Another day, another breach. While the French were busy worrying about their Christmas parcels during the La Poste outage, a much nastier game of shenanigans was unfolding in the background. We aren’t just talking about a website going dark because of a DDoS tantrum; we are talking about bad actors live streaming their access to water treatment SCADA systems. If you think your “secure” fortress is safe because you have a firewall and an air gap, I have a bridge in Brooklyn — or perhaps a water pump in Denmark — to sell you. The recent wave of pro-Russian hybrid warfare proves one thing: that fortress you built is likely made of plywood, and the wolves are already inside.

And, for much more details, I encourage you to read “Cyber Insight: Z-PENTEST ALLIANCE” from Cyber Intelligence Bureau

Let’s dispel a myth right now: these attackers aren’t digital ninjas. If you’re picturing a sophisticated state-sponsored team burning million-dollar zero-day exploits to breach a fortress, stop. The reality is far more embarrassing. Groups like the Cyber Army of Russia Reborn and the Z-Pentest Alliance are essentially script kiddies playing with live ammunition. They aren’t picking the lock; they are just walking down the street checking every door handle until one opens.

Their primary weapon isn’t custom code; it is Shodan and password spraying. They scan for Operational Technology left naked on the internet — specifically exposed VNC connections that should never see the light of day. This is where the “Air Gap” fairy tale falls apart. You might believe your water pumps are isolated, but that integrator you hired five years ago likely punched a hole in your firewall for “remote maintenance convenience.” Now, that Human Machine Interface (HMI) is sitting there, waiting for anyone with a default password list to log in.

The recent CISA and FBI advisory hit the nail on the head: these actors possess “low level technical knowledge.” That makes them *more* dangerous, not less. A professional spy might steal data silently. These guys are blindly mashing buttons on a control panel they don’t understand. They intend to cause damage, but they cannot accurately anticipate the impact. When you let an amateur loose in a SCADA system, the **blast radius** isn’t just digital; it is physical pipes bursting and tanks overflowing because someone thought “admin/1234” was adequate defence for critical infrastructure.

The recent joint advisory from CISA and the FBI hit the nail on the head, noting these actors possess “low level technical knowledge.” But ignorance is weaponised here. When you let a script kiddie access an HMI controlling hydraulic pressure, they don’t know if they are turning on a light or over-pressurizing a main. They are just clicking buttons to see what breaks. The blast radius of this incompetence is physical damage — overflowing tanks, burst pipes, and manual overrides that operators can’t reverse. It is, quite literally, Russian Roulette with critical infrastructure.

So, the script kiddies are rattling your doorknobs, and the standard industry response is to throw money at a bigger firewall or deploy a VPN. Let me be blunt: that is a dumpster fire of a strategy. A VPN is essentially just a very long Ethernet cable. It offers zero control over lateral movement. Once a bad actor breaches that perimeter — and they will, thanks to the password spraying we just discussed — they are inside your soft, chewy centre, free to roam from the corporate email server straight to the sludge pumps.

You need to stop relying on “security by obscurity” and start treating the internet like the hostile territory it is. The “air gap” is a lie we tell ourselves to sleep better at night. The answer isn’t more plywood; it is Zero Trust principles. Here is how you actually lock the door:

• Identity is the new perimeter: Implement strict Identity controls like Multi-factor Authentication and Single-Sign-On everywhere. Yes, even for Operational Technology. If you are relying on shared passwords or sticky notes on a monitor, you have already lost.
• Go invisible: Use an Identity-Aware Proxy to hide your infrastructure. If your HMI is visible to Shodan, you are painting a target on your back. Make your assets invisible to the public internet so scanning scripts find nothing but a black hole.
• Precise Authorisation: Stop connecting networks; connect users to resources. Enforce rules where User A can talk to Machine B, and absolutely nothing else. This limits the blast radius if a credential is stolen.

This is the essence of Defence-in-Depth. We need to move past the broken promise of the VPN. If you are drowning in vendor warnings and don’t know where to start, check out our guide on practical steps for protecting critical infrastructure. Stop buying plywood and build something that actually withstands the storm.

The attacks on La Poste and Danish utilities are a wake-up call, but are you hitting snooze? The barrier to entry for causing physical damage to critical infrastructure has dropped to the floor. These aren’t elite spies; they are opportunists walking through doors you left open. You can keep patching your VPNs and praying, or you can actually secure your identity perimeter. The choice is yours, but remember: when the water stops flowing, ‘we followed standard pre-cloud-ai-firewall-online procedure’ isn’t going to look good on the press release. Lock it down properly.

#1. The women have taken over the top 5 in our ranking this year. So it only seems appropriate that “I’m with Her” would lead the way. This year the trio released their second album; the first appearing way back in 2018. Why did it take so long? Of course, they have always been with us, as three individual, creative performers who have all featured in our year end playlists on a regular basis. All three are consummate songwriters and solo performers well known to indie-folk audiences. Sara Watkins is a charter member of Nickel Creek, and has worked with everyone from Jackson Browne to Decemberists. “Sun Midnight Sun” persists as one of the best folk roots albums ever made. Aiofe O’Donovan is a much sought after collaborator. She was regularly featured on A Prairie Home Companion / Live from Here. Her song Call My Name , performed with this trio, won a Grammy in 2020. Sarah Jarosz won a Grammy for Best Folk Album in 2016. She leans more to her Texas roots in her songwriting. Individually, each is a musical artist and performer of significant gravitas. Together, well …

“I’m with Her” released half a dozen YouTube video performances this year, all highly rated by our panel of seven reviewers (Henry, Josh, Anna, Andrea, Nancy, John and Emily). They all featured sumptuous harmonies and strong lyrics. Their performance video of ‘Wild and Clear and Blue’ stands out for its exquisite harmonies and the deeply sentimental statement of the value of a childhood nurtured in music.

The rest of our top ten performance videos for the year include:

#10. Lyrra, The Hymn of Acxiom. This is a Vienna Teng composition. Teng wrote the gripping Atheist Christmas Carol. While this choral composition isn’t strictly indie-folk, we are liberal in including adjacent genres. The composition and performance are absolutely gorgeous.

#9. mxmtoon, rain. mxmtoon first featured on our year end list of 2019 with a buried “Paste Studios” track feelings are fatal. We are not surprised to see her with a polished band in an Amazon feature production.

#8. Hayley Reardon, In My Country. Reardon had three great tracks under consideration by our panel, and by a hair, this was considered the best. But seriously, only 855 views at present? This has to change.

#7. Nation of Language, Inept Apollo. A deep track buried in KEXP’s copious video output, this throwback prog-rock track won over the panel. The band has been performing since 2016, and their fourth album Dance Called Memory was released this year. Highly original and a great listen.

#6. Freya Ridings, I Can’t Hear it Now. This English singer-songwriter was previously included in year end lists in 2024, 2023, 2020 and 2019. Consistently great.

#5.One Voice Children’s Choir, cover of K-Pop Demon Hunters’ Golden. You likely recognize this as it’s everywhere these days. One Voice Children’s Choir specialize in covering various pop tunes. The 200 audio track K-Pop original is great, but we like this better.

#4. Daisy the Great, Rest of my Life. Daisy the Great were first featured on our year end list of 2022 with a Paste Studios’ deep track. This one is a simply produced bedroom performance, a venue not to be diminished, given that Billie Eilish’s initial album was largely produced in the bedroom of her parents’ house. Daisy the Great’s song has a strong pop melody and velvety vocal harmonies.

#3. Cat Burns, alone. Cat Burns is a young England-based singer songwriter, first featured in 2023. The setting with a backup chorus won us over.

#2. Rose Betts, Take This Body Home. Betts’ coloratura vocal phrasings combined with a winning Irish list perfectly render this melancholy song. Excellent lyric.

Here is the link to the complete playlist, 40+1 sterling performances released in the year 2025:

Or use this link: www.youtube.com/playlist?list=PLIXSweDP-2hhCOMSI2Nu_TYLMWHrc5a5r

This particular playlist is only available on YouTube, but we have other year end playlists as well on Spotify and Youtube Music.

Search any of these repositories on “Artsfols 2025” to find all our recent playlists including our Discovery playlist with hundreds of indie-folk performances.

Search on “Artsfols” to see all our playlists including previous years back to 2013.

A few things about our list:

Our panel this year includes Anna, Andrea, John, Josh, Nancy, Emily and Henry. We live in three Canadian provinces and in the USA.

We like to see the performers perform and play instruments, that is, we want to see the music being made. If we make an exception to this rule, it is with cause – i.e. for a dance, or for an animation. We prepare this list as a labour of love; there is no attempt to monetize anything. The list is not definitive; we use an objective process to rate and score the songs to obtain a ranking, but mainly the list just reflects our taste. We don’t all hear the songs in the same way, one panel member might love a song that another thinks shouldn’t be on the list. Nevertheless, every song on the list has something going for it that appealed strongly to someone – a lyric, a melody, a harmony, a memory, an instrumental line – and while that resonated with one person, it may not have with someone else. But, we also learn to listen from each other through dialogue. Finally, we all love live performance; we attend concerts and folk festivals, we listen to recorded music. Winters are long here in Canada, and this process helps get us through. Ars longa, vita brevis.

Start your engines, or rather, grab your walkie-talkies. The Romanian National Administration “Apele Române” just got a nasty holiday present: a massive ransomware attack taking down over 1,000 systems. They claim their Operational Technology (OT) is fine, but when you are coordinating flood defences via radio because the dashboard is dark, “fine” is doing a lot of heavy lifting. This isn’t just about Romania; it is a symptom of a global disease where critical infrastructure is protected by prayers and plywood. As geo-political tensions rise, water is the new frontline. We are seeing an increased attack surface on these utilities, and frankly, our defences are looking pretty porous. If you think your air gap will save you, I have a bridge to sell you.

Let’s look at the recent catastrophe at the Romanian National Administration, ‘Apele Române,’ to see what a bad week really looks like. Over 1,000 systems — we are talking GIS servers, databases, workstations, and email — got scrambled. The weapon of choice? Good old Windows BitLocker. The attackers didn’t need a fancy zero-day exploit; they just locked the digital doors using the building’s own security keys. But here is the part that makes my eye twitch: the official statement claims Operational Technology was not affected.

Fantastic news, right? Except in the next breath, they admit staff are coordinating flood defences using phones and radios. Let’s be very clear: if you have to manually call Bob at the dam to ask him to turn a valve because your SCADA screens are dark, your OT is decidedly affected. The pumps might still be spinning (the muscle), but the brain of the operation has been lobotomised. It is a modern utility reverting to the Stone Age, relying on oral tradition and walkie-talkies to manage critical water levels. This isn’t just a glitch; it is a terrifying loss of situational awareness.

The attackers left a ransom note with a seven-day timer, and the Romanian National Cyber Security Directorate (DNSC) has rightly advised them not to pay. But looking at the map, with the geopolitical temperature rising next door between Russia and Ukraine, this smells less like a random cash grab and more like a calculated disruption of a soft target. As I’ve noted before, nation-state actors are increasingly treating water infrastructure as low-hanging fruit. The Romanians are now finding out that when the IT network goes down, the “secure” OT network is just a submarine running silent and deep — blind, deaf, and dangerous.

Let’s address the elephant in the server room: the Air Gap. It is a fairy tale we tell ourselves to sleep better at night. In the Romanian incident, the officials claimed the operational hardware wasn’t encrypted. Great. But if your SCADA system — the eyes and ears of your operation — is down, it doesn’t matter if the pumps *can* run. You are effectively commanding a submarine with the sonar cut; the engine is turning, but you are running blind, praying you don’t hit a mountain.

This scenario highlights the fatal flaw of relying on ‘perimeter’ security. Firewalls and VPNs are relics. They are porous. Once a bad actor breaches the IT network (usually via a phishing email or a compromised laptop), pivoting to the OT network is trivial. It is classic lateral movement. As I discussed in our article Avoid Exploitation of Unitronics PLCs used in Public Water Systems, it is terrifyingly easy to find these devices naked on the internet. Tools like Shodan act as a search engine for negligence, highlighting devices with default passwords or open ports that should never see the light of day.

We build these complex networks and call them fortresses, but they are just plywood painted to look like stone. One kick and the whole thing falls over. CISA has been shouting from the rooftops regarding the vulnerability of water sector infrastructure, noting that these systems are often “target rich, cyber-poor.” If you think your VPN is saving you, you are wrong. It is just a very long Ethernet cable that bypasses your security controls. It is time to admit the air gap is gone and stop pretending a firewall is a defence strategy.

Since we have established that your perimeter is about as effective as a screen door on a submarine, we need a different approach. Stop trying to secure the wire and start securing the identity. This is the core of Zero Trust. It means assuming your network is already compromised — because, statistically, it is. You do not need to rip out every legacy PLC (which is good, because you won’t). You need to wrap them in a protective layer that cares about who is knocking, not just where they are plugging in.

Here is how you actually plug the leaks:

• Robust Multi-factor Authentication: And for the love of sanity, no SMS. SMS is insecure, easily spoofed, and functionally broken. Use hardware keys or biometrics.
• Single Sign-On: Eliminate the ‘sticky note password’ problem. If your operators have to remember fifteen passwords, they will write them down on a Post-it note stuck to the HMI. Centralise it.
• Precise Authorisation and Segmentation: Stop letting the receptionist’s compromised PC talk to the flood control dams. Access should be granular — down to the specific device for the specific user.

The tool for this is not a better VPN; VPNs are dangerous tunnels into your soft underbelly that facilitate the very lateral movement we are trying to stop. You need an Identity-Aware Proxy, like Agilicus AnyX. It acts as a bouncer, checking ID before anyone even sees the application. As we detailed in our internal webinar Nation State Attacks on Critical Infrastructure, modern authentication can stop these breaches dead in their tracks without requiring you to replace all that rusty legacy hardware. Secure the user, and the network can take care of itself.

So, the Romanian authorities are running flood defences with pen and paper while their IT team rebuilds 1,000 servers. Sounds fun, right? It is a stark reminder that the “air gap” between IT and OT is a fairy tale we tell ourselves to sleep better. It does not work. The bad actors are already inside, or at the very least, knocking on the front door with a digital battering ram. If you want to stop being the next headline, stop relying on 1990s perimeter defence. Implement strong identity, use multi-factor authentication that actually works, and for the love of sanity, stop putting PLCs on the open internet. Secure the user, not just the wire.

In this episode of The Cordial Catholic, I'm joined by my friend Jeff Lukich, author and revert to the Catholic faith, to talk about his miraculous Christmas Eve return to the Catholic Church, all of the factors and facets that led up to that experience, and how others can follow in his footsteps. 

Jeff's written a fantastic book – The Long Way Home – featuring not only his story but his research and experience in what it takes to bring others back to the Catholic Church – and he shares that with us this week, too. 

It's a fantastic story. Jeff's a remarkable guest!

For more from Jeff including how to get a hold of his book visit his website.

Send your feedback to cordialcatholic@gmail.com.

Sign up for our newsletter for my reflections on  episodes, behind-the-scenes content, and exclusive contests.

To watch this and other episodes please visit (and subscribe to!) our YouTube channel.

Please consider financially supporting this show!

For more information visit the Patreon page.  All patrons receive access to exclusive content and if you can give $5/mo or more you'll also be entered into monthly draws for fantastic books hand-picked by me.

If you'd like to give a one-time donation to The Cordial Catholic, you can visit the PayPal page.

Thank you to those already supporting the show!

Theme Music: "Splendor (Intro)" by Former Ruins. Learn more at formerruins.com or listen on Spotify, Apple Music,

A very special thanks to our Patreon co-producers who make this show possible: Amanda, Elli and Tom, Fr. Larry, Gina, Heather, James, Jorg, Michelle, Noah, Robert, Shelby, Susanne and Victor, and William.

Support the show

Find and follow The Cordial Catholic on social media:

Instagram: @cordialcatholic
Twitter: @cordialcatholic
YouTube: /thecordialcatholic
Facebook: The Cordial Catholic
TikTok: @cordialcatholic