Feed aggregator

The John F. Kennedy Center for the Performing Arts in Washington, D.C., has dissolved its Social Impact division, which partnered with local organizations to bring in diverse artists and audiences.

(Image credit: Kennedy Center)

More than three-quarters of U.S. wells make just 6% of the country's oil. They're called marginal wells because of their small output. But they're a big deal to oil producers and environmentalists.

(Image credit: September Dawn Bottoms for NPR)

Many rural counties are short on dentists, and if they lose water fluoridation, tooth decay could surge to levels that have not been seen in decades, experts warn.

(Image credit: Katie Adkins)

As agencies scramble to comply with President Trump's Jan. 20 order terminating remote work, employees say the process has been marked by confusion, changing guidance, and frustrating conditions.

(Image credit: Andrew Harnik)

Operational technology (OT) has long struggled with modern cybersecurity demands, but operators now face an increasingly dire cyber threat from nation-state actors. OT is essential for managing cyber-physical systems across fields, including manufacturing, transport, and energy, putting it in the sights of hostile actors backed by China, Russia, Iran, and more.

Yet many OT environments are profoundly unprepared for the threat, often struggling with essential vulnerability management activity that should be a baseline to reliable security.

OT security teams should consider a shift to a policy of exposure management, a smarter approach that prioritizes the most exploitable, high-risk vulnerabilities first. Organizations relying on OT must move to reduce operational strain while closing the gaps that leave their systems open to hostile state-backed actors.

Why OT is a prime target for nation-state cyberattacks

OT environments are prime targets for nation-state actors and cybercriminals attacking critical national infrastructure (CNI). Adversaries have a range of objectives, from stealing classified data and conducting corporate espionage to disrupting economic stability.

In the last few years, multiple high-profile incidents have been linked to known threat groups. For example, Volt Typhoon and Salt Typhoon are two prolific groups linked to China that have conducted several attacks on U.S. infrastructure.

Volt Typhoon has infiltrated critical infrastructure, including communications, energy, and water, and is known for using stealthy, low-and-slow tactics to exploit native tools and systems. Salt Typhoon, meanwhile, is believed to be involved in exfiltrating data from ISPs for use by Chinese intelligence operations.

Sandworm, closely linked to Russia’s military intelligence, is another long-running APT targeting critical infrastructure. The group is believed to be behind several attacks on Ukraine’s power grid over the last decade, creating the Industroyer and Industroyer 2 malware designed for industrial equipment using specific protocols. Sandworm also unleashed the notorious NotPetya ransomware.

Iran has also proven itself to be a major player in international cyberattacks. The CyberAv3ngers group has attacked U.S. water facilities using compromised PLCs and HMIs. The group has also targeted civilian infrastructure with IOCONTROL, a Linux-based backdoor designed for multiple standard OT control systems.

While high-level APTs like these have the resources and expertise for advanced tools and tactics, many OT attacks begin with unsecured devices connected to the internet, providing a clear attack path to establish footholds in critical systems.

After assessing nearly one million OT devices across 270 organizations in multiple fields, we found persistent evidence of malware in OT systems. Sample companies in manufacturing, natural resources, and logistics and transportation all had more than 10% of their OT devices communicating with malicious domains.

The problem with traditional vulnerability management

Vulnerability management is a persistent issue across most sectors but can be particularly difficult when dealing with OT environments. In addition to the large and continuously increasing number of vulnerabilities to address, OT security teams must also deal with complex networks that include many disparate assets, often using their own proprietary operating systems. OT assets are seldom compatible with scanning and IT management tools designed for standard IT networks.

As a result, teams often struggle to implement the prioritized, ordered approach to vulnerabilities needed to keep ahead of hostile attacks.

Of the 270 organizations we assessed, 70% had at least one known exploitable vulnerability (KEV) in their OT systems. Twelve percent of the nearly one million devices included in the study contained a KEV that had yet to be patched. Worse, 40% of organizations have OT assets insecurely connected to the internet, creating a direct pathway for cyberattacks.

Security teams are often stuck pursuing slow and inefficient patch management programs that lack clear direction. Prioritization is usually based extensively on CVSS scores, which fail to consider the context within the company and, thus, the vulnerability's real-world exploitability and impact. More dangerous vulnerabilities may be overlooked while less important issues drain resources.

The case for exposure management

Dealing with vulnerable OT assets requires a more dynamic approach, prioritized by the real risk to the organization and its infrastructure. Exposure management has emerged as one of the most effective strategies, enabling teams to identify and focus on vulnerabilities with the most significant potential for real-world exploitation.

Exposure management weighs priorities based on multiple risk factors, including identifying which KEVs are actively exploited in the wild and whether assets are affected by insecure remote access or misconfigurations that increase risk. The assessment also considers a device's criticality to business operations, for example, prioritizing those that would disrupt production or cause safety issues in the event of a breach.

The result is a drastically reduced and more focused to-do list for security teams. For example, our research found roughly 111,000 devices with KEVS. But filtering the list by vulnerabilities linked to ransomware and devices with insecure connectivity immediately reduces the total number to 3,800. Suddenly, the task has shrunk by a factor of 30, even before applying more context for specific organizations.

How to start implementing exposure management in OT security

Exposure management follows a five-step process to identify, assess and resolve OT vulnerabilities.

1. Scoping

The first step is identifying those OT assets most critical to operations, such as production lines in manufacturing or scheduling control systems in maritime transport. This is especially important for asset-intensive companies with a large volume of devices to manage. The aim is to reduce the number of assets that need continuous security inspection.

2. Discovery

Next, this initial list of assets is built into a detailed inventory, focusing on the highest-risk devices. This needs to be a highly data-driven method, while more extensive and complex operations will need an automated approach to make discovery manageable.

3. Prioritization

The high-risk inventory can now be prioritized based on severity. As discussed, this process needs to move beyond basic CVSS scores to consider the actual risk posed by KEVs, the asset’s connectivity status, and the potential impact of a breach. Exploit prediction scoring and business impact assessments provide more data points to inform these decisions.

4. Validation

Before taking any action, it’s crucial to ensure vulnerabilities are exploitable and not blocked by elements like closed ports or firewalls. This avoids wasting resources on patching vulnerabilities that look severe on paper but are low risk in reality.

5. Mobilization

With all that preparation done, it’s time to get moving. It’s best to integrate exposure management into existing security workflows like patching and access control wherever possible to keep things efficient. Organizations should also look to establish cross-team collaboration between IT, security, and operations, as OT often becomes heavily siloed from standard IT practices.

Hardening OT against advanced adversaries

Traditional vulnerability management is failing OT security teams by focusing on attempting to patch everything rather than addressing real threats. In the face of increasingly aggressive state-backed actors, this inefficient approach leaves critical infrastructure vulnerable to severe security incidents.

Identifying and prioritizing high-risk vulnerabilities through an exposure management approach will enable these organizations to manage vulnerabilities quickly and efficiently, drastically improving defenses against nation-state threats, ransomware, and cybercriminals.

We feature the best network monitoring tool.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

While federal guardrails for AI tools in the U.S. are being dismantled—even as global coalitions gather to adopt new standards—tech leaders face a critical choice: exploit the regulatory void for short-term gains, or step up to shape what responsible innovation looks like. Your move matters more than you think.

This isn't just another think piece lecturing you about "tech responsibility"—though responsible tech practices absolutely matter. Instead, it's about building resilient organizations that thrive because of ethical governance, not in spite of it. Let me show you how.

Leading in the Void

When regulations retreat, two things happen at once: responsibility shifts from government oversight directly to your organization, and your decisions take on amplified significance. This vacuum presents a crucial leadership opportunity. When government oversight steps back, the most innovative companies step forward, not to exploit the gaps, but to demonstrate what good governance looks like in practice.

Consider the evolution of privacy practices - companies that proactively developed comprehensive data protection frameworks before GDPR and CCPA became law had a significant advantage. Those that waited found themselves rushing through expensive, disruptive compliance programs. The same dynamic is playing out with AI governance today.

The Now/Next Imperative

Success in this environment requires mastering what I call the Now/Next Continuum—a strategic framework that helps organizations navigate immediate pressures while building toward better futures. It's not about artificially balancing short-term versus long-term thinking—it's about recognizing the natural throughline between them. Today's decisions actively shape tomorrow's possibilities.

This means asking questions like: how will this AI deployment decision affect our ability to adapt to future regulatory changes? What precedent are we setting for our industry? How does this choice align with our vision for technology's role in society?

Building Future-Ready Governance

Your governance framework shouldn't depend on regulatory stability to function. Instead, build systems that:

• Embed ethics into operational DNA, not just compliance checklists
• Create feedback loops that catch problems before they become headlines
• Maintain consistent standards even when external requirements fluctuate
• Center human outcomes in every decision matrix
• Establish clear accountability structures for AI-driven decisions
• Include diverse perspectives in governance discussions
• Build transparency into AI deployment processes

The most successful organizations aren't waiting for regulatory clarity—they're creating it. They understand that ethical governance isn't a burden—it's a catalyst that drives deeper, more meaningful innovation.

The Leadership Imperative

In an era where tech leaders occupy the highest echelons of policy making and can reshape federal agency positions with a single decision—and where AI continuously finds novel pathways to familiar harms—the argument that "existing rules are sufficient" simply doesn't hold water. Responsibility means far more than mere compliance. Even smaller companies must ask harder questions. We must move beyond "Can we?" to "Should we?" Beyond "Is it legal?" to "Is it right?"

This shift requires developing new muscles: strategic foresight, ethical reasoning, and the ability to balance competing interests while maintaining a clear moral compass. It means building teams that understand both the technical and human implications of AI deployment.

Human-Centered Stability

Building resilient policies in volatile times isn't about predicting every possible regulatory shift. It's about anchoring your governance in something more fundamental: human thriving. This might sound abstract, but when you consistently prioritize human outcomes over regulatory minimums, your policies become naturally resilient to political shifts.

What does this look like in practice? It means designing AI systems that enhance rather than replace human capability, implementing robust testing frameworks that assess societal impact, and creating clear escalation paths for ethical concerns.

The Ethics Advantage

Which all adds up to the plot twist: companies that treat ethics as their operational foundation rather than their compliance checklist aren't just doing good—they do better. They're more innovative, more trusted, and more resilient to market shifts.

These organizations understand that ethical AI isn't about restriction—it's about direction. It's about channeling innovation toward outcomes that create sustainable value for both the business and society. They recognize that the strongest competitive moats aren't built with technology alone, but with technology guided by strong ethical principles.

The future belongs to organizations that understand this fundamental truth: In an era of constant change, where AI advances faster than our ability to regulate it, ethical governance isn't just a responsibility—it's a competitive advantage. The question isn't whether to lead on governance, but how quickly you'll step up to do it.

Your organization's approach to AI governance in this regulatory void won't just determine your short-term success—it will define your legacy in shaping the future of human-centered technology. Choose wisely.

We've featured the best todo list app.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

El Paso County District Attorney James Montoya said that his decision in the prosecution of Patrick Crusius was driven by a majority of victims' relatives who wanted the case behind them.

(Image credit: Andres Leighton)

The weapons, which are illegal in Serbia, emit sound waves which can trigger sharp ear pain, disorientation, eardrum ruptures or even irreversible hearing damage.

(Image credit: AP)

A 1,300-year-old Buddhist temple, houses, factories and vehicles were among the structures destroyed in the wildfires that have burned 43,330 acres and injured 19 people.

(Image credit: Yun Kwan-shik)

The order tests the power of Trump's authority and would require voters using a federal form to show proof of citizenship to register to vote in federal elections. It's sure to be tested in court.

(Image credit: Jeffrey Phelps)

A pilot and two girls survived on the wing of a plane for about 12 hours after it crashed and was partially submerged in an icy Alaska lake, then were rescued after being spotted by a good Samaritan.

(Image credit: AP)

Discover high-speed internet plans and compare internet providers in Providence.

From arcade classics to modern indie darlings, we've collected the best games you can carry in your pocket.

From the fastest internet to the most affordable fiber plans, we found the best internet service in Oakland.

Here are the answers for The New York Times Mini Crossword for March 26.

During a heated Senate Intelligence Committee hearing on Tuesday, Sen. Mark Warner described the actions of the nation's top intelligence officials as "sloppy, careless, incompetent behavior.

(Image credit: Andrew Harnik)

A House subcommittee led by Rep. Marjorie Taylor Greene and named after Elon Musk's government-efficiency team has set its sights on the public broadcasters.

(Image credit: StephenVoss/NPR and Alberto E. Rodriguez/Getty Images)

The reasoning AI race is getting heated.

Second lady Usha Vance announced on Sunday that she would visit Greenland and watch the territory's famed dog sled race. But now the vice president is joining, and they'll go to a U.S. base instead.

(Image credit: Ian Langsdon)

The Atlantic's editor-in-chief was mistakenly added to a government Signal group chat discussing war plans. Meme-makers could not leave that alone.