Analysts from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and U.S. Coast Guard (USCG) conducted a threat hunt engagement at a critical infrastructure organization. During this hunt, CISA proactively searched for evidence of malicious activity or the presence of a malicious cyber actor on the customer’s network using host, network, ICS (industrial control system), commercial cloud, and open-source analysis tools. While reviewing IT–OT interconnectivity, CISA found the OT (operational technology) environment was misconfigured.

Key findings included shared local admin accounts with identical plaintext passwords, poor network segmentation between IT and OT environments, and inadequate log retention and logging practices. Additional findings covered misconfigured ‘sslFlags’ (the IIS setting that governs whether a site requires TLS and client certificates) and misconfigured SQL (structured query language) connections, each on a production server.

“While CISA did not find evidence of threat actor presence on the organization’s network, the team did identify several cybersecurity risks,” CISA and the USCG said in a cybersecurity advisory published Thursday. “These findings are listed below in order of risk. Technical details of each identified cyber risk are included, along with the potential impact from threat actor exploitation of each risk.”

During the engagement, CISA did not identify evidence of malicious cyber activity or actor presence on the organization’s network. However, the agency did uncover several cybersecurity risks, including insufficient logging, insecurely stored credentials, shared local administrator credentials across many workstations, unrestricted remote access for local admin accounts, poor network segmentation between IT and OT assets, and multiple device misconfigurations. The agency also searched for evidence of activity by looking for specific exploitation tactics, techniques, and procedures (TTPs) and associated artifacts.

Several of these findings align with those observed during similar engagements conducted by US Coast Guard Cyber Command (CGCYBER), which are documented in their 2024 Cyber Trends and Insights in the Marine Environment (CTIME) report. The authoring agencies encourage critical infrastructure organizations to review the CTIME report to understand trends in the techniques/attack paths threat actors are using to compromise at-risk organizations, and what mitigations organizations should implement to prevent a successful attack.

CISA identified several local admin accounts that used identical passwords and were shared across many hosts. The credentials for each account were stored in plaintext in batch scripts: these authorized provisioning scripts created user accounts with local admin privileges and then set identical, non-expiring passwords, with the password hard-coded in the script itself.

One script in particular created an admin account, set its password (stored in the script in plaintext), and automatically added the account to the local Administrators group. That account then served as the local admin account on many other hosts.

With local admin access, malicious actors can modify existing accounts or create new ones to escalate privileges or maintain persistent access; install malicious browser extensions on compromised systems; and communicate with compromised systems over standard application-layer protocols, which may bypass some security monitoring tools. They can also modify local policies to escalate privileges or disable security features; alter system configurations or install software that executes at startup to ensure continued access and persistence; and hijack the execution flow of applications to inject malicious code.
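The provisioning pattern described above can be found mechanically before a hunt team arrives. The following is an added example written for this article, not code from the advisory or from the organization: it scans Windows batch scripts for net user ... /add lines that carry a literal password, checks whether the same account is then added to the local Administrators group or has its password set to never expire, and reports the same password reused across scripts by a hash fingerprint rather than echoing the secret. The script paths and contents are constructed sample data.

```python
"""Find hard-coded local admin provisioning in Windows batch scripts.

Added example for this article, not code from the CISA/USCG advisory.
It looks for the pattern the advisory describes: `net user <name> <password> /add`
with a literal password, the account then added to the local Administrators
group, and (optionally) the password set to never expire via wmic. Passwords
are never echoed; reuse across scripts is reported by a hash fingerprint.
Script paths and contents below are constructed sample data.
"""
import hashlib
import re
from collections import defaultdict

# `net user <name> <password> /add ...` - one command per line, case-insensitive
NET_USER_ADD = re.compile(
    r'^\s*net\s+user\s+(?P<name>"[^"]*"|\S+)\s+(?P<pw>"[^"]*"|\S+)\s+/add\b',
    re.IGNORECASE | re.MULTILINE,
)
# `net localgroup administrators <name> /add`
NET_LOCALGROUP_ADMIN = re.compile(
    r'^\s*net\s+localgroup\s+administrators\s+(?P<name>"[^"]*"|\S+)\s+/add\b',
    re.IGNORECASE | re.MULTILINE,
)
# `wmic useraccount where name='<name>' set PasswordExpires=false`
WMIC_NEVER_EXPIRES = re.compile(
    r"""wmic\s+useraccount\s+where\s+name\s*=\s*['"](?P<name>[^'"]+)['"]\s+set\s+PasswordExpires\s*=\s*false""",
    re.IGNORECASE,
)


def _unquote(token: str) -> str:
    return token[1:-1] if len(token) >= 2 and token[0] == token[-1] == '"' else token


def scan_script(text: str) -> dict:
    """Return which accounts a script creates and how it handles their passwords."""
    found = {"plaintext": {}, "prompted": set(), "admins": set(), "never_expires": set()}
    for m in NET_USER_ADD.finditer(text):
        name, pw = _unquote(m["name"]).lower(), _unquote(m["pw"])
        if pw == "*":                 # `net user x * /add` prompts for the password: nothing stored
            found["prompted"].add(name)
        elif not pw.startswith("/"):  # a leading slash is a switch, not a password
            found["plaintext"][name] = pw
    found["admins"] = {_unquote(m["name"]).lower() for m in NET_LOCALGROUP_ADMIN.finditer(text)}
    found["never_expires"] = {m["name"].lower() for m in WMIC_NEVER_EXPIRES.finditer(text)}
    return found


def fingerprint(password: str) -> str:
    """Short hash so reuse can be reported without printing the secret."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def audit_scripts(scripts: dict) -> tuple:
    """scripts: {path: text}. Returns (per-account findings, passwords reused across scripts)."""
    findings, by_fingerprint = [], defaultdict(list)
    for path, text in scripts.items():
        s = scan_script(text)
        for name, pw in s["plaintext"].items():
            issues = ["plaintext password in script"]
            if name in s["admins"]:
                issues.append("added to local Administrators")
            if name in s["never_expires"]:
                issues.append("password set to never expire")
            findings.append({"script": path, "account": name, "issues": issues})
            by_fingerprint[fingerprint(pw)].append((path, name))
    reused = {fp: locs for fp, locs in by_fingerprint.items() if len(locs) > 1}
    return findings, reused


# Constructed sample scripts standing in for files collected from several hosts.
SAMPLE_SCRIPTS = {
    r"\\WKS-01\c$\deploy\setup.bat": (
        "@echo off\n"
        "net user svc_admin P@ssw0rd2024 /add /y\n"
        "net localgroup administrators svc_admin /add\n"
        "wmic useraccount where name='svc_admin' set PasswordExpires=false\n"
    ),
    r"\\WKS-02\c$\deploy\setup.bat": (
        "net user svc_admin P@ssw0rd2024 /add\n"
        "net localgroup administrators svc_admin /add\n"
    ),
    r"\\WKS-03\c$\deploy\helpdesk.bat": (
        "net user helpdesk * /add\n"       # interactive prompt: no secret in the file
        "net localgroup administrators helpdesk /add\n"
    ),
}

if __name__ == "__main__":
    findings, reused = audit_scripts(SAMPLE_SCRIPTS)
    for f in findings:
        print(f"{f['script']}: {f['account']}: {'; '.join(f['issues'])}")
    for fp, locs in reused.items():
        print(f"password {fp} reused by: {locs}")
```

Point it at scripts gathered from logon scripts, software deployment shares and scheduled tasks; a password fingerprint that shows up in more than one location is exactly the shared-credential condition the hunt team found.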

CISA identified misconfigurations in the OT environment during its assessment of IT–OT interconnectivity. Specifically, standard user accounts could directly access the supervisory control and data acquisition (SCADA) virtual local area network (VLAN) from IT hosts. CISA determined it was possible to establish a connection from a user workstation in the IT network to a system within the SCADA VLAN. 

The cybersecurity agency also found that the customer did not have sufficient secure bastion hosts dedicated to accessing SCADA and heating, ventilation, and air conditioning (HVAC) systems. A bastion host, sometimes referred to as a jump box or jump server, is a specialized, highly secured system (often a server or dedicated workstation) that serves as the sole access point between a network segment (such as an internal IT network) and a protected internal network (such as an OT or ICS environment).

The advisory mentioned that insufficient OT network segmentation configuration, network access control (NAC), and the ability of a non-privileged user within the IT network to use their credentials to access the critical SCADA VLAN present a security and safety risk. “Given that SCADA and HVAC systems control physical processes, compromises of these systems can have real-world consequences, including risks to personnel safety, infrastructure integrity, and equipment functionality.”

Malicious actors could exploit unsecured workstations that have access to OT systems, together with the weak segmentation between IT and OT, to move laterally from compromised IT workstations to OT systems over Remote Desktop Protocol (RDP) or Secure Shell (SSH). They could also execute commands and scripts with scripting languages such as PowerShell to attack OT systems; map network connections to identify paths into OT; and gather information about network configurations to plan attacks on OT systems.

The CISA-USCG advisory assesses that by exploiting these weaknesses, attackers can potentially gain unauthorized access to critical OT systems, manipulate physical processes, disrupt operations, and cause harm.

CISA was unable to hunt for every MITRE ATT&CK procedure in the scoped hunt plan, partly because the organization’s event logging system was insufficient for this analysis. “The absence of comprehensive and detailed logs, along with a lack of an established baseline for normal network behavior, prevented CISA from performing thorough behavior and anomaly-based detection. This limitation hindered the ability to hunt for certain TTPs, such as living-off-the-land techniques, the use of valid accounts, and other TTPs used by sophisticated threat actors,” it added. 
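What the missing baseline would have enabled is easier to see with a concrete check. The following is an added example written for this article, not code from the advisory: it learns which accounts normally log on to which hosts from a window of Windows logon events, then flags logons outside that baseline, remote (network or RDP) logons made with local administrator accounts, and a single account arriving from many source workstations, which is what a shared local admin credential looks like in the logs. The events and the list of local admin account names are constructed.

```python
"""Baseline-and-deviation hunt for valid-account misuse from Windows logon events.

Added example for this article, not code from the advisory. It shows the kind
of check that an established baseline makes possible: learn which accounts
normally log on to which hosts, then flag logons that leave that baseline,
local administrator accounts used remotely, and one account appearing from
many source workstations (a shared-credential indicator). Events are
constructed tuples carrying a subset of Windows Security event 4624 fields:
(account, logon type, source workstation, target host).
"""
from collections import defaultdict

REMOTE_LOGON_TYPES = {3, 10}      # 3 = network (SMB, WinRM, ...), 10 = RemoteInteractive (RDP)
LOCAL_ADMINS = {"administrator", "svc_admin"}   # assumed list of local admin account names


def build_baseline(events) -> set:
    """Set of (account, target host) pairs seen during the learning window."""
    return {(user.lower(), dst.upper()) for user, _ltype, _src, dst in events}


def hunt(events, baseline, local_admins=LOCAL_ADMINS, max_sources=3) -> list:
    """Return alerts as dicts with a 'kind' field for each of the three checks."""
    alerts, sources = [], defaultdict(set)
    for user, ltype, src, dst in events:
        u, s, d = user.lower(), src.upper(), dst.upper()
        sources[u].add(s)
        if (u, d) not in baseline:
            alerts.append({"kind": "new-user-host-pair", "account": u, "src": s, "dst": d})
        # A local admin account belongs at the console of its own host; any network
        # or RDP logon with one is the "unrestricted remote access" condition from the hunt.
        if u in local_admins and ltype in REMOTE_LOGON_TYPES:
            alerts.append({"kind": "local-admin-remote-logon", "account": u,
                           "src": s, "dst": d, "type": ltype})
    for u, srcs in sources.items():
        if len(srcs) > max_sources:
            alerts.append({"kind": "account-used-from-many-sources",
                           "account": u, "sources": sorted(srcs)})
    return alerts


# Constructed learning window: the organization's normal logon pattern.
BASELINE_EVENTS = [
    ("jsmith", 2, "WKS-01", "WKS-01"),
    ("jsmith", 3, "WKS-01", "FS-01"),
    ("akhan", 2, "WKS-02", "WKS-02"),
    ("akhan", 10, "WKS-02", "JUMP-01"),
    ("svc_backup", 3, "BKP-01", "FS-01"),
]

# Constructed hunt window: the shared svc_admin account moving between hosts.
HUNT_EVENTS = [
    ("jsmith", 2, "WKS-01", "WKS-01"),
    ("jsmith", 3, "WKS-01", "FS-01"),
    ("svc_admin", 3, "WKS-01", "FS-01"),
    ("svc_admin", 10, "WKS-02", "WKS-05"),
    ("svc_admin", 10, "WKS-03", "WKS-06"),
    ("svc_admin", 10, "WKS-04", "JUMP-01"),
    ("akhan", 10, "WKS-02", "JUMP-01"),
    ("svc_admin", 2, "WKS-07", "WKS-07"),
]

if __name__ == "__main__":
    for alert in hunt(HUNT_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```

None of these checks needs a signature; they need only that logons were collected at all and retained long enough to learn what normal looks like, which is the gap the hunt team ran into.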

CISA and USCG recommend that critical infrastructure organizations implement the following mitigations to improve their cybersecurity posture. Recommendations are listed for each of CISA’s findings from this engagement, ordered from highest to lowest priority for implementation. CISA and USCG also include general practices to strengthen OT cybersecurity that are not tied to specific findings.

Organizations must provision unique and complex credentials for local administrator accounts across systems; and require phishing-resistant multifactor authentication (MFA) in addition to unique passwords for administrative access, including local- and domain-level administrator accounts, RDP sessions, and VPN connections. They must also use privileged access workstations (PAWs) dedicated solely for administrative tasks and isolate them from the internet and general network to reduce exposure to threats and lateral movement.

They must also conduct continuous auditing of privileged accounts by regularly collecting and analyzing logs of administrative activities, such as login attempts, command executions, and configuration changes, and apply the principle of least privilege by limiting administrative privileges to the minimum required for users to perform their roles. 

Organizations must also create individual administrative accounts with unique credentials and role-specific permissions and disable or rename built-in local administrator accounts to reduce common attack vectors; avoid using shared administrator accounts to improve accountability and auditability, and ensure administrators use standard accounts for non-administrative tasks to minimize credential exposure. 

They must also identify and remove unauthorized or unnecessary local administrator accounts, maintain oversight by documenting and tracking all authorized accounts, and enforce strict account management policies by restricting account creation privileges and implementing approval workflows for new administrator accounts.

The advisory also called upon critical infrastructure organizations to implement a demilitarized zone (DMZ) between IT and OT environments to provide an additional security layer, and consider a full network re-architecture if current segmentation methods cannot separate IT and OT networks. They must also collaborate with cybersecurity and network experts to design an architecture that meets ICS-specific security requirements, which includes strict identity verification for all users and devices attempting to access OT assets.

Organizations must also implement unidirectional gateways (data diodes) where appropriate to prevent bidirectional communication; keep network diagrams, configuration files, and asset inventories up to date; and regularly test segmentation controls to validate their effectiveness in restricting unauthorized access by conducting penetration testing and security assessments.
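The IT-to-SCADA connection CISA established from a user workstation, and the segmentation testing recommended here, can both be expressed as one policy check. The following is an added example written for this article, not code from the advisory: the zones, bastion address and firewall log lines are constructed, and the rules encode the design the advisory recommends, with IT users allowed only into the DMZ and only the bastion host allowed onward into the SCADA and HVAC VLANs on SSH and RDP. The audit_flow_log function evaluates ACCEPTed flows from a firewall log against that policy, and probe performs the active version of the test from a workstation, with a pluggable connect function so it can be exercised offline.

```python
"""Check an IT/OT segmentation policy against firewall flow records and live probes.

Added example for this article, not code from the advisory. The zones,
addresses, bastion host and log lines are constructed. The policy encodes the
advisory's recommended design: IT users reach only the DMZ, and only the
bastion (jump) host in the DMZ may reach the SCADA and HVAC VLANs, on admin
ports. Anything else that the firewall ACCEPTed is a segmentation failure.
"""
import ipaddress
import re
import socket

ZONES = {
    "it_users": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":      ipaddress.ip_network("10.50.0.0/24"),
    "scada":    ipaddress.ip_network("192.168.100.0/24"),
    "hvac":     ipaddress.ip_network("192.168.110.0/24"),
}
BASTIONS = {ipaddress.ip_address("10.50.0.10")}   # the only hosts allowed into OT
ADMIN_PORTS = {22, 3389}                           # SSH and RDP

# (source zone, destination zone, permitted ports, source must be a bastion)
RULES = [
    ("it_users", "dmz",   ADMIN_PORTS, False),
    ("dmz",      "scada", ADMIN_PORTS, True),
    ("dmz",      "hvac",  ADMIN_PORTS, True),
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")


def evaluate(src: str, dst: str, port: int):
    """Return None if the flow is permitted by policy, else the reason it is not."""
    sz, dz = zone_of(src), zone_of(dst)
    if "unknown" in (sz, dz):
        return f"address outside the zone map ({src} -> {dst})"
    if sz == dz:
        return None                      # intra-zone traffic is out of scope here
    for rule_src, rule_dst, ports, bastion_only in RULES:
        if (sz, dz) != (rule_src, rule_dst):
            continue
        if bastion_only and ipaddress.ip_address(src) not in BASTIONS:
            return f"{sz} host {src} reached {dz} directly, bypassing the bastion"
        if port not in ports:
            return f"{sz} -> {dz} on port {port} is not a permitted admin port"
        return None
    return f"no rule permits {sz} -> {dz}"


LOG_LINE = re.compile(r"(?P<action>ACCEPT|DENY)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<port>\d+)")


def audit_flow_log(log: str) -> list:
    """Evaluate every ACCEPTed flow; DENY lines mean the control worked."""
    violations = []
    for line in log.splitlines():
        m = LOG_LINE.search(line)
        if not m or m["action"] != "ACCEPT":
            continue
        reason = evaluate(m["src"], m["dst"], int(m["port"]))
        if reason:
            violations.append((line.strip(), reason))
    return violations


def probe(expect_blocked, connect=None, timeout=2.0) -> list:
    """Active segmentation test: return targets that connected although policy says they must not.

    `connect(dst, port) -> bool` is pluggable so the check can be exercised offline;
    the default does a real TCP connect from the host running the script."""
    if connect is None:
        def connect(dst, port):
            try:
                with socket.create_connection((dst, port), timeout=timeout):
                    return True
            except OSError:
                return False
    return [(dst, port) for dst, port in expect_blocked if connect(dst, port)]


# Constructed firewall log covering the finding (IT workstation straight into SCADA).
SAMPLE_LOG = """\
2025-07-31T10:02:11Z ACCEPT src=10.10.4.25 dst=192.168.100.20 dport=3389 proto=tcp
2025-07-31T10:02:40Z ACCEPT src=10.10.4.25 dst=10.50.0.10 dport=3389 proto=tcp
2025-07-31T10:03:05Z ACCEPT src=10.50.0.10 dst=192.168.100.20 dport=3389 proto=tcp
2025-07-31T10:05:17Z ACCEPT src=10.50.0.11 dst=192.168.110.5 dport=22 proto=tcp
2025-07-31T10:06:00Z DENY src=10.10.7.3 dst=192.168.100.21 dport=22 proto=tcp
"""

if __name__ == "__main__":
    for line, reason in audit_flow_log(SAMPLE_LOG):
        print(f"VIOLATION: {reason}\n    {line}")
    # From an IT workstation these must all fail; a stub stands in for the real connect here.
    targets = [("192.168.100.20", 3389), ("192.168.110.5", 22)]
    print("unexpectedly reachable:", probe(targets, connect=lambda d, p: (d, p) == targets[0]))
```

Run probe with the default connect from a representative IT workstation against the OT targets that should be unreachable; any non-empty result is the same finding CISA made, and rerunning it after each firewall or VLAN change is the regular segmentation test the advisory asks for.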

CISA and USCG also suggested that organizations enforce strong password policies requiring a minimum length of 15 or more characters for all password-protected IT assets and, where technically feasible, all OT assets. Where minimum password lengths are not technically feasible, apply and record compensating controls such as rate-limiting login attempts, account lockout thresholds, and strong network segmentation; prioritize those systems for upgrade or replacement; and implement MFA.

The advisory further recommends that critical infrastructure organizations implement additional mitigations to improve the cybersecurity of their IT and OT environments. They include securing RDP from the IT to OT environments by deploying dedicated VPNs for all remote interactions with the OT network; deploying VPNs with strong encryption protocols such as SSL/TLS (in practice, current TLS versions, since SSL itself is deprecated) or Internet Protocol Security (IPsec) to safeguard data integrity and confidentiality; and using MFA across VPN access points to ensure only authorized personnel can gain access.

Organizations must also configure VPN gateways to perform rigorous security checks and manage traffic destined for the OT network, ensuring comprehensive validation of all communications through pre-defined security policies. They must also align the VPN traffic monitoring with the DMZ’s capabilities to regulate and inspect the data flow between IT and OT environments. Furthermore, within the VPN configuration, enforce strict routing rules that require all remote access requests to pass through the DMZ and be authenticated by bastion hosts. 

The advisory added that if wireless technology is used within the OT environment, organizations must implement Wi-Fi Protected Access 3 Enterprise (WPA3-Enterprise) with strong authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), which authenticates both client and network with certificates rather than a shared passphrase, to ensure data confidentiality and integrity.