ALL American utilities are facing cyber attacks. Frankly every organization out there is facing them daily. I am focused on security constantly and I have dedicated security professionals in several organizations. I am telling half of you here nothing new...

Email is the worst. I know someone that left a big security software company recently. He was kind of high up in the organization and a long time employee. The official stats put compromise by email at about 90% of all compromises and their company does too, but he says the reality is more like 98%. And anyone trying to sell you on AI is the answer - well it simply isn't at this point. Any reputable email filtering company is leveraging it as part of their scanning. Some of the stuff that has made it through our email filtering just boggles my mind. The things people open double boggle my mind. Train them all you want they are still people. One we had in the last month - Subject - "Information on your upcoming special bonus", mailed from a .jp email address from outside our company? No words in the body? Just and Excel attachment? I better open that... And I can't even begin to tell you it came from NOBODY in our company and didn't pretend to.

Today's EDR (antivirus) software is good. Management of the software is the real issue. You can't count on the companies to manage them and 3rd parties are a true roll of the dice. Some of the biggest breaches happened under the nose of very reputable security organizations. Everyone heard of Crowdstrike because they screwed up in a massive way recently. I don't run them but IMHO theirs is the best on the market at the moment. I recently had a behind the scenes look at their platform. They are ahead of the rest, again IMHO. There are several worthy competitors SentinelOne, CarbonBlack, PaloAlto, TrendMicro being some of the best. But it all comes down to the existing MITRE ATT&CK matrix (road mapped method of compromising a computer) and detecting new unmapped methods AND effectively blocking them.

My physical sites are hit with what reach "scan" level events daily. They are probably hit another 10 to 20 times a day on ports that don't reach scan level events (3 ports or less in my settings). I actively block half the countries in the world at this point because we should not have incoming traffic from them. All that to say, the US is still open and there are a lot of compromised computers in the US being used for the same thing. Staying on top of Firewalls is a top priority.

I definitely employ a few layers of defense but we are a private company so we are a bit more nimble in being able to adjust to the threat landscape and have owners that understand how high of a priority it is.