
The July 31st advisory from CISA and the U.S. Coast Guard (AA25-212A) should serve as a wake-up call to many. Not because of what did happen, but because of what could have happened.
The advisory detailed a proactive threat hunt conducted at a U.S. critical infrastructure organization. While no active malicious activity was discovered, the assessment revealed significant systemic weaknesses that could have been easily exploited.
Among the issues identified:
- Insecurely stored credentials
- Shared local admin accounts across multiple systems
- Unrestricted remote access for privileged users
- Insufficient logging and monitoring
- Weak segmentation between IT and OT environments
- Misconfigured devices with elevated access
This is a textbook case of what many in the field call “security theater”: policies, tools, or procedures are present on paper or in tooling, but they lack real-world enforcement, oversight, or operational discipline.
The Danger of “No Breach” Thinking
“No evidence of compromise” is not the same as “no risk.”
Yet too often, the absence of a breach becomes a reason to defer improvement.
Imagine applying this logic to the physical security of a facility:
- Doors have locks, but keys aren't tracked, or worse, a spare set is left lying around for everyone to use
- There are security cameras, but no one watches the footage or ensures they are actually working
- Entry policies exist, but there is no enforcement: the door is propped open or the lock is broken
We’d never call these scenarios safe. So why are they acceptable in digital environments?
Why This Advisory Matters for Cloud and Regulated Environments
Whether you're operating in AWS GovCloud, pursuing FedRAMP compliance, or managing a hybrid infrastructure with open-source technologies like PostgreSQL, the message is clear:
Security is not a static state. It’s an evolving practice.
Security must be dynamic, not reactive. Waiting until a threat materializes before reacting is an ineffective and inefficient strategy. Modern and robust security requires iterative and adaptable practices that can anticipate and respond to current and emerging threats.
It’s no longer just a question of whether you've been breached.
It’s about whether you’ve hardened your systems to withstand failure and recover quickly when it happens. More importantly, it's about situational awareness and understanding the risk and consequences of complacency.
What This Means in Practice
This advisory points to the need for:
- Continuous auditing of access and configuration
- Active enforcement of change control
- Real-world validation of logging and alerting pipelines
- Operational segmentation between environments
- Internal accountability, not just compliance paperwork
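As an added example (not code from the advisory or from this post), the following Python script runs a configuration audit over a constructed host inventory and flags the finding categories listed above: shared local admin credentials across systems, privileged remote access open to any source, hosts that do not forward logs, and reachability between IT and OT zones. The inventory structure, field names and values are assumptions made for the example.

```python
from collections import defaultdict
from typing import Any

# Constructed sample inventory (not from the advisory); field names are assumptions.
# "local_admin_hash" stands in for whatever credential fingerprint your tooling exports.
INVENTORY = [
    {"host": "it-ws-01", "zone": "IT", "local_admin_hash": "a1b2", "log_forwarding": True,
     "peers": ["it-ws-02"],
     "remote": [{"user": "ops_admin", "privileged": True, "allowed_from": ["10.1.0.0/16"]}]},
    {"host": "it-ws-02", "zone": "IT", "local_admin_hash": "a1b2", "log_forwarding": False,
     "peers": ["plc-gw-01"],
     "remote": [{"user": "helpdesk", "privileged": False, "allowed_from": ["0.0.0.0/0"]}]},
    {"host": "plc-gw-01", "zone": "OT", "local_admin_hash": "c3d4", "log_forwarding": True,
     "peers": [],
     "remote": [{"user": "vendor", "privileged": True, "allowed_from": ["0.0.0.0/0"]}]},
]


def audit(inventory: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Return findings keyed by category; each value lists the offending host (and user)."""
    findings: dict[str, list[str]] = defaultdict(list)
    zone_of = {h["host"]: h["zone"] for h in inventory}
    by_hash: dict[str, list[str]] = defaultdict(list)
    for h in inventory:
        # Group hosts by local admin credential to detect reuse across systems.
        by_hash[h["local_admin_hash"]].append(h["host"])
        # Insufficient logging: a host whose logs never reach a central collector.
        if not h["log_forwarding"]:
            findings["no_log_forwarding"].append(h["host"])
        # Weak segmentation: a host that can reach a peer in a different zone.
        for peer in h["peers"]:
            if zone_of.get(peer) != h["zone"]:
                findings["it_ot_bridge"].append(f'{h["host"]}->{peer}')
        # Unrestricted remote access for a privileged account (any source allowed).
        for acct in h["remote"]:
            if acct["privileged"] and "0.0.0.0/0" in acct["allowed_from"]:
                findings["unrestricted_privileged_remote"].append(f'{h["host"]}:{acct["user"]}')
    for digest, hosts in by_hash.items():
        if len(hosts) > 1:
            findings["shared_local_admin"].append(",".join(sorted(hosts)))
    return dict(findings)


if __name__ == "__main__":
    for category, items in sorted(audit(INVENTORY).items()):
        print(f"{category}: {items}")
```

Run on a real inventory export, the same checks become the "continuous auditing" item above: schedule them, and treat a non-empty result as an alert rather than a report.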
In an upcoming post, we’ll explore what can be learned from public water system resilience to shape a multibarrier approach to cloud security (i.e., the "Swiss Cheese Model"). Hardening isn’t about reacting to threats. It’s about preparing your systems to resist them at every layer, ensuring they are secure and reliable.
Coming up next: “From Turbidity to Tenancy — What Public Water System Management Taught Me About Hardening the Cloud.”