New CISA Program to Warn Critical Infrastructure Companies of Vulnerabilities That Could Invite Ransomware Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced a proactive new program to keep tabs on potential vulnerabilities in critical infrastructure sector companies, in the interest of curtailing ransomware attacks.

The Ransomware Vulnerability Warning Pilot (RVWP) kicked off in mid-March with a scan for the dangerous ProxyNotShell vulnerability in Microsoft Exchange, something that has provided the foothold for numerous ransomware attacks at this point. CISA notified 93 critical infrastructure organizations of the presence of this vulnerability, and plans to scale up the program and provide more warnings in the coming months.

CISA to scan 16 critical infrastructure sectors for vulnerabilities

Authorized as part of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March of that year, the critical infrastructure scans look for common and dangerous vulnerabilities that are known to open the door for ransomware attacks. CISA notifies organizations by phone or email, and provides its own dedicated phone and email addresses to verify the authenticity of notifications.

CISA is scanning only for the presence of vulnerabilities, not for signs of active compromise or ransomware attacks that are already underway. While the basic program appears to only sporadically scan critical infrastructure for well-known and dangerous vulnerabilities, critical infrastructure organizations (as well as state and local government entities) can opt in to the free “Cyber Hygiene Services” program to receive weekly scans along with regular vulnerability reports.

CIRCIA has also created new requirements for critical infrastructure organizations to report ransomware attacks and other major data breaches, particularly those that involve payments to criminals. Applicable cyber incidents must be reported within 72 hours of when the organization “reasonably believes” the incursion occurred, and any payments made in connection with ransomware attacks must be reported within 24 hours.

CISA stresses that these notifications are not indications that ransomware attacks are taking place, or even that the organization is being targeted. The agency is simply using the same sort of scanning tools that criminal actors (and state-backed hacking teams) use to probe for known vulnerabilities, and hoping to beat them to the punch in discovering them. Any critical infrastructure organization that receives such a notification should treat it as a high priority item to address, however, because the bad guys are likely not far behind.

The program should be particularly helpful to smaller organizations that struggle to maintain an adequate IT and security budget. However, it is important to note that it only addresses known and published vulnerabilities of the highest risk.

Naveen Sunkavalley, Chief Architect of Horizon3.ai, points out that CISA assistance alone will not be adequate to secure critical infrastructure outfits: “CISA’s program is not a panacea … Many vulnerabilities are exploited as zero days, and there is often a delay of at least a few days between the time a new vulnerability is disclosed and when CISA adds that vulnerability to its Known Exploited Vulnerabilities catalog. Understanding which vulnerabilities are likely to be exploited and notifying prior to any known exploitation would be valuable. Moreover, exploiting vulnerabilities isn’t the only method ransomware actors have at their disposal. Phishing attacks and leaked credentials are used just as often (for instance with the Colonial Pipeline attack). Organizations need to operate under the mindset that a breach will eventually happen, and critically evaluate their attack surface, both external and internal, against a wide spectrum of possible attacks.”

CISA budget, responsibilities expanded as ransomware attacks plague both government and private organizations

A flurry of activity has followed the ransomware attacks on critical infrastructure that caused real-world chaos in 2021, and CISA has tended to be at the forefront of new responsibilities in this area.

After the 2021 attacks the agency quickly added the Ransomware Readiness Assessment (RRA) module to its Cyber Security Evaluation Tool (CSET), a solid self-auditing tool for organizations that had not previously thought much about defending against or recovering from ransomware attacks. CISA has also since released a series of tools meant to aid in detecting the presence of specific malware and activity in the wake of compromise, such as Aviary for Azure Active Directory exploits and CHIRP for suspected SolarWinds breaches, and has published assorted guidance meant to aid both government agencies and private companies in bolstering ransomware defenses.

The government has also begun to reach out to the private sector by forming the Joint Cyber Defense Collaborative, a risk-sharing and analysis working group that includes Microsoft, Amazon Web Services, AT&T, Google Mandiant and Verizon among other assorted partners. These partners confer with federal, state and local agencies on stopping ransomware attacks on critical infrastructure companies. CISA additionally established the Known Exploited Vulnerabilities (KEV) catalog in late 2021, a publicly available index of vulnerabilities that emerge in widely used software.
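Sunkavalley's point above about the lag before an exploited bug reaches the KEV catalog, and the catalog itself, both argue for consuming the feed directly rather than waiting for a notification. The following is an added example, not CISA code: it matches a constructed asset inventory against a constructed KEV extract (field names follow the real KEV JSON feed) and ranks unpatched hits, ransomware-linked entries first.

```python
"""Triage an asset inventory against an extract of CISA's Known Exploited
Vulnerabilities (KEV) catalog.  Added example, not CISA tooling.  The KEV
entries and the inventory are constructed for illustration; only the field
names (cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse) follow the real KEV JSON feed."""
from datetime import date

# Constructed KEV extract: same shape as the feed, illustrative values.
KEV_EXTRACT = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "MailServer", "dateAdded": "2023-03-10",
         "dueDate": "2023-03-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "VPNGateway", "dateAdded": "2023-02-01",
         "dueDate": "2023-02-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
         "product": "Firewall", "dateAdded": "2023-01-15",
         "dueDate": "2023-02-05", "knownRansomwareCampaignUse": "Known"},
    ]
}

# Constructed inventory: (hostname, vendor, product, set of patched CVE ids).
INVENTORY = [
    ("mail-01", "ExampleVendor", "MailServer", set()),
    ("vpn-01", "ExampleVendor", "VPNGateway", {"CVE-0000-0002"}),
    ("fw-01", "OtherVendor", "Firewall", set()),
]


def triage(kev, inventory, today_iso):
    """Return (hostname, cveID, days_past_due, ransomware_linked) for every
    KEV entry that matches an asset and is not recorded as patched, sorted
    ransomware-linked first and then most overdue first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host, vendor, product, patched in inventory:
        for v in kev["vulnerabilities"]:
            if (v["vendorProject"], v["product"]) != (vendor, product):
                continue
            if v["cveID"] in patched:
                continue
            days_past_due = (today - date.fromisoformat(v["dueDate"])).days
            ransomware = v["knownRansomwareCampaignUse"] == "Known"
            findings.append((host, v["cveID"], days_past_due, ransomware))
    findings.sort(key=lambda f: (not f[3], -f[2]))
    return findings


if __name__ == "__main__":
    for host, cve, overdue, rw in triage(KEV_EXTRACT, INVENTORY, "2023-04-01"):
        print(f"{host}: {cve} {overdue:+d}d vs due date, ransomware={rw}")
```

The same join works against the full KEV JSON download once the inventory carries vendor and product names the way the catalog spells them; a matching hit is a patch-priority signal, not evidence of compromise.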

Though some studies show that ransomware attacks receded in 2022 as compared to the prior year, activity levels are still very high as compared to the years prior to 2019 and it remains a major threat. As major players like REvil and Conti are disbanded, new groups such as Hive and ALPHV quickly step in to fill the void, and the “double extortion” practice of leaking stolen files has become increasingly common. The Biden administration has requested $3.1 billion in funding for CISA in 2024, a $145 million increase from the current budget, much of which is earmarked for CIRCIA implementation.

Dror Liwer, Co-founder at Coro, notes that CISA’s efforts thus far have been of particular benefit to the smaller organizations in the critical infrastructure space that struggle to properly defend themselves against ransomware attacks: “While we applaud the initiative to protect and inform critical organizations, it is the smaller companies, those that make up the economic backbone of the US, that have been completely overlooked by the government as well as the cybersecurity industry. Especially in times of an economic downturn, an attack on a mid-market or small business could put it out of business forever.”