Anomali Cyber Watch

The Federal Safety Net Is Fraying: What State CISOs Must Do Now to Defend Against Converging Threats

Published on
March 18, 2026
<p> State government IT leaders face a threat environment unlike anything in recent memory. In the span of a single week, the federal cybersecurity apparatus that states have relied upon for a decade suffered its deepest structural cuts yet, six industrial control system advisories landed affecting equipment in state buildings and water systems, and a social engineering technique called "ClickFix" exploded across multiple ransomware and espionage campaigns &mdash; with government employees squarely in the crosshairs. </p>
<p> This is not a drill. The convergence of degraded federal support, active nation-state operations, and a rapidly expanding OT attack surface demands that state CIOs and CISOs take immediate, concrete action. This brief lays out what changed, what it means, and exactly what to do about it. </p>
<h2> <strong> What Changed This Week </strong> </h2>
<p> The week of March 10&ndash;17, 2026 delivered four developments that individually would warrant attention. Together, they represent a structural shift in the threat landscape for state government. </p>
<h3> <strong> 1. CISA's election security and cyber defense programs have been hollowed out. </strong> </h3>
<p> The New York Times and multiple outlets reported on March 17 that staffing overhauls have gutted the programs states relied upon to safeguard voting systems and receive federal cyber support. Key departures include the leader of federal cyber defense programs. CIRCIA incident reporting town halls have been delayed. The 2015 Cybersecurity Information Sharing Act &mdash; the legal backbone for threat intelligence sharing between the private sector and government &mdash; lapsed during the October 2025 government shutdown and has not been renewed. </p>
<h3> <strong> 2. Six ICS/OT advisories in one week target equipment deployed in state facilities. </strong> </h3>
<p> CISA published advisories affecting Schneider Electric EcoStruxure Data Center Expert (hard-coded credentials in data center monitoring), Schneider SCADAPack x70 RTUs (water/wastewater SCADA), Trane Tracer building management systems (arbitrary command execution in state buildings), Siemens SICAM and SIMATIC S7-1500 controllers, and CODESYS in Festo automation products. This is an unusually high volume of advisories affecting products commonly found in state government environments. </p>
<h3> <strong> 3. ClickFix social engineering has been adopted by at least five unrelated threat groups in two weeks. </strong> </h3>
<p> This technique tricks users into manually executing malicious commands by presenting fake error messages or verification prompts &mdash; completely bypassing email security controls. It has now been weaponized by the Termite ransomware group (via CastleRAT), the newly reported LeakNet ransomware gang (via Deno-based in-memory loaders), macOS infostealer operators (MacSync), DNS-based delivery operators, and unknown actors who compromised over 250 WordPress sites including a U.S. Senate candidate's official webpage. </p>
<h3> <strong> 4. Nation-state actors &mdash; Russia, China, and Iran &mdash; are all running active operations against U.S. government targets. </strong> </h3>
<p> APT28/Fancy Bear government-targeting IOCs were refreshed on March 17. Chinese actors Volt Typhoon and Salt Typhoon are actively mapping industrial control loops and breaching U.S. telecommunications infrastructure respectively. Iranian threat actors, operating at elevated tempo since the start of the Iran conflict on February 28, are conducting both destructive wiper operations (Handala/Void Manticore, IRGC-affiliated) and espionage campaigns (MuddyWater, MOIS) against U.S. entities. 
</p> <h2> <strong> Threat Timeline: Key Events (March 2&ndash;17, 2026) </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Impact to State Government </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> Mar 2 </strong> </p> </td> <td> <p> CISA cyber defense program leader resigns </p> </td> <td> <p> Loss of key federal cyber support leadership </p> </td> </tr> <tr> <td> <p> <strong> Mar 6 </strong> </p> </td> <td> <p> Cisco confirms two additional SD-WAN vulnerabilities under active exploitation (CVE-2026-20122, CVE-2026-20128) </p> </td> <td> <p> Direct risk to state WAN infrastructure </p> </td> </tr> <tr> <td> <p> <strong> Mar 7 </strong> </p> </td> <td> <p> Termite ransomware (Velvet Tempest) adopts ClickFix + CastleRAT </p> </td> <td> <p> New ransomware delivery vector targeting government </p> </td> </tr> <tr> <td> <p> <strong> Mar 9 </strong> </p> </td> <td> <p> Microsoft warns ClickFix now targeting Windows Terminal </p> </td> <td> <p> Technique evolution &mdash; harder to detect </p> </td> </tr> <tr> <td> <p> <strong> Mar 9 </strong> </p> </td> <td> <p> CIRCIA incident reporting town halls delayed </p> </td> <td> <p> Reduced federal incident coordination </p> </td> </tr> <tr> <td> <p> <strong> Mar 10 </strong> </p> </td> <td> <p> CISA adds Ivanti EPM flaw to KEV catalog </p> </td> <td> <p> Risk to state endpoint management platforms </p> </td> </tr> <tr> <td> <p> <strong> Mar 10 </strong> </p> </td> <td> <p> Salt Typhoon telecom breach confirmed </p> </td> <td> <p> Chinese espionage targeting U.S. 
communications infrastructure </p> </td> </tr> <tr> <td> <p> <strong> Mar 11 </strong> </p> </td> <td> <p> 250+ WordPress sites compromised with ClickFix lures </p> </td> <td> <p> Government-adjacent sites weaponized </p> </td> </tr> <tr> <td> <p> <strong> Mar 12 </strong> </p> </td> <td> <p> CISA issues Emergency Directive ED 26-03 for Cisco SD-WAN </p> </td> <td> <p> Mandatory action for federal; strongly recommended for state </p> </td> </tr> <tr> <td> <p> <strong> Mar 12 </strong> </p> </td> <td> <p> Microsoft publishes Storm-2561 VPN poisoning TTPs </p> </td> <td> <p> Fake VPN installers mimicking Fortinet, Cisco, Ivanti brands </p> </td> </tr> <tr> <td> <p> <strong> Mar 12 </strong> </p> </td> <td> <p> Trane Tracer BMS advisory published (ICSA-26-071-01) </p> </td> <td> <p> Arbitrary command execution in state building systems </p> </td> </tr> <tr> <td> <p> <strong> Mar 15 </strong> </p> </td> <td> <p> Google emergency patches Chrome 146 for two zero-days </p> </td> <td> <p> Active exploitation of state employee browsers </p> </td> </tr> <tr> <td> <p> <strong> Mar 16 </strong> </p> </td> <td> <p> CVE-2025-47813 (Wing FTP Server) added to CISA KEV </p> </td> <td> <p> Path disclosure chainable to RCE; patch deadline Mar 30 </p> </td> </tr> <tr> <td> <p> <strong> Mar 17 </strong> </p> </td> <td> <p> CISA publishes 4 ICS advisories (Schneider, Siemens, CODESYS) </p> </td> <td> <p> Hard-coded credentials in data center equipment </p> </td> </tr> <tr> <td> <p> <strong> Mar 17 </strong> </p> </td> <td> <p> NYT reports CISA election security programs gutted </p> </td> <td> <p> Structural loss of federal cyber support for states </p> </td> </tr> <tr> <td> <p> <strong> Mar 17 </strong> </p> </td> <td> <p> LeakNet ransomware adopts ClickFix + Deno in-memory loader </p> </td> <td> <p> Fifth threat group adopting ClickFix in two weeks </p> </td> </tr> <tr> <td> <p> <strong> Mar 17 </strong> </p> </td> <td> <p> APT28/Fancy Bear government-targeting IOCs refreshed </p> 
</td> <td> <p> Russian military intelligence maintains active government targeting posture </p> </td> </tr> </tbody> </table> <h2> <strong> Threat Analysis: Four Converging Risks </strong> </h2> <h3> <strong> 1. The CISA Gap: States Are Increasingly On Their Own </strong> </h3> <p> The degradation of CISA is not a temporary disruption &mdash; it is a structural change in the federal-state cybersecurity relationship. States that previously relied on CISA for threat intelligence sharing, incident response surge capacity, vulnerability scanning, and election security support must now develop or procure these capabilities independently. </p> <p> The practical impacts are already visible: </p> <ul> <li> <strong> Threat sharing is degraded. </strong> The lapse of the 2015 Cybersecurity Information Sharing Act removes the legal framework that enabled private-sector threat data to flow to government defenders. </li> <li> <strong> Incident response capacity is reduced. </strong> When the next major state government breach occurs, federal surge support may not arrive at the speed or scale states have come to expect. </li> <li> <strong> Election security support is gutted. </strong> With 2026 midterms approaching, states must self-fund the election infrastructure security work CISA previously provided. </li> </ul> <p> <strong> What this means for budget planning: </strong> FY2027 cybersecurity budgets should account for capabilities the state previously received from CISA at no cost. This includes threat intelligence feeds, vulnerability scanning services, incident response retainers, and election security assessments. </p> <h3> <strong> 2. 
Nation-State Actors: Russia, China, and Iran Are All Active </strong> </h3> <p> Multiple nation-state threat groups are conducting operations relevant to state government networks: </p> <ul> <li> <strong> APT28 / Fancy Bear (Russia, GRU): </strong> Government-targeting indicators for X-Agent malware (HeaderDropper variant) were refreshed on March 17 at very-high severity. APT28 has a long history of targeting U.S. government entities at all levels. Active IOCs are listed in the SOC Guidance section below. </li> <li> <strong> Volt Typhoon / SYLVANITE (China, MSS): </strong> Dragos reported in February that SYLVANITE &mdash; linked to Volt Typhoon &mdash; is actively "mapping control loops across industrial infrastructure." While no direct state government compromise has been publicly reported, the absence of visible activity likely indicates pre-positioning rather than inactivity. Volt Typhoon's known playbook involves living-off-the-land techniques that are extremely difficult to detect. </li> <li> <strong> Salt Typhoon (China): </strong> Confirmed breach of major U.S. telecommunications providers (March 10), with implications for the confidentiality of state government communications traversing compromised carrier networks. </li> <li> <strong> Handala / Void Manticore (Iran, IRGC): </strong> Conducting destructive wiper operations against U.S. entities amid the ongoing Iran conflict (Operation Epic Fury / Roaring Lion, which began February 28). The Stryker wiper attack demonstrated willingness to target U.S. organizations. </li> <li> <strong> MuddyWater (Iran, MOIS): </strong> Deploying the Dindoor backdoor against U.S. banks, airports, and non-profits &mdash; espionage operations running in parallel with Handala's destructive campaigns. MuddyWater operates under Iran's Ministry of Intelligence and Security (MOIS), distinct from the IRGC-affiliated actors conducting wiper operations. 
</li> <li> <strong> Storm-2561: </strong> Microsoft published a detailed analysis on March 12 of this group's SEO poisoning campaign that delivers trojanized VPN installers mimicking Fortinet, Cisco, and Ivanti branding &mdash; all vendors commonly used in state government environments. </li> </ul> <h3> <strong> 3. OT/ICS: The Physical-Consequence Attack Surface Is Expanding </strong> </h3> <p> The batch of six ICS advisories published between March 12&ndash;17 is not routine. The affected products &mdash; Schneider Electric EcoStruxure, SCADAPack RTUs, Trane Tracer BMS, Siemens SICAM and SIMATIC controllers &mdash; are commonly deployed in state government environments for data center monitoring, water/wastewater treatment, building management, and transportation SCADA. </p> <p> The most concerning findings: </p> <ul> <li> <strong> Schneider Electric EcoStruxure Data Center Expert </strong> contains hard-coded credentials. This product monitors environmental conditions and power management in data centers. Hard-coded credentials provide trivial initial access if the system is network-accessible. </li> <li> <strong> Trane Tracer SC/SC+/Concierge </strong> allows arbitrary command execution. These building management systems control HVAC, lighting, and access systems in state government facilities. Arbitrary command execution could enable an attacker to manipulate physical building systems. </li> <li> <strong> Schneider SCADAPack x70 RTUs </strong> are used in water and wastewater SCADA environments. Combined with the Dragos finding that state-affiliated hackers are actively mapping control loops in industrial environments, this vulnerability represents a direct physical-consequence risk. </li> </ul> <h3> <strong> 4. ClickFix: A Social Engineering Technique That Bypasses Your Email Security </strong> </h3> <p> ClickFix deserves special attention because it represents a fundamental shift in social engineering tactics. 
Unlike traditional phishing &mdash; which delivers a malicious attachment or link via email &mdash; ClickFix tricks users into manually copying and executing malicious commands by presenting fake error messages, browser verification prompts, or IT support dialogs on compromised websites. </p> <p> <strong> Why this matters for state government: </strong> </p> <ul> <li> It <strong> bypasses email security entirely </strong> because the malicious payload is never delivered via email </li> <li> State employees frequently encounter legitimate IT verification prompts and self-service portals, making them susceptible to mimicry </li> <li> The technique has been adopted by <strong> at least five unrelated threat groups </strong> in two weeks: Termite ransomware (CastleRAT), LeakNet ransomware (Deno loader), MacSync infostealer operators, DNS-based delivery operators, and unknown actors via 250+ compromised WordPress sites </li> <li> A DNS-based variant uses nslookup to retrieve PowerShell payloads &mdash; the first known use of DNS as a ClickFix delivery channel </li> </ul> <p> The cross-pollination speed is alarming. When a technique spreads this rapidly across unrelated groups, it signals that the method is effective and difficult to defend against with existing controls. 
</p> <h2> <strong> Predictive Analysis: What Comes Next </strong> </h2> <p> Based on current threat trajectories, actor operational tempo, and the convergence of enabling conditions: </p> <table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> ClickFix campaigns specifically targeting .gov or government-adjacent websites </p> </td> <td> <p> <strong> 70% </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> Technique proliferation rate, government already in target set, 250+ sites already compromised </p> </td> </tr> <tr> <td> <p> Iran-linked actors (Handala/Void Manticore or MuddyWater) claim another U.S. target </p> </td> <td> <p> <strong> 65% </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> Escalating conflict since Feb 28, demonstrated operational tempo, dual IRGC and MOIS campaigns active </p> </td> </tr> <tr> <td> <p> Additional CISA KEV entries for ICS/OT vulnerabilities with compressed remediation timelines </p> </td> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> Anomalous advisory volume this week, Dragos OT threat reporting </p> </td> </tr> <tr> <td> <p> Ransomware group successfully encrypts a state or local government network </p> </td> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> 49% YoY increase in ransomware, 130+ active groups, ClickFix as new initial access vector </p> </td> </tr> <tr> <td> <p> Chinese APT pre-positioning in state OT infrastructure discovered </p> </td> <td> <p> <strong> 35% </strong> </p> </td> <td> <p> 90 days </p> </td> <td> <p> Dragos SYLVANITE/Volt Typhoon reporting, "mapping control loops" activity, historical pattern of delayed discovery </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> Hunting 
Hypotheses </strong> </h3> <table> <thead> <tr> <th> <p> <strong> # </strong> </p> </th> <th> <p> <strong> Hypothesis </strong> </p> </th> <th> <p> <strong> ATT&amp;CK Technique </strong> </p> </th> <th> <p> <strong> Detection Approach </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> H1 </p> </td> <td> <p> ClickFix has delivered payloads to state endpoints via compromised websites </p> </td> <td> <p> T1204.002 (User Execution: Malicious File), T1059.001 (PowerShell) </p> </td> <td> <p> Hunt for powershell.exe or cmd.exe spawned by browser processes (chrome.exe, msedge.exe). Look for clipboard paste events followed by command execution. </p> </td> </tr> <tr> <td> <p> H2 </p> </td> <td> <p> Storm-2561 trojanized VPN installers are present on state endpoints </p> </td> <td> <p> T1036 (Masquerading), T1608.005 (Stage Capabilities: Link Target) </p> </td> <td> <p> Search for VPN installer executables downloaded from non-vendor domains. Audit DNS logs for domains mimicking Fortinet, Cisco, or Ivanti download sites. </p> </td> </tr> <tr> <td> <p> H3 </p> </td> <td> <p> Schneider EcoStruxure DCE hard-coded credentials are being used for unauthorized access </p> </td> <td> <p> T1078 (Valid Accounts), T0859 (Valid Accounts &mdash; ICS) </p> </td> <td> <p> Audit authentication logs on EcoStruxure DCE instances for default/hard-coded credential usage. Check for unexpected remote access to data center monitoring systems. </p> </td> </tr> <tr> <td> <p> H4 </p> </td> <td> <p> DNS-based ClickFix variant is using nslookup for payload retrieval </p> </td> <td> <p> T1071.004 (Application Layer Protocol: DNS) </p> </td> <td> <p> Monitor for anomalous nslookup executions from user workstations, especially those followed by PowerShell execution. Baseline normal DNS tool usage. 
</p> </td> </tr> <tr> <td> <p> H5 </p> </td> <td> <p> Volt Typhoon living-off-the-land activity in OT-adjacent network segments </p> </td> <td> <p> T1059.001 (PowerShell), T1218 (System Binary Proxy Execution) </p> </td> <td> <p> Hunt for unusual use of native Windows tools (wmic, ntdsutil, netsh) on systems with connectivity to OT/SCADA networks. Focus on lateral movement from IT to OT segments. </p> </td> </tr> </tbody> </table> <h3> <strong> Key ATT&amp;CK Techniques to Monitor </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Technique ID </strong> </p> </th> <th> <p> <strong> Name </strong> </p> </th> <th> <p> <strong> Relevance </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> T1204.002 </p> </td> <td> <p> User Execution: Malicious File </p> </td> <td> <p> ClickFix &mdash; user manually executes payload </p> </td> </tr> <tr> <td> <p> T1059.001 </p> </td> <td> <p> PowerShell </p> </td> <td> <p> ClickFix payload execution, Volt Typhoon LOTL </p> </td> </tr> <tr> <td> <p> T1071.004 </p> </td> <td> <p> DNS Application Layer Protocol </p> </td> <td> <p> DNS-based ClickFix variant </p> </td> </tr> <tr> <td> <p> T1190 </p> </td> <td> <p> Exploit Public-Facing Application </p> </td> <td> <p> Cisco SD-WAN, FortiOS, Wing FTP, Ivanti EPM </p> </td> </tr> <tr> <td> <p> T1078 </p> </td> <td> <p> Valid Accounts </p> </td> <td> <p> Schneider hard-coded creds, APT28, Storm-2561 </p> </td> </tr> <tr> <td> <p> T0855 </p> </td> <td> <p> Unauthorized Command Message </p> </td> <td> <p> Trane Tracer BMS arbitrary command execution </p> </td> </tr> <tr> <td> <p> T0831 </p> </td> <td> <p> Manipulation of Control </p> </td> <td> <p> ICS/SCADA impact from OT vulnerabilities </p> </td> </tr> <tr> <td> <p> T1036 </p> </td> <td> <p> Masquerading </p> </td> <td> <p> Storm-2561 fake VPN installers </p> </td> </tr> <tr> <td> <p> T1189 </p> </td> <td> <p> Drive-by Compromise </p> </td> <td> <p> ClickFix via compromised WordPress sites </p> </td> </tr> </tbody> </table> <h3> 
<strong> Defensive Guidance </strong> </h3> <ul> <li> <strong> Email security alone will not stop ClickFix. </strong> Implement browser isolation or endpoint detection rules that alert on command-line interpreters (cmd.exe, powershell.exe, terminal) spawned by browser processes. </li> <li> <strong> Segment OT networks aggressively. </strong> The combination of hard-coded credentials in Schneider products and active nation-state mapping of control loops means any OT system reachable from the IT network is at elevated risk. </li> <li> <strong> Audit VPN installer sources. </strong> Storm-2561's SEO poisoning campaign places trojanized VPN installers at the top of search results. Ensure employees download VPN clients only from approved internal sources or verified vendor URLs. </li> <li> <strong> Patch Chrome immediately. </strong> Two zero-days in Chrome 146 (patched to 146.0.7680.75+) are under active exploitation. This is the single fastest-impact action available. </li> </ul> <h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Financial Services (State Treasury, Revenue, Tax Systems) </strong> </h3> <p> State financial systems process tax payments, benefits disbursements, and vendor payments for millions of residents. The BridgePay ransomware attack (February 10&ndash;16) disrupted payment processing for multiple cities and demonstrates the cascading impact of payment vendor compromise. </p> <ul> <li> <strong> Priority: </strong> Audit third-party payment processor security posture and contractual incident response requirements </li> <li> <strong> Priority: </strong> Deploy phishing-resistant MFA (FIDO2) on all financial transaction systems &mdash; ClickFix and Storm-2561 both target credentials that enable financial fraud </li> <li> <strong> Monitor: </strong> MuddyWater (Dindoor backdoor, MOIS-affiliated) is actively targeting U.S. 
financial institutions </li> </ul> <h3> <strong> Energy and Water/Wastewater (State-Managed Utilities and SCADA) </strong> </h3> <p> The Schneider SCADAPack x70 RTU advisory and Dragos reporting on SYLVANITE/Volt Typhoon mapping control loops make this the highest-risk sector this week. </p> <ul> <li> <strong> Priority: </strong> Inventory all SCADAPack x70 and Siemens SIMATIC S7-1500 deployments; apply vendor patches or isolate from network </li> <li> <strong> Priority: </strong> Validate that OT networks are not reachable from IT networks without passing through a monitored jump host or demilitarized zone </li> <li> <strong> Monitor: </strong> Any unusual use of native Windows administration tools on systems adjacent to SCADA networks (Volt Typhoon indicator) </li> </ul> <h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong> </h3> <p> State health agencies manage Medicaid enrollment, public health surveillance, and vital records containing protected health information for millions of residents. </p> <ul> <li> <strong> Priority: </strong> ClickFix awareness training for healthcare workers who routinely interact with web-based clinical and enrollment systems </li> <li> <strong> Priority: </strong> Ensure Chrome 146 is patched across all clinical and administrative workstations &mdash; healthcare environments often lag on browser patching </li> <li> <strong> Monitor: </strong> Ransomware groups (Qilin, Medusa, Play) continue to disproportionately target healthcare </li> </ul> <h3> <strong> Government Administration (All Executive Branch Agencies) </strong> </h3> <p> The broadest attack surface &mdash; every state employee is a potential ClickFix target, and every agency uses the shared IT infrastructure (Cisco SD-WAN, FortiGate, M365) that is under active threat. 
</p> <ul> <li> <strong> Priority: </strong> Issue ClickFix awareness advisory to all state employees within 48 hours </li> <li> <strong> Priority: </strong> Confirm Cisco SD-WAN Manager patched per CISA Emergency Directive ED 26-03 </li> <li> <strong> Priority: </strong> Conduct M365 security configuration audit &mdash; the Western Australia government audit (March 10) found weak conditional access policies, MFA gaps, and permissive OAuth consent settings in a directly analogous state government M365 environment </li> <li> <strong> Monitor: </strong> APT28 government-targeting IOCs (hashes listed above) </li> </ul> <h3> <strong> Aviation and Transportation/Logistics (State DOT, Transit Authorities, Airports) </strong> </h3> <p> The Qilin ransomware attack on Tulsa International Airport (February 2) and MuddyWater targeting of U.S. airports demonstrate that transportation infrastructure is in the active target set. </p> <ul> <li> <strong> Priority: </strong> Review airport and transit authority network segmentation &mdash; ensure operational technology (baggage handling, signaling, traffic management) is isolated from IT networks </li> <li> <strong> Priority: </strong> Audit Siemens SICAM deployments in transportation SCADA environments against the March 17 advisory </li> <li> <strong> Monitor: </strong> Iranian threat actors (MuddyWater, MOIS-affiliated) have specifically targeted U.S. airports in recent campaigns </li> </ul> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> Immediate Actions (Next 48 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> <strong> # </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> <strong> Patch Chrome 146 to 146.0.7680.75+ on all state endpoints. </strong> Two zero-days under active exploitation. Verify via endpoint management console. 
</p> </td> <td> <p> Desktop / Endpoint Ops </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> <strong> Confirm Cisco SD-WAN Manager patched for CVE-2026-20122 and CVE-2026-20128. </strong> If unpatched, conduct threat hunt per CISA Emergency Directive ED 26-03. </p> </td> <td> <p> Network Operations </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> <strong> Issue ClickFix awareness alert to all state employees. </strong> Key message: never execute commands from pop-up prompts, browser error messages, or verification windows. Report suspicious prompts to the SOC immediately. </p> </td> <td> <p> CISO Office / Security Awareness </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> <strong> Ingest APT28/X-Agent IOCs into EDR and SIEM </strong> (hashes listed in SOC Guidance above). </p> </td> <td> <p> SOC / Threat Detection </p> </td> </tr> </tbody> </table> <h3> <strong> 7-Day Actions </strong> </h3> <table> <thead> <tr> <th> <p> <strong> # </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 5 </p> </td> <td> <p> <strong> Inventory and patch Wing FTP Server instances </strong> (CVE-2025-47813). CISA KEV deadline: March 30. </p> </td> <td> <p> Vulnerability Management </p> </td> </tr> <tr> <td> <p> 6 </p> </td> <td> <p> <strong> Audit Schneider Electric EcoStruxure DCE deployments </strong> in state data centers for hard-coded credential vulnerability. Apply vendor patch or network-isolate. </p> </td> <td> <p> Facilities / OT Security </p> </td> </tr> <tr> <td> <p> 7 </p> </td> <td> <p> <strong> Audit Trane Tracer SC/SC+/Concierge BMS deployments </strong> in state buildings. The arbitrary command execution vulnerability has physical-consequence implications. </p> </td> <td> <p> Facilities / OT Security </p> </td> </tr> <tr> <td> <p> 8 </p> </td> <td> <p> <strong> Confirm Ivanti EPM patch status. 
</strong> CISA flagged an Ivanti EPM flaw as actively exploited on March 10. </p> </td> <td> <p> Endpoint Ops </p> </td> </tr> <tr> <td> <p> 9 </p> </td> <td> <p> <strong> Block Storm-2561 TTPs at web proxy: </strong> flag VPN installer downloads from non-vendor domains, especially those mimicking Fortinet, Ivanti, or Cisco branding. </p> </td> <td> <p> SOC / Web Security </p> </td> </tr> </tbody> </table> <h3> <strong> 30-Day Actions </strong> </h3> <table> <thead> <tr> <th> <p> <strong> # </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 10 </p> </td> <td> <p> <strong> Conduct M365 security configuration audit </strong> modeled on the Western Australia government findings. Focus on conditional access policies, MFA enforcement gaps, OAuth app consent settings, and mail forwarding rules. </p> </td> <td> <p> Cloud Security / IAM </p> </td> </tr> <tr> <td> <p> 11 </p> </td> <td> <p> <strong> Assess CISA service degradation impact and develop contingency plans. </strong> Identify which CISA services the state relied upon (threat sharing, incident response, election security, vulnerability scanning) and budget for alternatives. </p> </td> <td> <p> CISO Office / Policy </p> </td> </tr> <tr> <td> <p> 12 </p> </td> <td> <p> <strong> Review third-party payment processor security posture. </strong> The BridgePay ransomware attack disrupted payment systems for multiple cities. Ensure state payment vendors have tested incident response plans and contractual security requirements. </p> </td> <td> <p> Procurement / Vendor Risk </p> </td> </tr> <tr> <td> <p> 13 </p> </td> <td> <p> <strong> Evaluate SCADAPack x70 RTU and Siemens SIMATIC S7-1500 exposure </strong> in water/wastewater and transportation SCADA. Cross-reference with Dragos finding that state-affiliated hackers are mapping control loops in OT environments. 
</p> </td> <td> <p> OT Security / Critical Infrastructure </p> </td> </tr> </tbody> </table> <h3> <strong> Executive and IR Preparedness </strong> </h3> <table> <thead> <tr> <th> <p> <strong> # </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 14 </p> </td> <td> <p> <strong> Brief the Governor's office and agency heads </strong> on the CISA degradation and its implications for state cybersecurity posture ahead of 2026 midterms. </p> </td> <td> <p> CIO / CISO </p> </td> </tr> <tr> <td> <p> 15 </p> </td> <td> <p> <strong> Validate incident response retainer contracts. </strong> With reduced federal surge capacity, ensure the state has commercial IR retainers that can respond within contractual SLAs. Test activation procedures. </p> </td> <td> <p> CISO Office </p> </td> </tr> <tr> <td> <p> 16 </p> </td> <td> <p> <strong> Conduct a tabletop exercise </strong> simulating a ransomware attack on a state agency during a period of degraded federal support. Test state-level response without CISA assistance. </p> </td> <td> <p> CISO Office / Agency CISOs </p> </td> </tr> <tr> <td> <p> 17 </p> </td> <td> <p> <strong> Review cyber insurance coverage </strong> in light of the expanded OT threat surface and ClickFix-enabled ransomware delivery. Ensure policy covers OT incidents and social engineering-initiated compromises. </p> </td> <td> <p> Risk Management / Legal </p> </td> </tr> </tbody> </table> <h2> <strong> The Bottom Line </strong> </h2> <p> The three developments this week &mdash; CISA's structural degradation, the surge in OT/ICS advisories, and the rapid proliferation of ClickFix &mdash; are not isolated events. They are converging to create a threat environment where state governments face more sophisticated attacks with less federal support than at any point in the last decade. 
Layered on top of this, nation-state actors from Russia, China, and Iran are all running active operations, with Iranian threat groups operating at elevated tempo since the start of the Iran conflict on February 28. </p> <p> The math is straightforward: nation-state actors are actively targeting government networks and mapping industrial control systems. Ransomware groups are adopting social engineering techniques that bypass your email security. And the federal agency that was supposed to help you deal with all of this has been hollowed out. </p> <p> States that act now &mdash; patching critical vulnerabilities, training employees on ClickFix, auditing OT environments, and planning for reduced federal support &mdash; will be in a defensible position. States that wait for the next CISA advisory may find that advisory never comes. </p> <p> <strong> Patch Chrome today. Issue the ClickFix alert tomorrow. Start your OT audit this week. Brief your leadership on the CISA gap this month. </strong> The threat actors are not waiting, and neither should you. </p>
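The Python below is an added illustration, not part of the Anomali brief: it turns hunting hypotheses H1 (interpreter spawned by a browser, which is also the Defensive Guidance endpoint rule) and H4 (nslookup followed by PowerShell on a user workstation, with a baseline exclusion for users whose DNS tool use is routine) into checks run over constructed Sysmon-style process-creation events. The JSON log schema, the host and user names, and wt.exe as the Windows Terminal process name are assumptions made for the example.

```python
"""Run ClickFix hunting hypotheses H1 and H4 over process-creation events.

Added example. Event schema (assumed, modelled on Sysmon Event ID 1):
  ts, host, user, image, parent_image, cmdline  as one JSON object per line.
"""
import json
from datetime import datetime, timedelta

# Process names taken from the brief's H1 and Defensive Guidance entries.
# wt.exe is assumed here as the Windows Terminal executable name.
BROWSERS = {"chrome.exe", "msedge.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wt.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample events: one browser-spawned PowerShell (H1 hit), one
# nslookup -> PowerShell chain on a workstation (H4 hit), one routine admin
# chain on a jump host (baselined), and one pair too far apart to correlate.
SAMPLE_LOG = """\
{"ts":"2026-03-16T09:14:02","host":"WS-TAX-0142","user":"j.doe","image":"chrome.exe","parent_image":"explorer.exe","cmdline":"chrome.exe --profile-directory=Default"}
{"ts":"2026-03-16T09:14:40","host":"WS-TAX-0142","user":"j.doe","image":"powershell.exe","parent_image":"chrome.exe","cmdline":"powershell.exe -w hidden -c <constructed opaque command>"}
{"ts":"2026-03-16T09:30:05","host":"WS-TAX-0142","user":"j.doe","image":"cmd.exe","parent_image":"explorer.exe","cmdline":"cmd.exe /c ipconfig"}
{"ts":"2026-03-16T10:02:11","host":"WS-HLT-0077","user":"m.lee","image":"nslookup.exe","parent_image":"cmd.exe","cmdline":"nslookup <constructed-domain>"}
{"ts":"2026-03-16T10:02:49","host":"WS-HLT-0077","user":"m.lee","image":"powershell.exe","parent_image":"cmd.exe","cmdline":"powershell.exe -c <constructed opaque command>"}
{"ts":"2026-03-16T11:15:00","host":"JH-NET-01","user":"netadmin","image":"nslookup.exe","parent_image":"cmd.exe","cmdline":"nslookup dc01.state.local"}
{"ts":"2026-03-16T11:15:20","host":"JH-NET-01","user":"netadmin","image":"powershell.exe","parent_image":"cmd.exe","cmdline":"powershell.exe Get-Service"}
{"ts":"2026-03-16T13:40:00","host":"WS-DOT-0210","user":"a.kim","image":"nslookup.exe","parent_image":"cmd.exe","cmdline":"nslookup printserver"}
{"ts":"2026-03-16T14:10:00","host":"WS-DOT-0210","user":"a.kim","image":"powershell.exe","parent_image":"explorer.exe","cmdline":"powershell.exe Get-Date"}
"""


def parse_events(log_text):
    """Parse JSON lines into dicts with a datetime ts, sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["image"] = ev["image"].lower()
        ev["parent_image"] = ev["parent_image"].lower()
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def hunt_browser_spawned_interpreters(events):
    """H1 / Defensive Guidance: a command-line interpreter whose parent is a
    browser process. Legitimate software rarely produces this parent/child pair."""
    return [ev for ev in events
            if ev["image"] in INTERPRETERS and ev["parent_image"] in BROWSERS]


def hunt_nslookup_then_powershell(events, window=timedelta(minutes=5),
                                  baseline_users=frozenset()):
    """H4: nslookup followed by PowerShell within `window` for the same host
    and user. Users whose routine DNS tool use has been baselined (e.g. network
    admins on jump hosts) are excluded, as the brief's guidance suggests."""
    findings = []
    lookups = [ev for ev in events
               if ev["image"] == "nslookup.exe" and ev["user"] not in baseline_users]
    for lk in lookups:
        for ev in events:
            same_actor = ev["host"] == lk["host"] and ev["user"] == lk["user"]
            in_window = lk["ts"] < ev["ts"] <= lk["ts"] + window
            if ev["image"] in POWERSHELL and same_actor and in_window:
                findings.append({
                    "host": lk["host"], "user": lk["user"],
                    "nslookup": lk["cmdline"], "powershell": ev["cmdline"],
                    "seconds_apart": int((ev["ts"] - lk["ts"]).total_seconds()),
                })
                break  # one finding per nslookup is enough for triage
    return findings


def run_hunts(log_text, baseline_users=frozenset()):
    """Run both hunts and return findings keyed by hypothesis id."""
    events = parse_events(log_text)
    return {
        "H1": hunt_browser_spawned_interpreters(events),
        "H4": hunt_nslookup_then_powershell(events, baseline_users=baseline_users),
    }


if __name__ == "__main__":
    for hyp, hits in run_hunts(SAMPLE_LOG, baseline_users={"netadmin"}).items():
        print(f"{hyp}: {len(hits)} finding(s)")
        for hit in hits:
            print("  ", hit)
```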
