Primary Mitigations to Reduce Cyber Threats to Operational Technology

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA), and Department of Energy (DOE)—hereafter referred to as “the authoring organizations”—are aware of cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States. The authoring organizations urge critical infrastructure entities to review and act now to improve their cybersecurity posture against cyber threat activities specifically and intentionally targeting internet-connected OT and ICS.
Mitigations
The authoring organizations recommend critical infrastructure asset owners and operators implement the following mitigations[1] to defend against OT cyber threats.
- Remove OT connections to the public internet. OT devices are easy targets when connected to the internet. OT devices lack authentication and authorization methods that are resistant to modern threats and are quickly found by searching for open ports on public IP ranges with search engine tools to target victims with OT components [CPG 2.X].
- Cyber threat actors use simple, repeatable, and scalable toolsets available to anyone with an internet browser. Critical infrastructure entities should identify their public-facing assets and remove unintentional exposure.
- Change default passwords immediately and use strong, unique passwords. Recent analysis of this cyber activity indicates that targeted systems use default passwords or passwords that are easily guessable with open source tools. Changing default passwords is especially important for public-facing internet devices that have the capability to control OT systems or processes [CPG 2.A][CPG 2.B][CPG 2.C].
- Secure remote access to OT networks. Many critical infrastructure entities, or contractors working on their behalf, make risk-based tradeoffs when implementing remote access to OT assets. These tradeoffs deserve careful reevaluation. If remote access is essential, upgrade to a private IP network connection to remove these OT assets from the public internet and use virtual private network (VPN) functionality with a strong password and phishing-resistant multifactor authentication (MFA) for user remote access.
- Document and configure remote access solutions to apply principles of least privilege for the specific asset and user role or scope of work [CPG 2.H]. Further, disable dormant accounts.
- Segment IT and OT networks. Segmenting critical systems and introducing a demilitarized zone for passing control data to enterprise logistics reduces the potential impact of cyber threats and reduces the risk of disruptions to essential OT operations [CPG 2.F].
- Practice and maintain the ability to operate OT systems manually. The capability for organizations to revert to manual controls to quickly restore operations is vital in the immediate aftermath of an incident. Business continuity and disaster recovery plans, fail-safe mechanisms, islanding capabilities, software backups, and standby systems should all be routinely tested to ensure safe manual operations in the event of an incident.
The authoring organizations recommend that critical infrastructure organizations regularly communicate with their third-party managed service providers, system integrators, and system manufacturers who may be able to provide system-specific configuration guidance as they work to secure their OT.
- Misconfigurations may be introduced during standard operations, by the system integrator, by a managed service provider, or as part of the default product configuration by the system manufacturer. Working with the relevant groups to address these issues may prevent future unintentional vulnerabilities from being introduced.
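The mitigations above can be expressed as checks against an asset inventory, so that exposure, default credentials, remote access without VPN and MFA, and dormant accounts are found before an incident rather than after one. The following Python is an added example written for this page, not code from the advisory or the authoring organizations. The inventory rows, account records, approved OT address blocks and the `audit` function are all constructed for illustration; in particular, the exposure check treats any asset address outside the site's declared OT blocks as a candidate for public exposure, which is a proxy for an external scan, not a replacement for one.

```python
"""Policy-as-code audit of a small OT asset inventory (constructed example)."""
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed inventory. Addresses outside the approved blocks come from the
# RFC 5737 documentation ranges; nothing here describes a real site.
INVENTORY = [
    {"asset": "plc-01", "ip": "10.20.30.5", "role": "PLC",
     "default_creds": False, "remote_access": None},
    {"asset": "hmi-02", "ip": "203.0.113.40", "role": "HMI",
     "default_creds": True, "remote_access": {"method": "direct", "mfa": False}},
    {"asset": "eng-ws-03", "ip": "10.20.30.50", "role": "Engineering workstation",
     "default_creds": False, "remote_access": {"method": "vpn", "mfa": True}},
    {"asset": "rtu-04", "ip": "198.51.100.9", "role": "RTU",
     "default_creds": False, "remote_access": {"method": "vpn", "mfa": False}},
]

# Constructed account records used for the dormant-account check.
ACCOUNTS = [
    {"user": "operator1", "asset": "hmi-02", "last_login": "2025-03-28"},
    {"user": "vendor-temp", "asset": "eng-ws-03", "last_login": "2024-09-01"},
]

# Address blocks the site has declared for OT use (constructed).
APPROVED_OT_BLOCKS = [ip_network("10.20.0.0/16")]


def in_approved_block(ip, blocks):
    """True when the address falls inside one of the declared OT blocks."""
    addr = ip_address(ip)
    return any(addr in block for block in blocks)


def audit(inventory, accounts, today, blocks=APPROVED_OT_BLOCKS, dormant_days=90):
    """Return (asset, finding) pairs for each mitigation the inventory fails."""
    findings = []
    for a in inventory:
        if not in_approved_block(a["ip"], blocks):
            findings.append((a["asset"], "address outside approved OT blocks; review for internet exposure"))
        if a["default_creds"]:
            findings.append((a["asset"], "default or vendor-supplied credentials still in use"))
        ra = a["remote_access"]
        if ra:
            if ra["method"] != "vpn":
                findings.append((a["asset"], "remote access does not go through a VPN"))
            if not ra["mfa"]:
                findings.append((a["asset"], "remote access lacks phishing-resistant MFA"))
    for acct in accounts:
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            findings.append((acct["asset"], f"dormant account {acct['user']} idle {idle} days"))
    return findings


if __name__ == "__main__":
    for asset, msg in audit(INVENTORY, ACCOUNTS, date(2025, 4, 1)):
        print(f"{asset}: {msg}")
```

The checks are deliberately independent so that one missing field does not mask another finding; a real deployment would feed the inventory from the asset management system and the account list from the remote access gateway rather than from inline constants.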

CISA and Partners Issue Fast Flux Cybersecurity Advisory

The Cybersecurity and Infrastructure Security Agency (CISA) joined the National Security Agency (NSA) and other government and international partners to release a joint Cybersecurity Advisory (CSA) that warns organizations, internet service providers (ISPs), and cybersecurity service providers about fast flux-enabled malicious activities that consistently evade detection. The CSA also provides recommended actions to defend against fast flux.
An ongoing threat, fast flux networks create resilient adversary infrastructure used to evade tracking and blocking. Such infrastructure can be used for cyberattacks such as phishing, command and control of botnets, and data exfiltration. This advisory provides several techniques that should be implemented for a multi-layered security approach including DNS and internet protocol (IP) blocking and sinkholing; enhanced monitoring and logging; phishing awareness and training for users; and reputational filtering.
“Threat actors leveraging fast flux techniques remain a threat to government and critical infrastructure organizations. Fast flux makes individual computers in a botnet harder to find and block. A useful solution is to find and block the behavior of fast flux itself,” said CISA Deputy Executive Assistant Director for Cybersecurity Matt Hartman. “CISA is pleased to join with our government and international partners to provide this important guidance on mitigating and blocking malicious fast flux activity. We encourage organizations to implement the advisory recommendations to reduce risk and strengthen resilience.”
The authoring agencies encourage ISPs, cybersecurity service providers and Protective Domain Name System (PDNS) providers to help mitigate this threat by taking proactive steps to develop accurate and reliable fast flux detection analytics and block fast flux activities for their customers.
Additional co-sealers for this joint CSA are Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ).

More than 300 arrests as African countries clamp down on cyber threats

Authorities in seven African countries have arrested 306 suspects and seized 1,842 devices in an international operation targeting cyber attacks and cyber-enabled scams.
The arrests were made as part of Operation Red Card (November 2024 – February 2025) which aims to disrupt and dismantle cross-border criminal networks which cause significant harm to individuals and businesses. In particular, the operation targeted mobile banking, investment and messaging app scams. The cases uncovered during the operation involved more than 5,000 victims.
As part of the crackdown, Nigerian police arrested 130 people, including 113 foreign nationals, for their alleged involvement in cyber-enabled scams such as online casino and investment fraud. The suspects, who converted proceeds to digital assets to conceal their tracks, were recruited from different countries to run the illegal schemes in as many languages as possible. Nigerian authorities have established that some of the people working in the scam centres may also be victims of human trafficking, forced or coerced into criminal activities. Overall, the investigation led to the seizure of 26 vehicles, 16 houses, 39 plots of land and 685 devices.
In a significant case from South Africa, authorities arrested 40 individuals and seized more than 1,000 SIM cards, along with 53 desktops and towers linked to a sophisticated SIM box fraud scheme. This setup, which reroutes international calls as local ones, is commonly used by criminals to carry out large-scale SMS phishing attacks.
In Zambia, officers apprehended 14 suspected members of a criminal syndicate that hacked into victims’ phones. The scam involved sending a message containing a malicious link which, when clicked, installed malware to the device. This allowed hackers to take control of the messaging account, and ultimately the phone, giving them access to banking apps. The hackers were also able to use the victim’s messaging apps to share the malicious link within conversations and groups, enabling the scam to spread.
During the operation, Rwandan authorities arrested 45 members of a criminal network for their involvement in social engineering scams that defrauded victims of over USD 305,000 in 2024 alone. Their tactics included posing as telecommunications employees and claiming fake ‘jackpot’ wins to extract sensitive information and gain access to victims’ mobile banking accounts. Another method involved impersonating an injured family member to ask relatives for financial assistance towards hospital bills. Overall, USD 103,043 was recovered and 292 devices were seized.

Tackling cybercrime: common challenges and legislative solutions identified by Europol and Eurojust

The latest joint report by Europol and Eurojust, Common Challenges in Cybercrime, explores the persistent and emerging issues that hinder cybercrime investigations. This year’s edition not only identifies key obstacles—particularly in the field of digital evidence—but also examines how new legislative measures could help address them.
The report highlights several pressing challenges faced by law enforcement, including the overwhelming volume of digital data, the risk of data loss, and the persistent barriers to accessing critical information due to legal and technical constraints. The increasing use of anonymisation services has further complicated efforts to track criminal activities online.
To help mitigate these challenges, the report explores the impact of new EU legislative tools, such as the e-Evidence Package, the Digital Services Act, and the EU AI Act. These instruments aim to facilitate data access, improve cross-border cooperation, and enhance investigative capabilities. However, their effectiveness will largely depend on how they are implemented and integrated into existing operational strategies.
The report also underscores the value of the strategic cooperation between Europol and Eurojust, highlighting initiatives such as the SIRIUS Project, which has strengthened collaboration in cybercrime investigations. These efforts continue to play a crucial role in helping law enforcement agencies navigate an increasingly complex digital landscape.
While challenges remain, the report emphasises the potential of these new legislative measures to strengthen the fight against cybercrime. Equipping law enforcement with the right tools and ensuring their effective use in investigations will be key to staying ahead of evolving cyber threats.

NSA, CISA, FBI, and International Partners Release Cybersecurity Advisory on “Fast Flux,” a National Security Threat

CISA—in partnership with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand’s National Cyber Security Centre (NCSC-NZ)—released joint Cybersecurity Advisory Fast Flux: A National Security Threat (PDF, 841 KB). This advisory warns organizations, internet service providers (ISPs), and cybersecurity service providers of the ongoing threat of fast flux enabled malicious activities and provides guidance on detection and mitigations to safeguard critical infrastructure and national security.

“Fast flux” is a technique used to obfuscate the locations of malicious servers through rapidly changing Domain Name System (DNS) records associated with a single domain name. This threat exploits a gap commonly found in network defenses, making the tracking and blocking of malicious fast flux activities difficult.

The authoring agencies strongly recommend adopting a multi-layered approach to detection and mitigation to reduce risk of compromise by fast flux-enabled threats. Service providers, especially Protective DNS providers (PDNS), should track, share information about, and block fast flux as part of their provided cybersecurity services. Government and critical infrastructure organizations should close this ongoing gap in network defenses by using cybersecurity and PDNS services that block malicious fast flux activity.
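Both fast flux items above describe the technique as rapid churn of the DNS records behind one name and recommend that providers build detection analytics for it. The Python below is an added example, not code from the advisory or from CISA or its partners, showing the kind of per-name features a detector computes over passive-DNS style resolution records: how many distinct addresses answered, how spread out they are, and how short the TTLs were. The records, the `.test` names, the RFC 5737 addresses and the thresholds in `is_fast_flux` are all constructed; the /24-prefix count stands in for ASN diversity because ASN lookups need external data, and the thresholds are starting points to tune against local baselines, since CDNs and round-robin load balancers also rotate addresses.

```python
"""Heuristic fast-flux screening over passive-DNS style records (constructed example)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network
from statistics import mean

# Constructed records: (UTC timestamp, queried name, A record, TTL seconds).
# Names use the reserved .test TLD and addresses come from RFC 5737 ranges.
SAMPLE_RECORDS = [
    ("2025-04-01T10:00:00", "flux-example.test", "192.0.2.15", 60),
    ("2025-04-01T10:02:00", "flux-example.test", "198.51.100.44", 60),
    ("2025-04-01T10:04:00", "flux-example.test", "203.0.113.9", 120),
    ("2025-04-01T10:06:00", "flux-example.test", "192.0.2.200", 60),
    ("2025-04-01T10:08:00", "flux-example.test", "198.51.100.131", 60),
    ("2025-04-01T10:10:00", "flux-example.test", "203.0.113.250", 120),
    ("2025-04-01T10:12:00", "flux-example.test", "192.0.2.77", 60),
    ("2025-04-01T10:14:00", "flux-example.test", "198.51.100.7", 60),
    # A name that alternates between two addresses in one /24 with long TTLs.
    ("2025-04-01T10:00:00", "stable-example.test", "203.0.113.10", 3600),
    ("2025-04-01T10:30:00", "stable-example.test", "203.0.113.11", 3600),
    ("2025-04-01T11:00:00", "stable-example.test", "203.0.113.10", 3600),
]


def summarize(records):
    """Group resolutions by name and compute per-name flux indicators."""
    by_name = defaultdict(list)
    for ts, name, addr, ttl in records:
        by_name[name].append((datetime.fromisoformat(ts), addr, ttl))
    features = {}
    for name, rows in by_name.items():
        times = [r[0] for r in rows]
        ips = {r[1] for r in rows}
        # /24 prefix diversity is an offline proxy for hosting/ASN diversity.
        prefixes = {str(ip_network(f"{r[1]}/24", strict=False)) for r in rows}
        # Observation window in hours, floored at one hour to avoid tiny divisors.
        span_hours = max((max(times) - min(times)).total_seconds() / 3600, 1.0)
        features[name] = {
            "unique_ips": len(ips),
            "unique_prefixes": len(prefixes),
            "mean_ttl": mean([r[2] for r in rows]),
            "ips_per_hour": len(ips) / span_hours,
        }
    return features


def is_fast_flux(f, min_ips=5, min_prefixes=3, max_ttl=300):
    """Conservative rule: many addresses, spread across prefixes, with short TTLs."""
    return (f["unique_ips"] >= min_ips
            and f["unique_prefixes"] >= min_prefixes
            and f["mean_ttl"] <= max_ttl)


def screen(records):
    """Return the names whose resolution history matches the fast-flux heuristic."""
    return sorted(name for name, f in summarize(records).items() if is_fast_flux(f))


if __name__ == "__main__":
    for name, f in summarize(SAMPLE_RECORDS).items():
        print(name, f, "FLAG" if is_fast_flux(f) else "ok")
```

Requiring all three conditions together is what keeps a legitimately load-balanced name from being flagged on address count alone; a name that is flagged is a candidate for the sinkholing and PDNS blocking the advisory recommends, after an analyst confirms it.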

ITU and ESA agree on optimising satellite communications

The International Telecommunication Union (ITU) and the European Space Agency (ESA) have announced a collaborative effort to improve mitigation measures against harmful interference in satellite systems.

The joint initiative, reflecting United Nations objectives under the 2030 Agenda for Sustainable Development, aims to ensure the sustainable and efficient use of limited space-based communication resources.

Both organisations recognise growing complexities in managing finite spectrum and orbital resources. An agreement signed in Barcelona, Spain, formalises their plans for closer cooperation on key issues for global digital communications.

Under the agreement, ITU and ESA will work together on:

  • Sustainable and efficient spectrum use: Ensuring that radio frequency spectrum for satellite systems is utilised in a responsible and effective manner.
  • Development of space-based monitoring technologies: Exploring and potentially developing advanced technologies for monitoring the use of radio frequencies to identify and geolocate sources of harmful interference.
  • Exchange of information and expertise: Facilitating knowledge-sharing between the two organisations to enhance space communication systems and regulatory frameworks.

Space-based communication technologies are increasingly crucial for global connectivity, scientific research, and emergency response systems. At the same time, growing numbers of satellites and increasing risks of signal interference necessitate innovative, increasingly complex, and highly coordinated spectrum management solutions.

“Innovation and regulations are key to facilitate and preserve access to spectrum-orbit resources free from harmful interference,” said Mario Maniewicz, Director of ITU Radiocommunications Bureau. “This agreement is the first step towards a series of joint ESA-ITU efforts to ensure sustainability of space radio-communications systems.”

Preserving radio waves for all

ITU, as the UN specialised agency for information and communication technologies, has long been at the forefront of coordination among countries and regions on radio frequencies and satellite orbits worldwide. ITU Resolution 189 (Rev. Bucharest, 2022) emphasises the importance of transparency and confidence-building in outer space activities.

ESA, an intergovernmental organisation established in 1975, supports space research and technology development for peaceful and scientific purposes. Together, ITU and ESA aim to strengthen international efforts in satellite monitoring and interference mitigation, ensuring reliable and sustainable access to satellite communication services worldwide.

“Promoting the responsible use of spectrum and preserving it from interferences is key to ensure the viability of our operators and ultimately the service delivered to their customers,” said Laurent Jaffart, ESA’s Director of Connectivity and Secure Communications. “Together with ITU, we will promote the importance of ensuring the sustainability of this limited and valuable resource and will collaborate towards establishing good practices for its responsible use for the benefit of society and businesses.”

A step towards a sustainable digital future

By combining their expertise and resources, ITU and ESA could set a precedent for enhanced cooperation in the field of satellite communications.

“The shared commitment to responsible spectrum management and technological innovation marks a significant step toward a sustainable digital future for everyone,” said Mr Maniewicz. “This initiative underscores the importance of international collaboration in addressing the challenges and opportunities presented by space technologies.”

Maniewicz and Jaffart signed for their respective organisations at the Mobile World Congress (MWC2025 Barcelona).

As the demand for satellite-based services continues to grow, partnerships like this will help maintain the integrity and accessibility of global communication networks.

ITU and ESA have reaffirmed their dedication to a future where space technologies contribute positively to societal progress and sustainable development.

California Strengthens Resiliency with Adoption of 2024 International Wildland-Urban Interface Code

The State of California adopted the 2024 International Wildland-Urban Interface Code® (IWUIC®) as the basis for Title 24, Part 7, 2025 California Wildland-Urban Interface Code to address escalating wildfire risks, enhance fire resilience with science-based standards, and set the benchmark for safer, more sustainable communities in fire-prone areas.

California’s adoption of the 2024 IWUIC is the result of a multi-year collaboration between the CAL FIRE Office of the State Fire Marshal, the California Fire Prevention Officers (CAL FPOs), California Building Officials (CALBO), the International Code Council (ICC), the California Building Industry Association (CBIA), and wildfire stakeholders culminating with rulemaking by the California Building Standards Commission (CBSC).

“Today marks a milestone that represents the hard work of many to update and modernize Wildland-Urban Interface building codes,” said California State Fire Marshal Daniel Berlant. “While these aren’t necessarily new requirements, it’s a reorganization of many sections into a singular code with the goal of making it easier for local officials to ensure that new homes and buildings built in wildfire-prone areas have an increased chance of surviving a wildfire.”

“With the help of expert volunteers, CAL FIRE’s Office of the State Fire Marshal has shifted the basis of Title-24’s Wildland Urban Interface standards to a nationally developed model code. The IWUIC is developed though the collaborative efforts of the foremost experts in the field of wildland construction safety from across our country. By utilizing this model code, California will benefit from the continual code development cycle that the Code Council uses to ensure that all its codes are the best in the world,” said Code Council Immediate Past President Stuart D. Tom, P.E., CBO, FIAE – Superintendent of Building and Fire, Pasadena, California.

“The adoption of the California Wildland-Urban Interface Code as Part 7 of Title 24 marks a significant milestone in protecting communities from the devastating impacts of wildfires. This accomplishment highlights the dedication and collaboration of the CAL FPOs and the California Office of the State Fire Marshal in adapting the IWUIC to address California’s unique challenges. Our members remain dedicated in their commitment to enhancing fire prevention, improving life safety measures and developing codes that safeguard our homes and neighborhoods,” said Tim Spears, Fire Marshal, CAL FPOs North Division President and Joe Morelli, Fire Marshal, CAL FPOs South Division President.

This decision comes after careful consideration and is a testament to the state’s commitment to upholding the highest standards in wildfire resiliency and mitigation.

“There has never been a more essential time for collaboration in the name of public safety, and the newly approved use of the Code Council’s IWUIC is a testament to this shared effort. California’s building, fire and code professionals came together to work in concert with the California State Fire Marshal to usher in a new era of fire-safe development standards and defensible space provisions that will enhance fire safety in the built environment. With the definitive actions of the Building Standards Commission, CALBO looks forward to enforcing the IWUIC and its model provisions into the future,” said Jeff Janes, President of California Building Officials.

“While CBIA was initially concerned with this effort, we are now pleased to strongly support the California State Fire Marshal’s plan to use the Code Council’s IWUIC as the basis for California’s new stand-alone Wildland-Urban Interface fire safety code. This new document will combine three fire safety measures (building standards, defensible space provisions and fire-safe development standards) and publish them all under one cover,” said Christopher E. Ochoa, Esq., CBIA Senior Counsel – Codes, Regulatory and Legislative Affairs.

Now Open for Public Comment | NIST Cybersecurity Framework 2.0 Profile for Semiconductor Manufacturing

The NIST National Cybersecurity Center of Excellence (NCCoE) along with the SEMI Semiconductor Manufacturing Cybersecurity Consortium has released Draft NIST Internal Report (NIST IR) 8546, Cybersecurity Framework (CSF) 2.0 Semiconductor Manufacturing Community Profile, for public comment.

This draft Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to semiconductor manufacturing systems. The semiconductor manufacturing environment is a complex ecosystem of device makers, equipment OEMs, suppliers and solution providers. This Profile focuses on desired cybersecurity outcomes and can be used as a guideline to improve the current cybersecurity posture of the semiconductor manufacturing ecosystem.

“NIST, in collaboration with industry leaders and government agencies, has developed and is releasing a comprehensive Framework designed to safeguard semiconductor manufacturing from emerging threats and vulnerabilities,” said Sanjay Rekhi, group leader of the Security Components and Mechanisms Group at NIST. “This initiative is part of a broader, multi-year effort to strengthen the security of critical infrastructure, with a particular focus on the security of semiconductors and their supply chain.”

The European Union Agency for Cybersecurity’s first NIS360 report identifies areas for improvement and tracking of progress across NIS2 Directive sectors

The NIS360 is a new product by the EU Agency for Cybersecurity, ENISA, that assesses the maturity and criticality of NIS2 sectors, providing both a comparative and a more in-depth analysis.
The goal of the NIS360 is to help national authorities and cybersecurity agencies in the Member States tasked with the implementation of the NIS2: (1) to understand the overall picture, (2) to help them with prioritisation, (3) to highlight areas for improvement, and (4) to facilitate monitoring of sectors’ progress. The NIS360 also aims to support policy makers at national and EU level by giving input on policy and strategy development and on initiatives to build up cyber resilience.
The report sets out three main priorities. 
Firstly, it recommends that collaboration, within and between sectors is strengthened, through community-building events and cooperation at sector, national and EU level.
Secondly, within this NIS2 transposition period, it is becoming more of a priority to develop sector-specific guidance on how to implement the key NIS2 requirements in each sector. The report notes that national sectorial authorities are stepping up to implement the NIS2. While investments are increasing across sectors, further upskilling is required.
Thirdly, the NIS360 emphasises the need for both alignment of requirements across borders in each NIS sector, and for cross-border collaboration.
The EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, highlighted: “ENISA is working closely with the EU Member States to implement the NIS2 Directive by providing expertise and guidance. The ENISA NIS360 gives valuable insight into the overall maturity of NIS sectors and the challenges of individual sectors. It explains where we stand, and how to move forward.”
Key Findings at a Glance
Main findings include the following:
- Electricity, telecoms and banking are the three most critical and most mature sectors that stand out above the rest. These sectors have benefited from significant regulatory oversight, funding and investments, political focus, and overall a robust public-private partnership.
- Digital infrastructures, which includes critical services like internet exchanges, top-level domains, data centres, and cloud services, are a step below in terms of maturity. This NIS sector is very heterogeneous in terms of maturity of entities, and has a strong cross-border nature which complicates supervision, information sharing and collaboration.
- Six NIS sectors fall within the NIS360 risk zone, suggesting that there is room for improvement in their maturity relative to their criticality.
- ICT service management: The sector faces key challenges due to its cross-border nature and diverse entities. Strengthening its resilience requires close cooperation between authorities, reduced regulatory burdens for entities subject to both NIS2 and other legislation, and close cooperation in cross-border supervision.
- Space: Stakeholders’ limited cybersecurity knowledge and its heavy reliance on commercial off-the-shelf components present challenges for the sector. Enhancing its resilience requires better cybersecurity awareness, clear guidelines for pre-integration testing of components, and stronger collaboration with other sectors.
- Public administrations: Being very diverse, it is challenging for the sector to achieve a higher common level of maturity. The sector lacks the support and experience seen in more mature sectors. Being a prime target for hacktivism and state-nexus operations, the sector should aim to strengthen its cybersecurity capabilities leveraging the EU Cyber Solidarity Act and exploring shared service models among sector entities on common areas e.g., digital wallets.
- Maritime: The sector continues to face challenges with Operational Technology (OT) and could benefit from tailored cybersecurity risk management guidance that focuses on minimising sector-specific risks, as well as an EU-level cybersecurity exercise to enhance coordination and preparedness in both sectorial and multi-modal crisis management.
- Health: The health sector with an expanded coverage under NIS2, continues to face challenges such as the reliance on complex supply chains, legacy systems, and poorly secured medical devices. Strengthening its resilience requires the development of practical procurement guidelines to help organisations acquire secure services and products, tailored guidance to help overcome common issues, and staff awareness campaigns.
- Gas: The sector needs to continue working towards developing its incident readiness and response capabilities, through the development and testing of incident response plans at national and EU levels but also through enhanced collaboration with the electricity and manufacturing sectors.
The report is based on data from national authorities with a horizontal or sectorial mandate, on self-assessment by companies within the NIS2 sectors, and on EU data sources such as Eurostat. In the ENISA NIS360, strengths, sectorial challenges and gaps are identified, and recommendations are made to improve sectorial maturity and resilience across the Union.

Financial institutions and law enforcement enhance their cooperation

Europol and its private partners in the financial sector have issued the EFIPPP Practical Guide for Operational Cooperation between Investigative Authorities and Financial Institutions. This newly-issued Practical Guide saw contributions from numerous EFIPPP public and private sector members, observers, and other experts. The guide provides best practices and lessons learned, drawing from the EFIPPP’s experience as a successful partnership and from other existing cooperative mechanisms. It addresses policymakers, investigative authorities and private stakeholders, providing suggestions to advance operational cooperation from a legal and a practical perspective.
The Europol Financial Intelligence Public Private Partnership (EFIPPP) provides a collaborative mechanism between more than 90 private stakeholders, Financial Intelligence Units (FIUs) and law enforcement agencies to address structured threat information across the community. The EFIPPP secretariat is located within the European Financial and Economic Crime Centre (EFECC) at Europol.
The drafting of the Practical Guide was based on existing operational cooperative mechanisms in Denmark, Ireland, Latvia, Sweden, the Netherlands and the UK. Taking a practical approach, the Practical Guide highlights that successful collaboration relies on trust between public and private stakeholders. Providing an outline of the building blocks required for successful collaboration, it recommends starting small with realistic expectations, and providing leadership by example.
As well as offering hands-on guidance to investigative authorities and financial institutions in shaping their cooperation, the Practical Guide provides inspiration for policymakers in areas where there is not yet an enabling legal environment. With this guide, the EFIPPP delivers on the call made by the European Commission in its EU roadmap to fight drug trafficking and organised crime.