INFRASTRUCTURE CYBER BULLETIN

AUGUST 2025

Coverage Window: 1–29 August 2025 (United States)
Date/Time Group: 250830-0030z

Summary

August 2025 highlighted the persistent exposure of U.S. critical infrastructure to cyber and operational risks. The Cybersecurity and Infrastructure Security Agency (CISA) issued a surge of Industrial Control Systems (ICS) advisories affecting energy, building automation, and other industrial control systems, while a Citrix NetScaler zero-day vulnerability was actively exploited across critical environments. A ransomware attack disrupted Maryland’s paratransit services, and persistent GPS jamming abroad demonstrated the diverse threats facing critical systems. Concurrently, the U.S. Coast Guard’s new maritime cybersecurity rule, effective July 16, 2025, shifted from voluntary to mandatory protections, signaling a broader regulatory trend toward enforceable standards[^1][^9].

Satellite & GPS (U.S. Domain)

No confirmed U.S. Global Navigation Satellite System (GNSS) spoofing or jamming events were reported in August (intentionally blank).

  • International Context:
    • Baltic region interference disrupted over 80% of flights inbound to Estonia, forcing reroutes[^4].
    • Russian oil port jamming disabled Automatic Identification System (AIS) broadcasts, creating collision hazards for tankers[^5].

Recommendations for U.S. Operators with Overseas Routes:

  • Conduct GNSS-denied navigation drills to prepare for interference scenarios.
  • Cross-check radar, AIS, and Inertial Navigation Systems (INS) to maintain operational continuity.
  • Monitor U.S. Coast Guard (USCG) and National Oceanic and Atmospheric Administration (NOAA) advisories for updates on foreign interference.
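The radar/AIS/INS cross-check above can be automated as a continuous sanity check on the bridge's own GNSS feed. The following Python is an added example, not part of this bulletin or of any vendor product; the Sample layout, the thresholds, and the vessel track are constructed for the illustration. It flags the two conditions the drills rehearse: loss of a usable fix (the jamming signature) and a fix that disagrees with the inertial estimate by more than INS drift can explain.

```python
"""Cross-check a GNSS track against an INS dead-reckoning track.

Added example, not part of the bulletin. The vessel track, thresholds and
Sample layout are constructed for illustration; a real bridge system would
feed live receiver and INS data into assess().
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0
LatLon = Tuple[float, float]


@dataclass
class Sample:
    t: int                   # seconds since the start of the watch
    gnss: Optional[LatLon]   # receiver fix, or None when the receiver reports no fix
    ins: LatLon              # inertial dead-reckoning estimate for the same instant
    sats: int                # satellites used in the fix (0 when there is none)


def haversine_m(a: LatLon, b: LatLon) -> float:
    """Great-circle distance in metres between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(h))


def assess(samples: List[Sample], base_tolerance_m: float = 200.0,
           ins_drift_m_per_s: float = 0.5, min_sats: int = 4) -> List[Tuple[int, str]]:
    """Return (t, code) alerts.

    GNSS_LOSS: no fix or too few satellites (the jamming/denial signature).
    GNSS_INS_DIVERGENCE: a fix that disagrees with INS by more than the
    tolerance. Because INS drifts, the tolerance grows with the time since
    the last fix on which the two sources agreed.
    """
    alerts: List[Tuple[int, str]] = []
    last_agreed_t = samples[0].t if samples else 0
    for s in samples:
        if s.gnss is None or s.sats < min_sats:
            alerts.append((s.t, "GNSS_LOSS"))
            continue
        tolerance = base_tolerance_m + ins_drift_m_per_s * (s.t - last_agreed_t)
        if haversine_m(s.gnss, s.ins) > tolerance:
            alerts.append((s.t, "GNSS_INS_DIVERGENCE"))
        else:
            last_agreed_t = s.t   # INS would be re-aligned to this trusted fix
    return alerts


# Constructed track: eastbound in the Gulf of Finland, one sample per minute.
# t=120 and t=180 model a jammed receiver; t=240 models a fix that no longer
# matches the inertial estimate (about 1.1 km north of it).
TRACK = [
    Sample(0,   (59.4400, 24.7500), (59.4400, 24.7500), 9),
    Sample(60,  (59.4400, 24.7520), (59.4400, 24.7520), 9),
    Sample(120, None,               (59.4400, 24.7540), 0),
    Sample(180, (59.4400, 24.7560), (59.4400, 24.7560), 3),
    Sample(240, (59.4500, 24.7580), (59.4400, 24.7580), 8),
    Sample(300, (59.4400, 24.7600), (59.4400, 24.7600), 9),
]

if __name__ == "__main__":
    for t, code in assess(TRACK):
        print(f"t={t:>4}s  {code}")
```

The drift term matters in practice: a fixed tolerance either fires on healthy INS drift after a long outage or stays silent while a divergent fix walks the plotted position away. During any alert the watch should navigate on radar, AIS and INS until a fix agrees with the inertial estimate again.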

Core Telecommunications & Operational Technology (OT)

CISA ICS Advisories (Aug 5–28):
Affected systems include Johnson Controls FX Building Management System (BMS), Rockwell FactoryTalk, Siemens SIPROTEC, Schneider Modicon, ICONICS automation, Yealink phones, EG4 solar inverters, Fujifilm Synapse Mobility, and GE Vernova CIMPLICITY[^1].

Key Takeaways:

  • Cross-sector exposure persists in building automation and remote management tools.
  • Many advisories concern IT/OT boundary systems (e.g., contractor-accessible BMS, cloud-managed inverters), underscoring that the IT/OT interface is where exposure concentrates.

Additional Guidance:

  • CISA’s OT Asset Inventory Guidance (Aug 13) emphasizes the need for baseline device visibility to enhance security[^10].
  • A joint advisory (Aug 27) confirmed People’s Republic of China (PRC) state-backed campaigns targeting telecommunications and energy sectors[^2].
  • CISA should provide simplified, cost-effective OT asset inventory tools tailored for small and medium-sized enterprises (SMEs) to address resource constraints[^15].

Action Plan:

  • Patch affected systems within 10 business days[^1].
  • Implement Network Access Control (NAC) and segmentation to isolate IT/OT boundaries.
  • Harden help-desk workflows to mitigate social engineering risks, especially given PRC campaigns[^2].

Bulk Power System (Generation, Transmission, Distribution)

No confirmed U.S. utility cyber incidents were reported in August (intentionally blank).

  • Relevant Advisories: Schneider EcoStruxure, Modicon Programmable Logic Controllers (PLCs), and Siemens engineering platforms[^1].

Recommendations for Utilities:

  • Prioritize patching by asset class using North American Electric Reliability Corporation (NERC) Electricity Information Sharing and Analysis Center (E-ISAC) guidance.
  • Segment engineering workstations from substation OT networks to limit exposure.
  • Rehearse outage tabletop scenarios tied to ICS compromise to improve incident response readiness.

Natural Gas & Liquid Fuels

No confirmed U.S. pipeline or terminal OT incidents were reported in August (intentionally blank).

  • Relevant Advisories: Modicon M340 and INVT Human-Machine Interfaces (HMIs) applicable to compressor and terminal environments[^1].

Recommendations for Operators:

  • Enforce strict remote-access controls to prevent unauthorized access to OT systems.
  • Deploy anomaly detection on OT traffic bound for cloud services to identify potential threats.
  • Develop federal grant programs to subsidize anomaly detection tools for smaller pipeline operators, addressing resource limitations[^15].

Water & Wastewater

No confirmed U.S. water system incidents were reported in August (intentionally blank).

  • DEF CON “Hackers on the Water” Findings:
    • Default credentials, flat networks, and internet-exposed PLCs remain prevalent vulnerabilities[^11][^12].

Action Cues:

  • Reset all default credentials and enforce Multi-Factor Authentication (MFA).
  • Implement Virtual Local Area Network (VLAN) or air-gap segmentation to isolate critical systems.
  • Remove HMIs and PLCs from direct internet exposure to reduce attack surfaces.
  • Expand federal support programs, like Michigan’s EGLE and BitLyft initiatives, to provide affordable cybersecurity solutions for small water utilities[^16].
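CISA's OT asset inventory guidance (Core Telecommunications & OT section) and the DEF CON water findings above describe the same review: compare what is actually on the OT network with the approved inventory, then flag devices that are unknown, reachable from the internet, sharing an IT segment, or still on factory credentials. The following Python is an added example, not the bulletin's or CISA's tooling; the BASELINE and OBSERVED records, the role names and the VLAN labels are constructed for the illustration. In practice OBSERVED would come from a passive network inventory pass and the credential flag from a configuration audit.

```python
"""Diff an observed OT device list against the approved inventory and flag
the exposures named in the water-sector findings.

Added example, not the bulletin's or CISA's tooling. BASELINE and OBSERVED
are constructed records; in practice OBSERVED would come from a passive
network inventory pass and the credential flag from a configuration audit.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

OT_ROLES = {"plc", "hmi", "rtu", "bms", "inverter"}


@dataclass(frozen=True)
class Asset:
    ip: str
    role: str                                   # plc, hmi, rtu, engineering_ws, unknown, ...
    vlan: str                                   # segment the device was seen on
    public_ports: FrozenSet[int] = frozenset()  # TCP ports reachable from the internet
    default_creds: bool = False                 # still on factory credentials per the audit


# Approved inventory (constructed).
BASELINE: Dict[str, Asset] = {a.ip: a for a in [
    Asset("10.20.1.10", "plc", "ot-cell-1"),
    Asset("10.20.1.11", "hmi", "ot-cell-1"),
    Asset("10.20.1.12", "plc", "ot-cell-1"),
    Asset("10.20.1.20", "rtu", "ot-cell-2"),
]}

# What the inventory pass actually observed (constructed).
OBSERVED: List[Asset] = [
    Asset("10.20.1.10", "plc", "ot-cell-1"),
    Asset("10.20.1.11", "hmi", "corp-lan", frozenset({443}), default_creds=True),
    Asset("10.20.1.12", "plc", "ot-cell-1", frozenset({502})),
    Asset("10.20.1.50", "unknown", "ot-cell-1"),
]

IT_VLANS: Set[str] = {"corp-lan"}

Finding = Tuple[str, str]


def review(baseline: Dict[str, Asset], observed: Iterable[Asset],
           it_vlans: Set[str]) -> List[Finding]:
    """Return (ip, finding) pairs in observation order, then missing assets."""
    findings: List[Finding] = []
    seen: Set[str] = set()
    for a in observed:
        seen.add(a.ip)
        if a.ip not in baseline:
            findings.append((a.ip, "UNINVENTORIED"))       # unknown device on the OT network
        if a.role in OT_ROLES and a.public_ports:
            findings.append((a.ip, "INTERNET_EXPOSED"))    # HMI/PLC reachable from outside
        if a.role in OT_ROLES and a.vlan in it_vlans:
            findings.append((a.ip, "FLAT_NETWORK"))        # OT device sharing an IT segment
        if a.default_creds:
            findings.append((a.ip, "DEFAULT_CREDENTIALS"))
    for ip in baseline:
        if ip not in seen:
            findings.append((ip, "MISSING"))               # baseline device not seen: retired or offline?
    return findings


if __name__ == "__main__":
    for ip, finding in review(BASELINE, OBSERVED, IT_VLANS):
        print(f"{ip:<12} {finding}")
```

The MISSING finding is as useful as the others: a baseline device that no longer answers is either retired (update the inventory) or offline (an operational problem), and the inventory is only a baseline if both directions of the diff are reconciled on each pass.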

Transportation Hubs (Ports, Airports, Class I Rail)

  • Maryland MTA MobilityLink: A ransomware attack disrupted scheduling and dispatch operations, impacting paratransit services[^6].
  • USCG Maritime Cyber Rule (effective Jul 16, 2025, now enforceable):
    • Mandates cyber incident reporting to the National Response Center (NRC).
    • Requires designation of a Cybersecurity Officer[^9].

Recommendations:

  • Transit operators should maintain offline scheduling backups to ensure service continuity.
  • Ports and vessels must conduct annual cyber drills and reporting rehearsals to comply with USCG requirements.
  • Accelerate the USCG’s Cybersecurity Officer designation timeline (currently set for 2027) to 2026 to enhance maritime cyber resilience[^17].

Medical Supply Chains (Manufacturing/Distribution; Hospital OT/IT)

No nationwide medical OT incidents were reported in August (intentionally blank).

  • Advisory Relevance: Fujifilm Synapse Mobility Picture Archiving and Communication System (PACS)[^1].

Safeguards:

  • Segment PACS and diagnostic systems from enterprise Active Directory (AD) to prevent lateral movement.
  • Restrict vendor remote access and enforce encrypted Digital Imaging and Communications in Medicine (DICOM) transfers.

Semiconductor Fabrication

No disclosed U.S. fabrication plant incidents were reported in August (intentionally blank).

  • Advisories: Honeywell and Mitsubishi Computer Numerical Control (CNC) systems relevant to fabrication automation[^1].

Recommendations:

  • Audit access to engineering toolchains to identify and mitigate unauthorized access risks.
  • Rotate vendor credentials regularly to reduce the risk of credential-based attacks.

Financial Clearing (ACH, Fedwire, Exchanges)

No cyber-related disruptions were reported in August (intentionally blank).

  • Regulatory Update: The Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) was retired on August 31, 2025[^13].

Recommendations:

  • Banks should transition to updated cybersecurity assessment frameworks to maintain compliance.
  • Provide clearer guidance on transitioning from FFIEC CAT to new frameworks, including free training resources for smaller financial institutions[^15].

Critical Data Centers / Cloud Regions

  • Citrix NetScaler Zero-Day (CVE-2025-7775): Active exploitation confirmed; patched builds are required[^7][^8].
  • Salesforce/Workday SaaS Breach: Demonstrated downstream vendor risk in Software-as-a-Service (SaaS) integrations[^14].

Defensive Steps:

  • Immediately patch NetScaler systems, hunt for webshells, and monitor for token abuse.
  • Segment SaaS integrations and audit privileges to limit exposure.
  • Test vendor patch pipelines and SaaS integration security to ensure robust supply chain security.
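"Monitor for token abuse" on an access gateway reduces to one check that is cheap to run over the gateway's access log: a session token that was issued to one client and later presented from a different source address or client within its lifetime. The following Python is an added example, not the bulletin's or Citrix's tooling; the key=value log layout is made up (it is not the NetScaler log format), and the tokens, paths and documentation-range addresses are constructed.

```python
"""Flag an access-gateway session token that is reused from a new source.

Added example, not the bulletin's or Citrix's tooling. The log format below
is a made-up key=value layout (not the NetScaler log format), and the tokens
and addresses are fictitious documentation-range values.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

LINE_RE = re.compile(
    r"ts=(?P<ts>\d+) token=(?P<token>\S+) src=(?P<src>\S+) ua=(?P<ua>\S+) path=(?P<path>\S+)"
)

# Constructed gateway access log: tok_a1 is established from one address and
# then, ten minutes later, presented from another with a different client.
LOG_LINES = [
    "ts=1756200000 token=tok_a1 src=203.0.113.10 ua=Mozilla/5.0 path=/vpn/index.html",
    "ts=1756200030 token=tok_a1 src=203.0.113.10 ua=Mozilla/5.0 path=/portal/home",
    "ts=1756200600 token=tok_b7 src=198.51.100.22 ua=Mozilla/5.0 path=/vpn/index.html",
    "ts=1756200660 token=tok_a1 src=192.0.2.77 ua=curl/8.0 path=/portal/home",
    "ts=1756200700 token=tok_a1 src=192.0.2.77 ua=curl/8.0 path=/portal/admin",
    "ts=1756204400 token=tok_b7 src=198.51.100.22 ua=Mozilla/5.0 path=/portal/home",
]

Alert = Tuple[int, str, str, str, str]   # (ts, token, reason, previous, current)


def parse(line: str) -> Optional[dict]:
    """Parse one constructed log line; unparseable lines are skipped, not guessed at."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec


def find_token_reuse(lines: Iterable[str], window_s: int = 3600) -> List[Alert]:
    """Alert when a token's source IP or client string changes within window_s
    of its previous use. A benign address change (mobile roaming) is possible,
    so the alert carries both values for the analyst to weigh."""
    last: Dict[str, dict] = {}
    alerts: List[Alert] = []
    for rec in filter(None, map(parse, lines)):
        prev = last.get(rec["token"])
        if prev is not None and rec["ts"] - prev["ts"] <= window_s:
            if rec["src"] != prev["src"]:
                alerts.append((rec["ts"], rec["token"], "NEW_SOURCE_IP", prev["src"], rec["src"]))
            elif rec["ua"] != prev["ua"]:
                alerts.append((rec["ts"], rec["token"], "CLIENT_CHANGED", prev["ua"], rec["ua"]))
        last[rec["token"]] = rec
    return alerts


if __name__ == "__main__":
    for ts, token, reason, before, after in find_token_reuse(LOG_LINES):
        print(f"{ts} {token} {reason}: {before} -> {after}")
```

The window should match the gateway's configured session lifetime; reuse outside the window is not a reuse of a live session. Once an alert fires, the token's first-seen address, the paths requested after the change, and whether an administrative path appears are what the responder needs to decide between terminating the session and escalating to a compromise investigation.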

Election Infrastructure

No U.S. election system incidents were reported in August (intentionally blank).

  • Standing Risks: Distributed Denial-of-Service (DDoS) attacks and account compromise during election cycles.

Recommendations:

  • States should conduct voter database backups and DDoS tabletop drills to prepare for election-related threats.

30-Day Action Plan (Prioritized)

  1. Patch all August ICS advisories within 10 business days[^1].
  2. Upgrade and harden Citrix NetScaler systems; validate incident response plans[^7][^8].
  3. Conduct OT asset inventory and apply NAC/segmentation[^10].
  4. Harden help-desk workflows against social engineering[^2].
  5. Align port and vessel operations with USCG cyber rule requirements[^9].
  6. Run GNSS-denied navigation drills for international operators[^4][^5].
  7. Test vendor patch pipelines and SaaS integration security[^14].

Analysis Commentary

August 2025 illustrates the convergence of technical vulnerabilities, adversarial intent, and regulatory pressures across U.S. critical infrastructure. The wave of ICS advisories reveals persistent OT vulnerabilities, affecting systems from building management in office towers to relays in power substations. Adversaries, particularly PRC state-backed groups, are exploiting these weaknesses with increasing sophistication, as confirmed by CISA’s joint advisory[^2].

The Citrix NetScaler zero-day (CVE-2025-7775) is the month’s most critical development. As an internet-facing access gateway, its compromise enables attackers to bypass enterprise boundaries and target critical workloads. Its addition to CISA’s Known Exploited Vulnerabilities (KEV) catalog and rapid exploitation underscore the urgency of patching and threat hunting[^7][^8].

Operational disruptions, such as the ransomware attack on Maryland’s MTA MobilityLink, highlight the disproportionate impact of localized attacks on vulnerable populations[^6]. Similarly, global GPS jamming incidents, while not occurring in U.S. territory, affect U.S. commerce and safety abroad, necessitating proactive preparedness[^4][^5].

The U.S. Coast Guard’s maritime cybersecurity rule marks a significant shift toward mandatory protections, with enforceable reporting and governance requirements[^9]. This trend toward regulatory accountability may extend to other sectors, raising the baseline for resilience.

The report’s focus on state-backed threats is critical but may underemphasize non-state actors, such as ransomware groups and hacktivists, which pose significant risks, as seen in the Maryland incident and Cyble’s maritime attack findings[^6][^18].

Overall, August 2025 reflects increasing maturity in both threats and defenses. Vulnerabilities are disclosed and patched at scale, adversaries are adapting, and regulators are enforcing standards. Operators must treat advisories as urgent, implement defense-in-depth strategies, and prepare for a landscape where operational, cyber, and regulatory pressures converge.

Sources

[^1]: CISA ICS Advisories (Aug 5–28, 2025) — https://www.cisa.gov/news-events/alerts
[^2]: CISA Joint Advisory on PRC State Actors (Aug 27, 2025) — https://www.cisa.gov/news-events/alerts/2025/08/27/prc-state-actors-exploiting-infrastructure
[^3]: CISA News — Incident Response in Nevada (Aug 27, 2025) — https://www.cisa.gov/news-events/news/cisa-supports-nevada-cyber-incident-response
[^4]: gCaptain — GPS Jamming in Estonia (Aug 23, 2025) — https://gcaptain.com/estonia-flights-gps-jamming
[^5]: Bloomberg — GPS Jamming at Russian Oil Ports (Aug 23, 2025) — https://www.bloomberg.com/news/articles/2025-08-23/russian-oil-ports-hit-by-gps-jamming
[^6]: MDOT MTA — Paratransit Service Disruption (Aug 2025) — https://www.mta.maryland.gov/mobilitylink-service-disruption-august-2025
[^7]: Citrix Security Bulletin CTX694938 (Aug 26, 2025) — https://support.citrix.com/article/CTX694938
[^8]: NVD CVE-2025-7775 / CISA KEV (Aug 26, 2025) — https://nvd.nist.gov/vuln/detail/CVE-2025-7775
[^9]: USCG Final Cyber Rule (Effective Jul 16, 2025) — https://www.federalregister.gov/documents/2025/07/16/uscg-maritime-cybersecurity-final-rule
[^10]: CISA OT Asset Inventory Guidance (Aug 13, 2025) — https://www.cisa.gov/news-events/alerts/2025/08/13/ot-asset-inventory-guidance
[^11]: ABC News — DEF CON “Hackers on the Water” (Aug 7, 2025) — https://abcnews.go.com/Technology/hackers-on-the-water-cybersecurity
[^12]: The Register — DEF CON Water Cybersecurity (Aug 10, 2025) — https://www.theregister.com/2025/08/10/defcon-water-utility-cybersecurity
[^13]: Independent Banker — FFIEC CAT Sunset (Aug 31, 2025) — https://independentbanker.org/2025/08/ffiec-cat-sunset-transition
[^14]: BrightDefense — Salesforce/Workday Breach Coverage (Aug 18, 2025) — https://brightdefense.com/blog/salesforce-workday-breach-aug-2025
[^15]: National Institute of Standards and Technology (NIST) — Cybersecurity Resources for Small Businesses — https://www.nist.gov/cybersecurity/small-business-cybersecurity-resources
[^16]: Michigan EGLE and BitLyft — Water Sector Cybersecurity Initiative — https://www.michigan.gov/egle/about/cybersecurity
[^17]: U.S. Government Accountability Office (GAO) — Maritime Cybersecurity Report (2025) — https://www.gao.gov/products/maritime-cybersecurity-2025
[^18]: Cyble — Maritime Cyber Threat Report (2025) — https://cyble.com/blog/maritime-cyber-threats-2025
