud-connected environments, becomes easier to carry out unnoticed. Some ransomware operators have even begun repurposing legitimate software tools such as HRSword, making detection more challenging. The implications are particularly concerning for organizations with complex cloud-connected networks, where communication paths between components may remain inadequately monitored after endpoint telemetry is compromised. Systems with properly configured security controls and robust access management, consistent with the principle of least privilege, remain protected from such attacks, Trend Micro said.

"What we observed represents a classic example of 'living off the land' tactics, where threat actors leverage legitimate administrative tools to further their attacks in post-compromise scenarios." —Trend Micro
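Because an EDR killer silences the sensor it is attacking, the detection has to run off the endpoint, on telemetry that was already shipped to a collector. The following added example (not code from Trend Micro or the newsletter) shows one such correlation: a driver load that is either on a vulnerable-driver denylist or comes from an unexpected path, followed within a short window by the EDR's own processes exiting on the same host. The events are constructed in a simplified Sysmon-like shape (Event ID 6 = DriverLoad, Event ID 5 = ProcessTerminate), and the EDR process names, hashes and denylist are assumptions for illustration; in practice the denylist would come from a curated vulnerable-driver list and the process names from the deployed agent.

```python
"""Correlate suspicious kernel driver loads with EDR process terminations.

Added example, not part of the Trend Micro research or the newsletter. Events
are constructed in a simplified Sysmon-like shape (event_id 6 = DriverLoad,
event_id 5 = ProcessTerminate). The EDR process names, hashes and the
vulnerable-driver denylist are assumptions made for illustration.
"""
import ntpath

# Assumed names of the EDR agent's processes on the endpoint (hypothetical).
EDR_PROCESSES = {"edr_agent.exe", "edr_sensor.exe"}

# Constructed denylist: SHA-256 of known-vulnerable signed drivers.
# In production this would be sourced from a curated vulnerable-driver list.
VULNERABLE_DRIVER_HASHES = {
    "deadbeef" * 8: "constructed-vulnerable-driver.sys",
}

# Drivers normally load from here; anything else deserves a second look.
DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed events. ts is seconds since an arbitrary epoch.
EVENTS = [
    {"ts": 0, "host": "ws1", "event_id": 6,
     "image": r"C:\Windows\System32\drivers\tcpip.sys", "sha256": "11" * 32},
    {"ts": 60, "host": "ws1", "event_id": 6,
     "image": r"C:\Users\Public\hw_util.sys", "sha256": "deadbeef" * 8},
    {"ts": 70, "host": "ws1", "event_id": 5,
     "image": r"C:\Program Files\EDR\edr_agent.exe"},
    {"ts": 72, "host": "ws1", "event_id": 5,
     "image": r"C:\Program Files\EDR\edr_sensor.exe"},
    # A lone EDR process exit with no preceding driver load (e.g. an agent upgrade).
    {"ts": 900, "host": "ws2", "event_id": 5,
     "image": r"C:\Program Files\EDR\edr_agent.exe"},
]


def is_suspicious_driver_load(ev):
    """Flag DriverLoad events with a denylisted hash or an out-of-place image path."""
    if ev["event_id"] != 6:
        return False
    if ev.get("sha256") in VULNERABLE_DRIVER_HASHES:
        return True
    return not ev["image"].lower().startswith(DRIVER_DIR)


def detect_edr_kill(events, window=300):
    """Alert when an EDR process exits within `window` seconds after a
    suspicious driver load on the same host. Returns a list of alert dicts."""
    recent_loads = {}   # host -> suspicious DriverLoad events seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if is_suspicious_driver_load(ev):
            recent_loads.setdefault(host, []).append(ev)
            continue
        if ev["event_id"] != 5:
            continue
        proc = ntpath.basename(ev["image"]).lower()
        if proc not in EDR_PROCESSES:
            continue
        # Pair the termination with the most recent qualifying driver load.
        for load in reversed(recent_loads.get(host, [])):
            if 0 <= ev["ts"] - load["ts"] <= window:
                alerts.append({
                    "host": host,
                    "driver": ntpath.basename(load["image"]),
                    "driver_sha256": load.get("sha256"),
                    "killed": proc,
                    "ts": ev["ts"],
                    "reason": "EDR process exited after suspicious driver load",
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_edr_kill(EVENTS):
        print(alert)
```

Two design points matter here. The correlation keys on the driver load, not on the kill tool's name, so a renamed or freshly compiled EDR killer is caught as long as the driver it brings is denylisted or loaded from an odd location. And the lone agent exit on ws2 produces nothing, which keeps legitimate agent upgrades out of the alert queue; a second, independent signal for that case is a missing heartbeat in the EDR console rather than more endpoint logic.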

What We Are Reading

What We Heard On-Air

Check out the latest "CISO Conversation" between our editor-in-chief Kelly Jackson Higgins and deputy CISO Carmine Valente (Con Edison) discussing how IT and OT security worlds are converging. And of course, AI came up.

"In some form, AI has been always present in SecOps...We've always had tools within the SecOps [security operations] that would help massage data and analyze big data to identify potential threats or potential anomalies throughout [network] layers." —Carmine Valente, deputy CISO at Con Edison, New York

From Our Library

Check out some of the latest reports from our Dark Reading Library!

On That Note

Lots of great Dark Reading videos recently! Black Hat USA last week in Vegas marked our 10th year of running News Desk. Thank you for all the guests we've hosted over the years. You can check out all our guests from this year's News Desk here (individual write-ups are on the way) as well as our News Desk archives on YouTube. In our Career Conversations With a CISO series, Jessica Sica discusses resilience and Melina Scotto addresses certifications and degrees.


Charles Everette - CISSP ✔️

vCISO | CISO, City of Fort Lauderdale | Field CISO at ESET | Security Architecture | Threat Intel | Trusted Advisor | Professional Speaker


If a gate valve opens at 03:00 and EDR telemetry is dead, what’s your first alarm—PLC state change, historian deltas, or NDR on ICS protocols? Curious how folks are wiring those signals into SOC playbooks without overwhelming noise.

Mauricio Ortiz, CISA

Great dad | Inspired Risk Management and Security | Cybersecurity | AI Governance & Security | Data Science & Analytics My posts and comments are my personal views and perspectives but not those of my employer


Kernel-level EDR killers: This is a wake-up call for organizations, but mostly for EDR vendors. They must keep innovating as threat actors become more knowledgeable and proactive in deciphering how EDR works and how to stop it. We are now at a stage where organizations must watch the "watchers" (EDRs) to ensure they are running, detect sudden config changes, confirm they are still sending expected data, and check for abnormal behaviors.
