MFG-ISAC

242 posts

@MFG_ISAC

MFG-ISAC is a nonprofit cybersecurity threat awareness and mitigation community for small, medium and enterprise-level manufacturers in the United States.

Joined February 2022
36 Following · 140 Followers
MFG-ISAC
MFG-ISAC@MFG_ISAC·
MFG-ISAC in the news---- Manufacturers fortify cyber defenses in response to dramatic surge in attacks "To confront growing threats, manufacturing companies have teamed up through the MFG-ISAC, which hosts events and distributes guidance to members. “Customers view peer collaboration as one of the most effective defenses they have,” said Chris Grove, director of cybersecurity strategy at Nozomi Networks. “Manufacturers trust information coming from peers who face the same operational realities.” In 2025, the MFG-ISAC partnered with Google Cloud on an in-person tabletop exercise, convened a working group that produced a cyber-incident response playbook and co-organized an OT training course with the security firm Dragos. Dozens of companies have participated in that program, MFG-ISAC Director Tim Chase said. The ISAC also manages an OT discussion group through which member firms can plan shared responses to sector-wide challenges, such as the difficulty of securely monitoring remote facilities. This year, Chase said, the ISAC is planning another in-person tabletop exercise, as well as an expanded range of guidance documents and services for managing OT threats. The organization is also creating new working groups to address the priorities of its growing membership base. One of the groups will bring together manufacturers who need to meet the Defense Department’s new Cybersecurity Maturity Model Certification standards and want to discuss implementation challenges. Within the manufacturing sector, “there’s a strong understanding that collaboration benefits everyone,” said Sean Tufts, field CTO at Claroty. “MFG-ISAC provides a trusted environment where even competitors can share failures and success.” That collaboration will be essential for improving the security posture of a highly diverse sector, in which many different industries share overlapping vulnerabilities and concerns. 
The MFG-ISAC’s members include everything from pharmaceutical giants and food companies to businesses that make home heating and plumbing appliances. A recent Dragos report tallied 26 distinct manufacturing subsectors. "The diversity in manufacturing … can make it a challenging sector to help facilitate collective defense,” Chase said. Read the comprehensive article here: cybersecuritydive.com/news/manufactu…
MFG-ISAC
MFG-ISAC@MFG_ISAC·
The OT Security Training Program is a partnership between Dragos OT-CERT and MFG-ISAC that gathers small and medium suppliers of large OT-centric businesses and provides free resources and training. By improving OT security and reducing risk, together we can strengthen resilience for the entire ecosystem. The program will offer live virtual training and a portal to access training materials and guides. A chat tool will allow participants to communicate with one another to facilitate operationalizing the training materials. Contact tchase@grf.org with questions about this free resource. *Please note: You must register for the free OT-CERT portal before you will be sent the invite for the training session. When you register, in the dropdown menu “How did you hear about OT-CERT,” select MFG-ISAC. Register for the portal here: dragos.com/community/ot-c…
MFG-ISAC
MFG-ISAC@MFG_ISAC·
@RESecurity has published an excellent white paper on the leaked Chinese state cyber actor documents referred to as the Knownsec leak incident. The translated documents show that US manufacturing is a “high priority target.” Read more: resecurity.com/blog/article/k…
MFG-ISAC reposted
Global Resilience Federation
Global Resilience Federation@GRFederation·
Now available for download is the October issue of the GRF monthly newsletter. In this issue you will find info about an upcoming webinar on incident recovery, an announcement about a new tool for GRF-affiliated members, and the incorporation of the Operational Resilience Framework into the Shared Assessments SIG, among other exciting news: grf.org/newsletter-oct…
MFG-ISAC
MFG-ISAC@MFG_ISAC·
MITRE Launches ATT&CK v18 Expanding ICS Framework with New Asset Objects

@MITREcorp has expanded its @MITREattack for ICS framework in version 18 with new and updated Asset objects that more accurately represent industrial devices and attack scenarios. The update introduces a clearer distinction between platforms (operating systems and applications) and assets (physical or logical devices), while adding the new Related Assets field to harmonize sector-specific terminology across industries.

Three new asset types - DCS Controller (A0017), Firewall (A0016), and Switch (A0015) - were added to enhance coverage of industrial environments like Manufacturing, Chemical, and Oil & Gas operations. MITRE also clarified existing asset descriptions (like Data Gateways and Data Historians) and refined platform mappings to reflect real-world configurations. The DCS Controller entry highlights its role in managing continuous processes and enabling redundancy across distributed systems, while the Firewall and Switch assets emphasize segmentation and network isolation within the Purdue Model to limit lateral movement.

Beyond ICS, ATT&CK v18 introduces two new detection-oriented objects: Detection Strategies and Analytics - representing a major shift toward structured, behavior-driven defensive modeling. Coverage has been expanded across domains to include Kubernetes, DevOps, CI/CD, and cloud-based systems, as well as nation-state operations from China and North Korea, ransomware preparation behaviors, and supply-chain compromises. Future updates will focus on refining detection models, expanding asset coverage to more sectors, and exploring new areas such as adversarial use of AI and LLMs during intrusions.

Looking ahead to ATT&CK v19, MITRE plans to continue refining detection guidance, incorporating community feedback, and expanding intelligence coverage to reflect the professionalization of cybercrime, the convergence of state and criminal operations, and the growing exploitation of cloud and edge infrastructure.

Read more: attack.mitre.org/resources/upda…
MFG-ISAC
MFG-ISAC@MFG_ISAC·
The OT Security Training Program is a partnership between Dragos, Inc. OT-CERT and MFG-ISAC that gathers small and medium suppliers of large OT-centric businesses and provides free resources and training. By improving OT security and reducing risk, together we can strengthen resilience for the entire ecosystem. The program will offer live virtual training and a portal to access training materials and guides. A chat tool will allow participants to communicate with one another to facilitate operationalizing the training materials. This webinar will be the second meeting of the program. Contact tchase@grf.org with questions about this free resource, or simply register for the webinar to join us. *Please note: You must register for the free OT-CERT portal before you will be sent the invite for the training session. When you register, in the dropdown menu “How did you hear about OT-CERT,” select MFG-ISAC. Register for the portal here: dragos.com/community/ot-c… Register here for the complimentary webinar: us02web.zoom.us/webinar/regist…
MFG-ISAC
MFG-ISAC@MFG_ISAC·
eSentire: DarkCloud Information Stealer Phishing Campaign

eSentire’s Threat Response Unit discovered a spear-phishing campaign targeting a customer in the Manufacturing industry that attempted to deliver the DarkCloud information stealer. DarkCloud is a commodity information stealer that was formerly sold on the now-defunct XSS hacking forum. The malware can target web browsers, email, VPN and FTP clients. Threat actors use it to harvest sensitive information like credentials, cookies, and keystrokes. DarkCloud can exfiltrate the stolen data through various channels like Telegram API, SMTP, FTP, or through a PHP web panel. The malware has received numerous updates, including a full stub re-write in VB6, string encryption, and evasion updates.

Campaign Details:
- The lure used by the threat actor was financially themed and was sent to the victim’s Zendesk support address.
- The phish contained a ZIP file that purported to be a Swift message but contained a DarkCloud executable. The specific version in this case was an older version of DarkCloud, version 3.2, which was released earlier this year.
- Researchers noted the social engineering and targeting helped make the phishing seem credible and could bypass user suspicion.

Analyst Note: This commodity malware is designed to gather and log sensitive information that can later be used in follow-up attacks. Monitoring for abnormal outbound communications to Telegram APIs and unfamiliar FTP hosts can help detect such activity.

Recommendations:
- Employ email protection rules to block ZIP attachments with suspicious embedded file types like executables and scripts.
- Implementing Phishing and Security Awareness Training (PSAT) programs is crucial to educate employees about emerging threats and mitigate the risk of successful social engineering attacks.
- Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) solution to detect and contain threats.

For the full report see here: esentire.com/blog/eye-of-th…
MFG-ISAC Portal Alert: mfgisac.cyware.com/webapp/user/my…
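The first recommendation in the post above (block ZIP attachments that embed executables or scripts) can be checked by content as well as by file name. The following is an added example, not code from eSentire or MFG-ISAC; the extension list, size and depth limits, function names and sample file names are all assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Assumed block list for illustration; tune it to your mail gateway's policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll", ".js", ".jse", ".vbs",
                      ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".lnk"}
MAX_DEPTH = 2                       # nested archives opened before giving up
MAX_MEMBER_BYTES = 50 * 1024 ** 2   # do not decompress members larger than this

def inspect_zip(data: bytes, depth: int = 0) -> list[str]:
    """Return reasons to quarantine a ZIP attachment; an empty list means allow."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            if ext in BLOCKED_EXTENSIONS:
                findings.append(f"{name}: blocked extension {ext}")
            if info.flag_bits & 0x1:   # encrypted member: content cannot be checked
                findings.append(f"{name}: encrypted member")
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{name}: too large to inspect")
                continue
            with archive.open(info) as member:
                head = member.read(4)
                rest = member.read() if head == b"PK\x03\x04" else b""
            if head[:2] == b"MZ" and ext not in BLOCKED_EXTENSIONS:
                # Windows executable renamed to look like a document
                findings.append(f"{name}: PE header behind {ext or 'no'} extension")
            elif head == b"PK\x03\x04":
                if depth + 1 >= MAX_DEPTH:
                    findings.append(f"{name}: archive nested too deeply")
                else:
                    inner = inspect_zip(head + rest, depth + 1)
                    findings += [f"{name} > {reason}" for reason in inner]
    return findings

def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from constructed sample members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: FAKE_PE is only the MZ magic plus padding, not real malware.
FAKE_PE = b"MZ" + b"\x00" * 62
LURE = make_zip({"Swift_Message.exe": FAKE_PE})
RENAMED = make_zip({"Swift_Message.pdf": FAKE_PE})
NESTED = make_zip({"payment_docs.zip": LURE})
BENIGN = make_zip({"statement.txt": b"Payment received."})
```

Checking the first bytes of each member catches an executable renamed to a document extension, which an extension-only rule would pass.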
MFG-ISAC
MFG-ISAC@MFG_ISAC·
Join MFG-ISAC and Google Cloud in Chicago for a fast-paced tabletop exercise (TTX) to test manufacturing security and operational resilience. This is a chance to review strategies, share intelligence, and see what it really takes to defend and sustain critical operations amid today’s threat landscape. Learn more: mfgisac.org/google-ttx-2025
MFG-ISAC reposted
Global Resilience Federation
Global Resilience Federation@GRFederation·
On October 30, a panel of CISOs and CMMC experts will discuss supply chain cybersecurity and the CMMC. Attendees are encouraged to contribute questions, concerns, and best practices for discussion. The Department of Defense published the final CMMC rule on September 10, 2025, which takes effect November 10, 2025. This impacts cybersecurity and supply chain/third party risk professionals who work with defense and federal contractors, including their supply chains.

Discussion:
• Latest CMMC requirements and timelines
• How the new CMMC rule, effective November 10, impacts businesses that are involved with the Department of Defense, federal contractors and their supply chains
• How protecting Controlled Unclassified Information (CUI) strengthens supply chain resilience

Register here: us02web.zoom.us/webinar/regist…
MFG-ISAC reposted
Global Resilience Federation
Global Resilience Federation@GRFederation·
Join us for the 8th Annual Summit on Security & Third-Party Risk! Nick Panos of @googlecloud will present "Winning the Resilience Race: Outpacing Risk in the Age of AI and Automation." Session abstract: The modern digital risk landscape is not just evolving—it is accelerating. Fueled by AI-powered threats, sophisticated supply chain attack techniques, and significant geopolitical volatility, the critical questions now revolve around when, and how often, major disruptions will occur. Traditional approaches to business continuity and cybersecurity are not enough to keep pace. The new imperative is cyber resilience: the ability to anticipate, withstand, recover from, and adapt to adverse conditions. This session moves beyond the buzzwords and delivers an actionable framework for building and accelerating digital resilience within your organization. We will discuss the key pillars of a modern resilience strategy, from proactive threat anticipation and defensible architecture to rapid response and adaptive recovery. Drawing on real-world case studies, you will learn how to shift your organization's mindset from reactive defense to proactive readiness, ensuring your critical business functions remain fortified against the next major disruption. We hope to see you at the Palms in Las Vegas, November 3-5. Learn more and register here grf.org/summit2025
MFG-ISAC
MFG-ISAC@MFG_ISAC·
When cyberattacks occur in manufacturing environments, traditional business continuity and disaster recovery plans often show their gaps. Because recovery is rarely designed to consider the lack of trust after a cyber event, critical production dependencies suddenly become visible, control systems fail, and supply chain communications break down, causing Recovery Time Objectives (RTO) to stretch from hours into weeks. For manufacturing organizations, this means production stoppages, missed delivery deadlines, damaged equipment, and potentially compromised worker safety.

A Minimum Viable Factory (MVF) strategy focuses on moving to a production and supply chain-focused approach to cyber recovery. Through deeper investigation of critical manufacturing processes, IT and OT Security teams can better partner with production managers and plant operations to identify the essential functions and systems that ensure a cyberattack remains a contained incident, rather than a catastrophic shutdown.

Join this webinar to explore key insights, including:
- Defining the essential manufacturing processes that keep your production lines operational and your supply chain intact.
- Understanding the difference between creating a Minimum Viable Factory (MVF) and traditional Business Continuity Management/Disaster Recovery (BCM/DR) approaches for manufacturing environments.
- Learning three practical steps you can take to start building your own MVF with particular attention to securing the IT backbone of your operational technology (OT) environments.
- Examining real-world examples and lessons learned from successfully implementing MVF strategies in various manufacturing sectors.

Register here for the complimentary webinar: us02web.zoom.us/webinar/regist…

Hosted in collaboration with @rubrikInc
MFG-ISAC reposted
Global Resilience Federation
Global Resilience Federation@GRFederation·
Summit on Security & Third-Party Risk
Nov. 3-5 | Las Vegas

Why Now: Tighten third-party risk, resilience, and compliance before 2026 audits and board meetings
Outcome: Peer-tested TPRM workflows and improvements & cybersecurity insights
CPEs: Attendees self-report 10+ hours of education
Who Attends: CISOs, CSOs, directors of cybersecurity and TPRM, compliance teams, risk managers, security analysts
Urgency: Four weeks until the room block closes and you have to stay offsite
Register: grf.org/summit2025
MFG-ISAC
MFG-ISAC@MFG_ISAC·
A recent set of vulnerabilities in Copeland E2 and E3 mechanical controllers is of significant concern to manufacturers and the MFG-ISAC membership: "@Armissecurity uncovered ten critical hardware vulnerabilities in Copeland E2 and E3 controllers, widely deployed across global enterprises for managing HVAC (Heating, Ventilation, and Air Conditioning), BMS (building management systems), and commercial refrigeration systems in various industries, including Food Retail, Pharmaceuticals, and Cold Chain Logistics. Dubbed ‘Frostbyte10,’ these vulnerabilities could allow attackers to remotely disable equipment, alter system parameters, steal operational data, or achieve unauthenticated remote code execution with root privileges. The risks extend beyond IT, threatening food safety, cold chain logistics, and physical infrastructure by potentially disabling lighting in emergencies, spoiling goods and disrupting retail operations. Copeland has released updated firmware to address the issues, and organizations are urged to patch immediately to reduce the risk of exploitation. They also stressed there is no evidence that the flaws were exploited in the wild prior to fixes being issued. Due to the severity of these vulnerabilities and their impact, Armis urges affected organizations to assess their current exposure and to deploy mitigation actions immediately." Learn more from Copeland: copeland.com/en-us/products…
MFG-ISAC reposted
Global Resilience Federation
Global Resilience Federation@GRFederation·
Agenda posted! Join Global Resilience Federation for the 8th Annual Summit on Security & Third-Party Risk at the Palms in Las Vegas, from November 3-5, 2025. Attendees will gain an understanding of how organizations from different sectors are managing risk and leave the conference better armed to defend their company, regardless of its size or the maturity of its programs. View the list of speakers and sessions here: grf.org/summit2025
MFG-ISAC
MFG-ISAC@MFG_ISAC·
The OT Security Training Program is a partnership between @DragosInc OT-CERT and MFG-ISAC that gathers small and medium suppliers of large OT-centric businesses and provides free resources and training. By improving OT security and reducing risk, together we can strengthen resilience for the entire ecosystem. The program will offer live virtual training, and a portal to access training materials and guides. A chat tool will allow participants to communicate with one another to facilitate operationalizing the training materials. This webinar will be the first meeting of the program. Register to join us and learn more about these complimentary resources: us02web.zoom.us/webinar/regist…
MFG-ISAC reposted
Global Resilience Federation
Global Resilience Federation@GRFederation·
GRF analysts recently completed the semiannual ransomware report covering the first half of 2025. The report series tracks attacks based on public sources and conversations of threat actors in closed forums. Analysts compiled data on 2,940 successful attacks.

Some key findings:
• Manufacturing was again the most targeted industry with 531 victims, a 69% increase from H2 2024. The next most targeted sector was Commercial Facilities with 459, a 50% increase from the last report.
• This is the seventh report in a row in which Manufacturing has been the most targeted industry.
• Cl0p was the most prolific actor with 415 successful attacks, followed by Akira with 261.
• Roughly matching the previous report, the United States was targeted by 62% of all ransomware attacks tracked by GRF analysts, with 18% directed at companies within the EU and UK.
• Re-extortion is becoming more common, Initial Access Brokers have become an integral part of actors’ process, and Endpoint Detection Killers are gaining popularity.

Read the full report: grf.org/ransomware-rep…