INFRASTRUCTURE CYBER BULLETIN

JULY 2025

Coverage Window: 1–31 July 2025 (United States)
Date: 250810-2342z

Summary

In July 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued a high volume of Industrial Control Systems (ICS) advisories affecting energy, facility, and telecommunications systems. An updated advisory on the Scattered Spider (UNC3944) threat group highlighted advanced social engineering and virtualization exploits observed through June 2025. No verified U.S. Global Navigation Satellite System (GNSS) spoofing or jamming incidents were reported, but global maritime disruptions, particularly in the Red Sea, pose risks to U.S. operators with international exposure. A mid-month global IT outage caused by a faulty CrowdStrike software update disrupted multiple critical sectors, underscoring supply chain vulnerabilities even in non-malicious scenarios.

Stay informed by subscribing to CISA alerts at cisa.gov/subscribe and engaging with sector-specific Information Sharing and Analysis Centers (ISACs) such as the Electricity ISAC (E-ISAC) or Water ISAC for real-time threat intelligence.

Satellite & GPS (U.S. Domain)

No confirmed U.S. GNSS spoofing or jamming incidents were publicly reported in July 2025. This section is intentionally blank, as no domestic incidents were identified in available sources.

Global GNSS disruptions, especially in the Red Sea, can affect U.S. trade and U.S.-flag vessels. Mid-July reports noted a spike in vessel interference, with navigation and distress signaling issues raising safety concerns (e.g., mislocation in Electronic Chart Display and Information Systems [ECDIS] and Automatic Identification Systems [AIS]). U.S. operators with international routes should conduct GNSS-denied navigation drills and review resources like Gard’s guidance on GNSS interference in conflict zones.

Core Telecommunications & Operational Technology (OT)

CISA issued ICS advisories on multiple dates in July 2025, detailing vulnerabilities, affected products, and mitigation guidance for U.S. utility, facility, and telecommunications environments. The table below summarizes the advisories (verified against CISA records for accuracy).

Date   | Number of Advisories | Key Vendors/Products Affected
-------|----------------------|----------------------------------
Jul 2  | 7                    | Various cross-sector ICS products
Jul 9  | 7                    | ICONICS, others
Jul 11 | 21                   | Delta Electronics, others
Jul 16 | 1                    | Delta Electronics CNCSoft-G2
Jul 18 | 3                    | Various
Jul 23 | 4                    | Schneider Electric, others
Jul 25 | 2                    | Hitachi Energy, Philips Vue

Threat Activity – Scattered Spider (UNC3944):

On July 29, CISA and international partners updated their joint advisory on the group's tactics, techniques, and procedures (TTPs) observed through June 2025, including advanced social engineering, credential abuse, lateral movement, VMware ESXi/vCenter targeting, and data exfiltration. Prioritize phishing-resistant multi-factor authentication (MFA), help-desk caller-verification scripts, and isolation of the virtualization management plane. Share the advisory across your organization and run threat-hunting exercises using the published UNC3944 indicators.

Notable Event: A non-malicious global IT outage in mid-July, caused by a faulty CrowdStrike update, disrupted telecommunications and OT systems, highlighting the risks of third-party software dependencies.

Bulk Power System (Generation, Transmission, Distribution)

No confirmed U.S. utility cyber incidents were reported in July 2025; this section is intentionally blank. However, cyberattacks on U.S. utilities surged 70% in the past year, underscoring the need for heightened vigilance.

Exposure Notes: July advisories covered Schneider EcoStruxure Power Operation/System Monitor, Modicon PLCs, and EVLink—common in U.S. utility and building management systems (BMS). The global IT outage briefly impacted some energy operations, emphasizing the need for diversified vendor ecosystems.

Natural Gas & Liquid Fuels (Pipelines, Terminals)

No credible U.S. pipeline SCADA or terminal OT incidents were reported in July 2025; this section is intentionally blank.

Action Cue: Apply relevant Schneider, Delta, or LabVIEW advisories if these components are present in compressor stations or terminal control networks.

Water & Wastewater

No confirmed U.S. cyber incidents were reported in July 2025; this section is intentionally blank. However, rising threats to water systems prompted the Environmental Protection Agency (EPA) to urge immediate cybersecurity assessments.

Action Cue: Prioritize July 22 mitigations for Lantronix Provisioning Manager or similar remote access tools. Verify MFA and eliminate Internet-exposed programmable logic controllers (PLCs) or human-machine interfaces (HMIs). Reference EPA’s Enforcement Alert for additional guidance.

Transportation Hubs (Ports, Airports, Class I Rail)

No confirmed U.S. cyber incidents were reported in July 2025; this section is intentionally blank. The global IT outage caused significant disruptions at airports and rail systems, grounding thousands of flights and delaying operations.

Context: Ongoing global maritime GNSS interference in the Red Sea affects U.S. ports with international feeder routes. Practice GNSS-denied standard operating procedures (SOPs) and ECDIS/AIS cross-checks. Integrate outage lessons into resilience planning for public awareness.

Medical Supply Chains (Manufacturing & Distribution; Hospital OT/IT)

No nationwide cyber incidents were uniquely attributable to July 2025; this section is intentionally blank. The global IT outage delayed hospital procedures, highlighting supply chain cyber risks.

Advisory Linkage: July 17 advisories included Panoramic imaging software (medical). Check clinical networks and segment picture archiving and communication systems (PACS) or diagnostic devices from enterprise Active Directory (AD).

Semiconductor Fabrication (Fabs & Upstream Tools)

No U.S. incidents were disclosed in July 2025; this section is intentionally blank, though global threats to the sector persist.

Advisory Linkage: July 24 advisories on Honeywell Experion PKS and Mitsubishi Electric CNC may apply to clean-room facilities or utilities. Patch systems and restrict remote engineering services.

Financial Clearing (ACH, Fedwire, Exchanges)

No cyber-related disruptions to financial clearing were reported in July 2025; this section is intentionally blank. The global IT outage caused temporary halts in some financial systems.

Advisory Linkage: Apply July 29 fixes for LabVIEW or Samsung HVAC DMS if used in trading floors or data halls. Isolate the management plane.

Critical Data Centers / Cloud Regions

No confirmed cyber-related breaches or outages were reported in July 2025; this section is intentionally blank. The CrowdStrike-related outage severely impacted cloud services.

Advisory Linkage: July advisories covered Johnson Controls (C•CURE/iStar), Samsung HVAC DMS, and Fuji Tellus Lite, common in data center infrastructure management (DCIM) or BMS. Close gaps and document exceptions.

Election Infrastructure

No cyber events were reported by federal sources in July 2025; this section is intentionally blank. CISA and FBI warned of potential distributed denial-of-service (DDoS) attacks during the election cycle.

Standing Guidance: Continue tabletop exercises for voter registration, e-pollbooks, and network perimeters to prepare for 2026 elections.

30-Day Action Plan (Prioritized)

  1. Patch Velocity: Complete remediation or compensating controls for all July CISA ICS advisories within 7–10 business days. Track by ICSA number and document exceptions to the Change Advisory Board (CAB).
  2. Identity & Help-Desk Controls: Enforce phishing-resistant MFA, script caller verification, enable carrier SIM-swap alerts, and secure password reset processes.
  3. Virtualization Plane Hardening: Isolate ESXi/vCenter management networks, require privileged access management (PAM) and just-in-time (JIT) access for admins, enable verbose logging and endpoint detection and response (EDR) on hypervisors, and rehearse restores.
  4. Facilities OT Hygiene: Validate BMS/DCIM segmentation for Samsung HVAC DMS, Johnson Controls, ICONICS, and Honeywell systems. Review vendor remote-access contracts.
  5. Maritime/Navigation Preparedness: Conduct GNSS-denied drills for U.S. entities with overseas routes. Ensure radar, inertial navigation systems (INS), and ECDIS cross-checks are standard in Red Sea transits.
  6. IT Outage Lessons: Review third-party update dependencies (e.g., CrowdStrike). Implement staged rollouts and maintain offline backups for critical systems.
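Item 5's ECDIS/INS cross-check, as an added Python example (not part of the bulletin or any vendor's software): successive GNSS fixes are compared against a dead-reckoned position from the vessel's own course and speed, and a fix is flagged when it implies an impossible speed or diverges from dead reckoning beyond a threshold. The sample track, the 30 kn speed ceiling and the 500 m divergence threshold are constructed assumptions rather than values from the page.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
KN_TO_MS = 0.514444  # one knot in metres per second

@dataclass
class Fix:
    t: float    # seconds since start of the watch
    lat: float  # degrees, north positive
    lon: float  # degrees, east positive

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two positions."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def dead_reckon(start, speed_kn, course_deg, dt_s):
    """Advance a fix along course/speed (flat-earth step, adequate for one-minute legs)."""
    dist, brg = speed_kn * KN_TO_MS * dt_s, math.radians(course_deg)
    dlat = dist * math.cos(brg) / EARTH_RADIUS_M
    dlon = dist * math.sin(brg) / (EARTH_RADIUS_M * math.cos(math.radians(start.lat)))
    return Fix(start.t + dt_s, start.lat + math.degrees(dlat), start.lon + math.degrees(dlon))

def check_fixes(fixes, speed_kn, course_deg, max_speed_kn=30.0, max_divergence_m=500.0):
    """Return (time, reason, value) alerts for fixes inconsistent with the ship's own motion."""
    alerts = []
    for prev, cur in zip(fixes, fixes[1:]):
        dt = cur.t - prev.t
        implied_kn = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon) / dt / KN_TO_MS
        if implied_kn > max_speed_kn:  # a jump no hull could make in dt seconds
            alerts.append((cur.t, "implausible speed", round(implied_kn, 1)))
        dr = dead_reckon(prev, speed_kn, course_deg, dt)  # where log and gyro say we should be
        divergence = haversine_m(dr.lat, dr.lon, cur.lat, cur.lon)
        if divergence > max_divergence_m:
            alerts.append((cur.t, "diverges from dead reckoning", round(divergence)))
    return alerts

def simulate_track(start, speed_kn, course_deg, steps, dt_s=60.0):
    track = [start]  # constructed honest track: one fix every dt_s seconds on a steady course
    for _ in range(steps):
        track.append(dead_reckon(track[-1], speed_kn, course_deg, dt_s))
    return track

# Constructed sample: 12 kn on course 330 in the Red Sea, five one-minute legs, final fix shifted ~5.5 km north (spoof)
HONEST_TRACK = simulate_track(Fix(0.0, 20.0, 38.5), 12.0, 330.0, steps=5)
_last = HONEST_TRACK[-1]
SPOOFED_TRACK = HONEST_TRACK[:-1] + [Fix(_last.t, _last.lat + 0.05, _last.lon)]
```

On a real bridge the course and speed would come from the gyro and speed log rather than from the GNSS receiver under test, and an alert is the cue to fall back to radar or INS fixing.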

Analysis Commentary

July 2025 highlights a dynamic and escalating cyber threat landscape for U.S. critical infrastructure. The issuance of over 45 CISA ICS advisories signals persistent vulnerabilities in legacy OT systems from vendors like Schneider, Delta, and Honeywell, which are integral to energy and manufacturing sectors. The Scattered Spider (UNC3944) advisory underscores a shift toward sophisticated social engineering and virtualization exploits, potentially foreshadowing more targeted ransomware or data extortion campaigns. While no major U.S. cyber incidents were confirmed, the global IT outage caused by a CrowdStrike update disrupted billions in operations across sectors, serving as a stark reminder of supply chain vulnerabilities. This event mirrors the potential impact of a coordinated cyber-attack. Concurrently, intensified GNSS spoofing in the Red Sea threatens U.S. maritime trade, reflecting how geopolitical tensions can indirectly affect economic interests. These trends suggest a growing convergence of cyber and physical threats, necessitating a proactive shift to zero-trust architectures, enhanced international collaboration, and diversified resilience strategies to mitigate cascading failures in an interconnected world.

Sources

CISA ICS Advisories (July 2025)

Note: CISA’s official July release dates were Jul 17, Jul 22, Jul 29, and Jul 31 (plus a Jul 10 tranche). Your table lists different dates; these pages below are the canonical sources and include the full ICSA numbers and affected products.

(Optional 2nd‑source roundups that echo the CISA posts:)

Threat Activity – Scattered Spider (UNC3944)

Global GNSS / Maritime Navigation Context (relevance to U.S. fleets & ports)

Mid‑Month Global IT Outage (CrowdStrike Falcon) — impacts & retrospectives

(The large outage occurred Jul 19, 2024; July 2025 coverage and filings discuss impacts, fixes, and ongoing probes. Include these to support your “supply‑chain risk” points.)

Water & Wastewater — Federal Guidance

Utility Sector Threat Level (support for “surge” context)

(Broader threat‑landscape references you can cite as needed)

Elections (background resources referenced in your section)

“Stay Informed” (subscriptions & ISACs)
