CISA and the U.S. Coast Guard go “fishing” for vulnerabilities

On July 31, 2025, CISA (the Cybersecurity and Infrastructure Security Agency) and the U.S. Coast Guard (USCG) published a joint advisory (available here: https://www.cisa.gov/sites/default/files/2025-07/joint-advisory-cisa-identifies-areas-for-cyber-hygiene-improvement-after-conducting-proactive-threat-hunt.pdf).
The document follows a proactive threat-hunting operation conducted on the network of a U.S. critical infrastructure organization. Such initiatives are aligned with the Cybersecurity Performance Goals (CPGs) jointly driven by NIST and CISA, as well as with the USCG's longstanding, and more recent, work on maritime cybersecurity.
The overall conclusion: no compromise or malicious activity was detected. However, investigators did identify a fairly typical set of cybersecurity weaknesses.
The value of this kind of operation
The primary objective of a threat-hunting operation is to identify malicious actors that may already be present within a network. In this case, the investigation did not uncover any active compromise (although one might reasonably wonder whether such a finding would have been publicly disclosed).
Interestingly, the operation also took on the characteristics of a security audit, revealing several notable weaknesses. The advisory does not specify whether these vulnerabilities were actively exploitable, but they nonetheless highlight common shortcomings:
- Passwords stored in plaintext within scripts and internal tools;
- Shared local administrator accounts used across multiple systems without proper separation (unique passwords per host) or rotation;
- Absence of multi-factor authentication (MFA) for critical remote access services such as VPN or RDP;
- Insufficient logging and lack of centralized log management, making incident investigation difficult;
- Weak or nonexistent segmentation between IT and OT networks, with poorly hardened gateways;
- Default or poorly maintained configurations on infrastructure devices.
CISA and USCG recommendations: back to the fundamentals
The technical advisory does not introduce radically new concepts. Instead, it reiterates a number of fundamental cybersecurity practices that remain highly effective.
As is often the case, applying these basic measures, similar to those described in guides such as ANSSI's well-known 42 cybersecurity hygiene measures (https://cyber.gouv.fr/publications/guide-dhygiene-informatique), can significantly reduce both the likelihood and the impact of cyber incidents. These practices are relevant whether the threat originates from state-sponsored actors or cybercriminal groups.
1. Passwords and secrets
- Prohibit the storage of passwords in plaintext;
- Secure and automate password management using appropriate protocols, password vaults, or PAM solutions;
- Encrypt all secrets both on endpoints and in transit across the network;
- Integrate credential auditing into code reviews and CI/CD pipelines.
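The last point, credential auditing in code reviews and CI/CD pipelines, is the one most directly tied to the plaintext-password finding, and it is easy to start with a simple scanner. The following Python script is an added example written for this article, not tooling from the advisory or from CISA/USCG. The sample script it scans is constructed, and the scanner distinguishes a literal credential from a value injected at runtime (an environment variable, a vault lookup) or an obvious placeholder, so that it can run as a failing check in a pipeline without flagging the secure pattern it is meant to encourage.

```python
import re
from dataclasses import dataclass

# Constructed sample of a deployment script of the kind the advisory describes:
# one hard-coded password, one Windows-style credential on the command line,
# and two values that are references to a vault or environment (acceptable).
SAMPLE_SCRIPT = """\
#!/usr/bin/env bash
# deploy.sh (constructed example, not a real script)
ADMIN_USER="localadmin"
ADMIN_PASSWORD="Summer2024!"
DB_PASSWORD="${DB_PASSWORD:?must be injected from the vault}"
API_TOKEN="CHANGEME"
export PGPASSWORD=$(vault read -field=pw secret/db)
net use \\\\fileserver\\share /user:corp\\svc_backup Backup#2023
"""

# Assignment whose left-hand side looks like a secret: KEY=value, KEY: value,
# "key": "value". Anchored at line start so values embedded inside other values
# (e.g. "${DB_PASSWORD:?...}") are not re-matched as assignments.
ASSIGN_RE = re.compile(
    r"""^\s*(?:export\s+|set\s+)?["']?
        (?P<key>\w*(?:password|passwd|secret|api_?key|token|credential)\w*)["']?
        \s*[=:]\s*
        (?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>\S+))""",
    re.IGNORECASE | re.VERBOSE,
)
# Windows `net use \\server\share /user:DOMAIN\user <password>` on the command line.
NET_USE_RE = re.compile(r"^\s*net\s+use\b.*\s/user:\S+\s+(?P<value>\S+)", re.IGNORECASE)

# Values that are clearly not real secrets (constructed list; extend for your code base).
PLACEHOLDERS = {"changeme", "todo", "xxx", "redacted", "example", "password", "none"}


def is_reference(value: str) -> bool:
    """True if the value is fetched at runtime (env var, vault call, template) rather than stored."""
    return value.startswith(("$", "%", "{{")) or "vault " in value or "environ" in value


@dataclass(frozen=True)
class Finding:
    line_no: int
    key: str
    value: str


def scan_text(text: str) -> list[Finding]:
    """Return every line in `text` that stores a literal credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGN_RE.match(line)
        if m:
            key = m["key"]
            # exactly one of the three value groups matched
            value = next(v for v in (m["dq"], m["sq"], m["bare"]) if v is not None)
        else:
            m = NET_USE_RE.match(line)
            if not m:
                continue
            key, value = "net use /user", m["value"]
        if len(value) < 4 or is_reference(value):
            continue
        if value.lower().strip("<>[]") in PLACEHOLDERS:
            continue
        findings.append(Finding(line_no, key, value))
    return findings


def ci_gate(paths: list[str]) -> int:
    """Hypothetical CI entry point: return exit code 1 if any file stores a credential."""
    failed = False
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_text(fh.read()):
                print(f"{path}:{f.line_no}: literal credential in '{f.key}'")
                failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SCRIPT):
        print(f"line {f.line_no}: {f.key} = {f.value!r}")
```

Run against the constructed script, the scanner reports only the hard-coded `ADMIN_PASSWORD` and the password passed to `net use`; the vault-backed and environment-backed values pass. A regex scanner of this kind is a first gate, not a substitute for the vault or PAM solution the advisory recommends: it catches the patterns the page lists, and `ci_gate` is where it would be wired into a pipeline step that fails the build.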
2. Privileged access
- Eliminate shared accounts;
- Enforce strong authentication (MFA), including for OT environments;
- Segment environments and prevent uncontrolled pivoting from IT networks into OT systems.
3. Logging and monitoring
- Enable comprehensive logging across all systems (authentication events, network connections, critical commands);
- Centralize logs in an out-of-band logging platform;
- Maintain sufficient log retention to support post-incident forensic analysis.
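Centralized logs are only useful if they are actually queried, and two of the findings above (shared local administrator accounts used across many hosts, and gaps in log coverage) can be surfaced from them with little effort. The Python below is an added example for this article, not code from the advisory; the sshd-style log lines and the host inventory are constructed. It parses successful and failed logons, reports accounts that authenticate on three or more distinct hosts, lists privileged-looking accounts still logging in with a password rather than a key, and compares the set of hosts that sent anything at all against the inventory to find silent hosts.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of centralized auth logs (ISO timestamps, syslog-style body).
# Not real data: five hosts are in the inventory, host05 never reports anything.
SAMPLE_LOGS = """\
2025-08-12T10:01:02Z host01 sshd[4101]: Accepted password for localadmin from 10.0.1.5 port 50212 ssh2
2025-08-12T10:02:15Z host02 sshd[2210]: Accepted password for localadmin from 10.0.1.5 port 50218 ssh2
2025-08-12T10:03:40Z host03 sshd[3377]: Accepted password for localadmin from 10.0.1.5 port 50230 ssh2
2025-08-12T10:05:00Z host01 sshd[4102]: Accepted publickey for alice from 10.0.2.10 port 41222 ssh2
2025-08-12T10:06:11Z host04 sshd[5120]: Accepted publickey for bob from 10.0.2.11 port 41300 ssh2
2025-08-12T10:07:45Z host02 sshd[2215]: Failed password for localadmin from 10.0.9.9 port 60001 ssh2
2025-08-12T10:08:00Z host03 kernel: [12345.678] eth0: link up
"""

INVENTORY = {"host01", "host02", "host03", "host04", "host05"}  # constructed

# Any syslog-style line: timestamp, reporting host, program.
SYSLOG_RE = re.compile(r"^\S+\s+(?P<host>\S+)\s+\S+:")
# sshd logon outcome lines only.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\S+)\s+for\s+(?P<user>\S+)\s+from\s+(?P<src>\S+)"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    host: str
    result: str   # "Accepted" or "Failed"
    method: str   # "password", "publickey", ...
    user: str
    src: str


def parse_auth_lines(text: str) -> list[AuthEvent]:
    """Extract sshd logon events; lines from other programs are ignored."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(AuthEvent(ts, m["host"], m["result"], m["method"], m["user"], m["src"]))
    return events


def shared_accounts(events: list[AuthEvent], min_hosts: int = 3) -> dict[str, set[str]]:
    """Accounts with successful logons on at least `min_hosts` distinct hosts."""
    hosts_by_user = defaultdict(set)
    for e in events:
        if e.result == "Accepted":
            hosts_by_user[e.user].add(e.host)
    return {u: hs for u, hs in hosts_by_user.items() if len(hs) >= min_hosts}


def password_logons(events: list[AuthEvent], privileged_marker: str = "admin") -> set[tuple[str, str]]:
    """(user, host) pairs where a privileged-looking account logged in by password only."""
    return {
        (e.user, e.host)
        for e in events
        if e.result == "Accepted" and e.method == "password" and privileged_marker in e.user.lower()
    }


def reporting_hosts(text: str) -> set[str]:
    """Every host that sent at least one line of any kind."""
    return {m["host"] for m in (SYSLOG_RE.match(l) for l in text.splitlines()) if m}


def coverage_gaps(text: str, inventory: set[str]) -> set[str]:
    """Inventory hosts from which the central platform received nothing."""
    return set(inventory) - reporting_hosts(text)


if __name__ == "__main__":
    evs = parse_auth_lines(SAMPLE_LOGS)
    print("shared accounts:", shared_accounts(evs))
    print("password logons to privileged accounts:", sorted(password_logons(evs)))
    print("hosts not reporting:", sorted(coverage_gaps(SAMPLE_LOGS, INVENTORY)))
```

On the constructed sample this flags `localadmin` as used on three hosts from the same source, all by password, and reports `host05` as silent. The coverage check is deliberately based on any line rather than on auth lines, because a host whose only log output is kernel noise still counts as reachable; a host producing nothing at all is the retention and forwarding problem the advisory describes.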
Final thoughts
The 19-page advisory remains a worthwhile read, particularly for CISOs and cybersecurity teams responsible for critical infrastructure.
That said, the document remains relatively generic. It provides limited sector-specific context—likely to avoid revealing details that could identify the targeted infrastructure—and offers only moderate technical depth regarding OT environments.
In practice, implementing both basic and advanced security measures (for example MFA, stronger PLC protection, or zero-trust architectures) in OT environments is rarely straightforward, and this is even more true in maritime infrastructures.
Any modification to such systems must therefore follow a careful risk-management approach that considers operational constraints. Introducing mechanisms such as MFA or zero-trust controls can improve security, but if poorly implemented they may also introduce new operational risks. Proper design, testing, and integration into operational processes are therefore essential.