CISA, Coast Guard Hunt Engagement Offer Path to Protect Critical Infrastructure
CISA and the U.S. Coast Guard found serious cybersecurity weaknesses at an unnamed organization, including insufficient logging, insecure credential storage, poor IT/OT segmentation and device misconfigurations. These problems reflect long-standing security risks in critical infrastructure. Experts advise organizations to strengthen network segmentation, implement multi-factor authentication, improve log monitoring and conduct regular audits to raise their security posture. 2025-8-7 09:6:19 Author: securityboulevard.com

That a recent “hunt” activity by the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Coast Guard revealed a bevy of issues — from insufficient logging and insecure credential storage to poor IT/OT segmentation and device misconfigurations — at an unnamed organization should come as a surprise to exactly no one. Rather, the revelations, released in a joint Cybersecurity Advisory, should serve as both a cautionary tale and guidance for every organization.

The two agencies said as much, noting that the findings and the associated mitigations should be used to “assist other critical infrastructure organizations identify potential similar issues and take proactive measures to improve their cybersecurity posture.” 

The revelations are disturbing, but Bugcrowd Founder Casey Ellis says the findings are “very typical of older enterprise networks, particularly in critical infrastructure sectors,” which “rely on legacy systems that were never designed with modern cybersecurity threats in mind.”


The CISA and U.S. Coast Guard advisory highlights the struggle organizations go through in identity and access management that keeps critical infrastructure in the crosshairs of bad actors. “These are not emerging threats but long-standing vulnerabilities, such as shared administrator credentials, weak or absent network segmentation and lack of visibility into privileged activity, that remain all too common across systems essential to our national security,” says Darren Guccione, Co-founder and CEO of Keeper Security.  

But Ellis is concerned in particular about the lack of segmentation between IT and OT, since that is a vulnerability “attackers can exploit to pivot from IT systems into operational technology, potentially disrupting critical services,” a “well-documented risk” in the energy, transportation and maritime sectors, “where OT systems are often older and harder to secure.”

While IT/OT convergence does increase complexity, “it doesn’t justify sloppy controls,” says Chad Cragle, CISO at Deepwatch. Something like shared local admin accounts with plaintext passwords is “not just a risk, it’s a breach waiting to happen.” Weak logging and soft segmentation are indicators of poor credential hygiene. “You’re not resilient — you’re exposed,” he says. 

Organizations should remember that the proactive hunts conducted by CISA, which has been stripped down and is under assault by the Trump administration, are invaluable. “CISA does not identify the organization evaluated, nor release enough detail to figure it out,” says Liberty Defense President Bryan Cunningham. “Now, this organization knows that it has time to remedy these vulnerabilities, which are pretty straightforward to fix, before bad actors figure them out and target them.” 

Cragle sees the findings as raising a broader point beyond the individual hunt engagement in the CISA alert. “Organizations must stop treating CISA advisories as isolated lessons for different sectors,” he says. “If CISA highlights these issues during proactive hunting, it’s likely your environment has similar vulnerabilities unless you’ve thoroughly audited and addressed them.”

And Ellis called on others to see the hunt engagement as a call to action that compels them to “modernize their security practices and reduce their vulnerability debt.” 

To get started, he recommends that organizations: 

  • Prioritize addressing these foundational issues. Start with enforcing unique credentials, implementing MFA and restricting remote admin access. These are low-hanging fruit that can significantly reduce risk. 
  • Invest in network segmentation to isolate IT and OT environments. This limits the blast radius of potential attacks. 
  • Improve logging and monitoring capabilities to detect and respond to threats more effectively. Without visibility, you’re flying blind. 
  • Conduct regular audits and proactive threat hunts, as CISA did, to identify and remediate risks before they’re exploited. 
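As an added illustration (not code from the article or from the CISA/Coast Guard advisory), the following Python script runs two of the checks these recommendations imply over a constructed sample of authentication events: it flags an account used from many distinct source hosts (a sign of a shared administrator credential) and flags logins into OT-segment hosts that originate from outside the OT network (a segmentation gap). The log format, host naming prefixes and the threshold of three hosts are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample authentication events (hypothetical format):
# <timestamp> user=<account> src=<source host> dst=<target host> seg=<target segment>
SAMPLE_LOG = """\
2025-08-01T10:00:01 user=localadmin src=it-ws-01 dst=it-srv-01 seg=IT
2025-08-01T10:05:13 user=localadmin src=it-ws-07 dst=it-srv-02 seg=IT
2025-08-01T10:07:40 user=localadmin src=it-ws-12 dst=plc-hmi-01 seg=OT
2025-08-01T10:09:02 user=jdoe src=it-ws-03 dst=it-srv-01 seg=IT
2025-08-01T10:11:55 user=localadmin src=it-ws-19 dst=it-srv-03 seg=IT
2025-08-01T10:15:30 user=otops src=ot-eng-01 dst=plc-hmi-01 seg=OT
"""


def parse_line(line):
    """Turn one key=value log line into a dict; the first token is the timestamp."""
    tokens = line.split()
    fields = dict(kv.split("=", 1) for kv in tokens[1:])
    fields["ts"] = tokens[0]
    return fields


def find_shared_accounts(events, threshold=3):
    """Accounts seen from at least `threshold` distinct source hosts.

    One account logging in from many workstations is the typical footprint of
    a shared local admin credential rather than a personal one.
    """
    hosts = defaultdict(set)
    for e in events:
        hosts[e["user"]].add(e["src"])
    return {user: sorted(h) for user, h in hosts.items() if len(h) >= threshold}


def find_it_to_ot_crossings(events, ot_prefix="ot-"):
    """Logins to OT-segment hosts whose source is not an OT host (assumed 'ot-' prefix).

    With proper IT/OT segmentation these should not succeed at all, so any hit
    is either a misconfigured boundary or an account pivoting across it.
    """
    return [e for e in events if e["seg"] == "OT" and not e["src"].startswith(ot_prefix)]


def audit(log_text):
    """Run both checks over raw log text and return the findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "shared_accounts": find_shared_accounts(events),
        "it_to_ot": find_it_to_ot_crossings(events),
    }


if __name__ == "__main__":
    for category, findings in audit(SAMPLE_LOG).items():
        print(category, findings)
```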

The upshot? Organizations should leverage CISA’s expertise and findings to improve their own security postures. But if the past is prologue to the future, there is no guarantee they will do so. 

Article source: https://securityboulevard.com/2025/08/cisa-coast-guard-hunt-engagement-offer-path-to-protect-critical-infrastructure/?utm_source=rss&utm_medium=rss&utm_campaign=cisa-coast-guard-hunt-engagement-offer-path-to-protect-critical-infrastructure