Cyber Resources & Guidance

CISA, Australia, and Partners Author Joint Guidance on Securely Integrating Artificial Intelligence in Operational Technology

12/03/2025 11:00 AM EST

CISA and the Australian Signals Directorate’s Australian Cyber Security Centre, in collaboration with federal and international partners, have released new cybersecurity guidance: Principles for the Secure Integration of Artificial Intelligence in Operational Technology.

This guidance aims to help critical infrastructure owners and operators integrate artificial intelligence (AI) into operational technology (OT) systems securely, balancing the benefits of AI—such as increased efficiency, enhanced decision-making, and cost savings—with the unique risks it poses to the safety, security, and reliability of OT environments.

The document focuses on machine learning (ML), large language models (LLMs), and AI agents due to their complex security challenges, but is also applicable to systems using traditional statistical modeling and logic-based automation.

Key Principles for Secure AI Integration:

  1. Understand AI: Educate personnel on AI risks, impacts, and secure development lifecycles.
  2. Assess AI Use in OT: Evaluate business cases, manage OT data security risks, and address immediate and long-term integration challenges.
  3. Establish AI Governance: Implement governance frameworks, test AI models continuously, and ensure regulatory compliance.
  4. Embed Safety and Security: Maintain oversight, ensure transparency, and integrate AI into incident response plans.

Critical infrastructure owners and operators are encouraged to adopt these principles to maximize AI benefits while mitigating risks. For further details, review the full guidance.

For more information on related resources, visit CISA’s Artificial Intelligence and Industrial Control Systems webpages.


CISA and UK NCSC Release Joint Guidance for Securing OT Systems
09/29/2025

CISA, in collaboration with the Federal Bureau of Investigation, the United Kingdom’s National Cyber Security Centre, and other international partners, has released new joint cybersecurity guidance: Creating and Maintaining a Definitive View of Your Operational Technology (OT) Architecture.

Building on the recent Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators, this guidance explains how organizations can leverage data sources, such as asset inventories and manufacturer-provided resources like software bills of materials, to establish and maintain an accurate, up-to-date view of their OT systems.

A definitive OT record enables organizations to conduct more comprehensive risk assessments, prioritize critical and exposed systems, and implement appropriate security controls. The guidance also addresses managing third-party risks, securing OT information, and designing effective architectural controls.

Key recommendations include:

  • Collaborating Across Teams: Foster coordination between OT and IT teams.
  • Aligning with Standards: Follow international standards such as IEC 62443 and ISO/IEC 27001.

Organizations are encouraged to use this guidance to strengthen their OT security posture and reduce risks. For additional details, review the full guidance.

To learn more about developing an OT Asset Inventory, attend CISA’s webinar tomorrow at 2:00 p.m. (ET).


CISA Releases Advisory on Lessons Learned from an Incident Response Engagement
09/23/2025

Today, CISA released a cybersecurity advisory detailing lessons learned from an incident response engagement following the detection of potential malicious activity identified through security alerts generated by the agency’s endpoint detection and response tool.

This advisory, CISA Shares Lessons Learned from an Incident Response Engagement, highlights takeaways that illuminate the urgent need for timely patching, comprehensive incident response planning, and proactive threat monitoring to mitigate risks from similar vulnerabilities.

The advisory also outlines the tactics, techniques, and procedures (TTPs) employed by cyber threat actors, including exploitation of GeoServer Vulnerability CVE-2024-36401 for initial access. By understanding these TTPs, organizations can enhance their defenses against similar threats.

CISA recommends organizations take the following actions:

  • Prioritize Patch Management: Expedite patching of critical vulnerabilities, particularly those listed in CISA’s Known Exploited Vulnerabilities catalog, with a focus on public-facing systems.
  • Strengthen Incident Response Plans: Regularly update, test, and maintain incident response plans, ensuring they include procedures for engaging third-party responders and deploying security tools without delay.
  • Enhance Threat Monitoring: Implement centralized, out-of-band logging and ensure security operations centers continuously monitor and investigate abnormal network activity to detect and respond to malicious activity effectively.

CISA urges organizations to apply these lessons learned to bolster their security posture, improve preparedness, and reduce the risk of future compromises. For additional details, review the full cybersecurity advisory.

CISA Releases Malware Analysis Report Associated with Microsoft SharePoint Vulnerabilities

08/06/2025 12:00 PM EDT

CISA published a Malware Analysis Report (MAR) with analysis and associated detection signatures on files related to Microsoft SharePoint vulnerabilities:

Cyber threat actors have chained CVE-2025-49704 and CVE-2025-49706 (in an exploit chain publicly known as “ToolShell”) to gain unauthorized access to on-premises SharePoint servers. CISA analyzed six files, including two Dynamic Link Library (.DLL) files, one cryptographic key stealer, and three web shells. Cyber threat actors could leverage this malware to steal cryptographic keys and execute a Base64-encoded PowerShell command to fingerprint the host system and exfiltrate data.

CISA added CVE-2025-49704 and CVE-2025-49706 to its Known Exploited Vulnerabilities Catalog on July 22, 2025, and CVE-2025-53770 on July 20, 2025.

CISA encourages organizations to use the indicators of compromise (IOCs) and detection signatures in this MAR to identify malware.

Downloadable copies of the SIGMA rule associated with this malware:

CMA SIGMA 251132 1 (YAML, 4.22 KB)
CMA SIGMA 251132 2 (YAML, 2.86 KB)
CMA SIGMA 251132 (YAML, 5.55 KB)

For more information on the malware files and YARA rules for detection, see MAR-251132.c1.v1 Exploitation of SharePoint Vulnerabilities.


CISA and USCG Issue Joint Advisory to Strengthen Cyber Hygiene in Critical Infrastructure

07/31/2025 02:00 PM EDT

CISA, in partnership with the U.S. Coast Guard (USCG), released a joint Cybersecurity Advisory aimed at helping critical infrastructure organizations improve their cyber hygiene. This follows a proactive threat hunt engagement conducted at a U.S. critical infrastructure facility.

During this engagement, CISA and USCG did not find evidence of malicious cyber activity or actor presence on the organization’s network but did identify several cybersecurity risks. CISA and USCG are sharing their findings and associated mitigations to assist other critical infrastructure organizations in identifying potentially similar issues and taking proactive measures to improve their cybersecurity posture. The mitigations include best practices such as not storing passwords or credentials in plaintext, not sharing local administrator account credentials, and implementing comprehensive logging.

For more detailed mitigations addressing the identified cybersecurity risks, review joint Cybersecurity Advisory: CISA and USCG Identify Areas for Cyber Hygiene Improvement After Conducting Proactive Threat Hunt at US Critical Infrastructure Organization.


CISA Releases Part One of Zero Trust Microsegmentation Guidance

07/29/2025 3:00 PM EDT

CISA released Microsegmentation in Zero Trust, Part One: Introduction and Planning as part of its ongoing efforts to support Federal Civilian Executive Branch (FCEB) agencies implementing zero trust architectures (ZTAs).

This guidance provides a high-level overview of microsegmentation, focusing on its key concepts, associated challenges, and potential benefits, and includes recommended actions to modernize network security and advance zero trust principles.

Microsegmentation is a critical component of ZTA that reduces the attack surface, limits lateral movement, and enhances visibility for monitoring smaller, isolated groups of resources.

While the guidance focuses on FCEB references, its principles are applicable to any organization. As part of its Journey to Zero Trust series, CISA plans to release a subsequent technical guide to offer detailed implementation scenarios and technical considerations for implementation teams. Visit our Zero Trust webpage for more information and resources.


CISA and Partners Release Updated Advisory on Scattered Spider Group

07/29/2025 11:00 AM EDT

CISA, along with the Federal Bureau of Investigation, Canadian Centre for Cyber Security, Royal Canadian Mounted Police, the Australian Cyber Security Centre’s Australian Signals Directorate, and the Australian Federal Police and National Cyber Security Centre, released an updated joint Cybersecurity Advisory on Scattered Spider—a cybercriminal group targeting commercial facilities sectors and subsectors. This advisory provides updated tactics, techniques, and procedures (TTPs) obtained through FBI investigations conducted through June 2025.

Scattered Spider threat actors have been known to use various ransomware variants in data extortion attacks, most recently including DragonForce ransomware. While Scattered Spider often changes TTPs to remain undetected, some TTPs remain consistent. These actors frequently use social engineering techniques such as phishing, push bombing, and subscriber identity module swap attacks to obtain credentials, install remote access tools, and bypass multi-factor authentication.

The Mitigations section of the Scattered Spider joint Cybersecurity Advisory offers critical infrastructure organizations and commercial facilities recommendations to fortify their defenses.


Treasury resources for financial institutions

This year, the Department of Treasury has been rolling out the largest public-private partnership it has ever established: Project Fortress, an effort to improve the security and resilience of the financial services sector.

The project encompasses four main components: two free cybersecurity tools for banks; a physical space for collaboration between banks and Treasury’s cyber officials in downtown D.C.; and offensive efforts by federal law enforcement against cyber attackers. They are new and existing offerings, all consolidated in May under the collective banner of Project Fortress.

Project Fortress was most recently updated in January 2025.


Cybersecurity and Critical Infrastructure Protection

The Office of Cybersecurity and Critical Infrastructure Protection coordinates the Department’s efforts to enhance the security and resilience of financial services sector critical infrastructure and reduce operational risk. The office works closely with financial sector companies, industry groups, and government partners to share information about cybersecurity and physical threats and vulnerabilities, encourage the use of baseline protections and best practices, and respond to and recover from significant incidents.


Financial Stability Oversight Council

The Council is charged with identifying risks to the financial stability of the United States; promoting market discipline; and responding to emerging risks to the stability of the United States’ financial system. The Council consists of 10 voting members and 5 nonvoting members and brings together the expertise of federal financial regulators, state regulators, and an independent insurance expert appointed by the President.


Financial Institutions Policy

The Office of Financial Institutions Policy develops, analyzes, and coordinates the Department’s policies on issues affecting financial institutions, including depository institutions, bank holding companies, broker-dealers and securities firms, financial technology (fintech) and payment companies, pension funds and other investment firms, non-bank mortgage and small business lenders, digital asset companies, and other regulated and unregulated financial companies. The Office’s principal focus is on regulation, financial infrastructure, and safety and soundness matters, including regulatory capital, resolution, liquidity, stress testing, and deposit insurance; industry competition, structure, and financial condition; and emerging forms of financial services through innovations in technology and business models. The Office also focuses on how the financial system impacts individuals and small businesses, including through analyzing legislative, economic, and regulatory conditions. In addition, the Office advises the Department of Treasury on its board responsibilities for the Pension Benefit Guaranty Corporation (PBGC) and the Securities Investor Protection Corporation (SIPC). For more information contact the Office of Financial Institutions Policy at [email protected].


Federal Insurance Office

The Dodd-Frank Wall Street Reform and Consumer Protection Act established Treasury’s Federal Insurance Office (FIO) and vested FIO with the authority to monitor all aspects of the insurance sector, monitor the extent to which traditionally underserved communities and consumers have access to affordable non-health insurance products, and to represent the United States on prudential aspects of international insurance matters, including at the International Association of Insurance Supervisors. In addition, FIO serves as an advisory member of the Financial Stability Oversight Council, assists the Secretary with administration of the Terrorism Risk Insurance Program, and advises the Secretary on important national and international insurance matters.