Multiple security weaknesses have been discovered by the Cybersecurity and Infrastructure Security Agency and the U.S. Coast Guard in the systems of an unnamed U.S. critical infrastructure organization, according to The Register.
While neither nefarious network activity nor foul play has been observed, the organization had inadequate logging and insecure credential storage that increase the threat of covert illicit cyber activity, the joint CISA and USCG report showed. Aside from having various workstations having shared local admin credentials, the organization also had no remote access restrictions for local admin accounts, as well as inadequate IT and operational technology asset segmentation. Numerous issues have also been observed in the organization's Supervisory Control and Data Acquisition and HVAC systems. "Given that SCADA and HVAC systems control physical processes, compromises of these systems can have real-world consequences, including risks to personnel safety, infrastructure integrity, and equipment functionality," said the report.
While neither nefarious network activity nor foul play has been observed, the organization had inadequate logging and insecure credential storage that increase the threat of covert illicit cyber activity, the joint CISA and USCG report showed. Aside from having various workstations having shared local admin credentials, the organization also had no remote access restrictions for local admin accounts, as well as inadequate IT and operational technology asset segmentation. Numerous issues have also been observed in the organization's Supervisory Control and Data Acquisition and HVAC systems. "Given that SCADA and HVAC systems control physical processes, compromises of these systems can have real-world consequences, including risks to personnel safety, infrastructure integrity, and equipment functionality," said the report.
