Welcome to your essential briefing on threats at the intersection of cybersecurity and critical infrastructure, brought to you by Neeve, the edge cloud security platform for smart buildings, making built spaces secure, intelligent, and sustainable.

This Week’s Cyber Insights

• 💰 Hamilton Faces $18.3M Cyberattack Bill as Insur …

• 🇺🇸 Commission Plans U.S. Cyber Force Roadmap Ahe …

• 🤖 GPT-5 Jailbreaks Enable Zero-Click AI Attacks o …

• 📰 Further Alerts & Insights

💰 Hamilton Faces $18.3M Cyberattack Bill as Insurer Denies Claim

Ontario city must pay full cost of devastating 2024 ransomware attack after insurance company denied claim due to incomplete multi-factor authentication implementation, highlighting critical gaps in municipal cyber coverage.

• February 2024 attack disabled 80% of network, impacting business licensing, property tax, transit planning, finance systems for weeks

• Attackers demanded $18.5M ransom, covertly studied systems before encrypting data and attempting to destroy backups

• City spent $18.3M on recovery ($14M on external experts), chose not to pay ransom citing unreliable decryption tools

• Insurance policy excluded coverage where absence of MFA was root cause of breach, insurer sought MFA implementation in late 2022

• Some systems unrecoverable including permit applications, fire department records, traffic signal management

• Councillor: "full knowledge we were not compliant with exclusion in 2023," criticized lack of accountability

🤔 The Bigger Picture:

Hamilton's insurance denial exposes widespread gaps in municipal cyber coverage that threaten smart city operations. Facility managers must ensure MFA implementation across all building systems and verify insurance policies cover operational technology failures, as incomplete security controls can void coverage even for infrastructure attacks that disrupt essential services and public safety systems.

Read the full article

🇺🇸 Commission Plans U.S. Cyber Force Roadmap Ahead of 2026 Defense Bill

Bipartisan panel of former Pentagon officials and retired cyber warfare chiefs launches Commission on Cyber Force Generation to develop detailed roadmap for establishing separate U.S. Cyber Force as seventh military branch.

• 17-member board includes former NSA deputy director, Pentagon's first cyber policy chief, and cyber commanders from all military branches

• Panel assumes presidential order to establish Cyber Force and will design implementation ahead of 2026 defense authorization act

• Current military branches chronically fail to provide U.S. Cyber Command with personnel ready for digital warfare against China

• Separate congressional study by National Academy of Sciences evaluating feasibility expected to conclude later this year

• Commission co-chair: "threat is increasing, technology adding speed to domain, we can't sit around for four or five years"

🤔 The Bigger Picture:

A dedicated Cyber Force signals recognition that critical infrastructure protection requires specialized military capabilities distinct from traditional warfare. Facility managers should expect increased government focus on defending building automation, energy systems, and industrial controls as military cyber operations expand to protect domestic infrastructure from nation-state threats targeting operational technology.

Read the full article

🤖 GPT-5 Jailbreaks Enable Zero-Click AI Attacks on Cloud and IoT Systems

Security researchers successfully bypass GPT-5 ethical guardrails using "Echo Chamber" technique combined with narrative steering, while demonstrating zero-click attacks against AI agents managing cloud storage and IoT systems.

• Echo Chamber method uses indirect references and multi-step inference to trick AI into producing prohibited content through storytelling

• GPT-5 jailbreak combines poisoned conversational context with narrative continuity to minimize refusal triggers

• AgentFlayer attacks exploit ChatGPT Connectors for Google Drive, Cursor code editor, and Microsoft Copilot Studio

• Zero-click attacks embed prompt injections in documents, Jira tickets, and emails to exfiltrate API keys and sensitive data

• Smart home attack via Google Gemini AI enables remote control of lights, shutters, boilers through poisoned calendar invites

• SPLX testing finds raw GPT-5 "nearly unusable for enterprise out of box," GPT-4o outperforms on security benchmarks

🤔 The Bigger Picture:

AI agent vulnerabilities pose direct threats to smart building operations as facility management systems increasingly integrate AI assistants for energy optimization and maintenance scheduling. Building operators must implement strict output filtering and red teaming for AI systems controlling HVAC, security, and safety protocols, as prompt injection attacks can manipulate building controls through seemingly innocent documents or calendar events.

Read the full article

Further Alerts & Insights