The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday published a joint advisory warning of "ongoing malicious activity—by both known and unknown actors" directed against water and wastewater treatment facilities. It emphasizes the threat of spearphishing as well as exploitation of outdated operating systems and vulnerable control system firmware.
CISA also released more than twenty industrial control system advisories yesterday.
Missouri Governor Mike Parson has denounced the Saint Louis Post-Dispatch for what he characterized as the newspaper's "hacking" of the Department of Elementary and Secondary Education (DESE). He said at a press conference yesterday that he's referring the newspaper and its reporter for prosecution. The Post-Dispatch had found some teachers' Social Security Numbers coded into the html of a publicly accessible DESE website where citizens could check teachers' credentials. The paper informed DESE, waited until DESE had taken the information down, and then published its story.
Governor Parson has since doubled down via Twitter, claiming that the Post-Dispatch's story places them on the wrong side of "Tampering with computer data" (a Class A misdemeanor, or, if the action involves theft of $750 or more, a Class E felony). His Tweet also points out that "Tampering with computer data, computer equipment, or computer users" is a civil tort. Most of those covering or reacting to the governor's press conference aren't buying it. See Ars Technica for a representative discussion of Governor Parson's excursus on that hackin' world. (Ars Technica's story is more measured than most of the others we've seen.)