CISA Steps up Public and Private Sector Collaboration in 2021

We just concluded a very eventful year for the cybersecurity industry. Starting with an unprecedented wave of ransomware attacks on critical infrastructure targets, 2021 finished with the infamous Log4j vulnerabilities, which present a severe and ongoing threat to organizations and governments around the world.

In such a transformational year, it was great to see the Cybersecurity and Infrastructure Security Agency (CISA), under the leadership of Jen Easterly, launch several key initiatives to significantly increase government collaboration among federal agencies as well as with the private sector.

The latest example is aimed at reducing the risk of ransomware attacks that have emerged following mass exploitation of the popular open-source logging tool Log4j and its Log4Shell vulnerability. It’s an extremely critical vulnerability with a maximum Common Vulnerability Scoring System (CVSS) severity rating, as millions of servers are potentially vulnerable to the exploit. CISA issued an emergency directive on December 17 requiring federal agencies to immediately patch or mitigate Apache Log4J vulnerabilities by December 23 and urged every organization to follow the federal government’s lead and take action. Then on December 22, CISA, along with the FBI, NSA, and security agencies that comprise the Five Eyes intelligence alliance from countries including Australia, Canada, New Zealand, and the United Kingdom, issued an advisory with concrete guidance to help defenders block Log4Shell attacks.

This collaboration is very welcomed as the pace of cyber offense and defense accelerates and our lives increasingly depend on cyber-physical systems (CPS) that are interconnected. Hyperconnectivity is a trend that has been with us for a while and will intensify as we increasingly rely on online access to physical systems for greater automation, control, efficiency, and convenience. However, because many of these systems were not necessarily designed to co-exist seamlessly, we are, as expected, seeing many new attack vectors emerge from this transition.

It’s a natural byproduct in the cycle of evolution and it will take years, if not decades, until we see a new generation of CPS with more natively integrated security processes and pathways. In the meantime, as compensating controls, we need to introduce basic security hygiene practices which are missing from many of these newly integrated systems.

Why does this matter? Fixing exposures and playing the cat-mouse game of cyber defense and offense has been the status quo, but it’s time for a change. This “newer” wave of attacks that take advantage of cyber-physical integration is different in severity and priority because they put our lives and livelihoods at risk. While compromised IT networks and security breaches that exfiltrate personal data are very costly and have other financial implications, they don’t threaten the physical world we live in and the systems we depend on, as do the ransomware attacks against hospitals, oil pipelines, and other types of critical infrastructure. The 2021 incidents involving Colonial Pipeline, JBS Foods, the Oldsmar, Florida water supply (just to name a few) brought this into sharp focus.

Threat actors and criminals have figured out that distressed organizations are paying ransoms when important CPS are being held hostage, so these attacks will inevitably continue. While you cannot prevent bad actors from making you a target, you can make it harder for them to achieve their mission and thus move on to easier targets. And if an attack does happen, you can mitigate risk by planning how to respond.

[ Read: ICS Vendors Respond to Log4j Vulnerabilities ]

In my previous column, I discussed the most important steps to take to make yourself a difficult target, including:

• Add CPS to your cyber governance model. What systems do you have in your organization that you’re currently not aware of? You can’t monitor and protect what you can’t see.

• Assess your security posture. Just as you do for the rest of your IT devices, you need to know what vulnerabilities are present within your CPS. If those cannot be patched, what compensating controls can you deploy? Understanding your level of exposure will help you decide how to spend your attention and money.

• Monitor for deviations and lateral movement. Ideally, your monitoring technology stack can extend to cover CPS and the ways in which they are interconnected to the rest of your network. This helps ensure communication across systems is done securely.

Lastly, planning for a ransomware attack is extremely important. Ideally, you’ve protected your most important systems and critical processes. But regardless, you should always have contingencies in place: whether that’s shutting down critical processes that are impacted, moving to manual methods, such as involving humans to monitor patients in the case of hospital ransomware, or whatever measures apply to your specific situation. Figuring this out on the fly, after you’ve become a victim, usually leads to disaster.

As the famous quote goes: Plans are worthless, but planning is everything. We see this reflected in CISA’s moves to step up public-private collaboration to mitigate risk in the face of severe and ongoing threats. With the pervasive growth of CPS and the additional risks they present, these welcomed initiatives include critical guidance and resources to help every organization better protect themselves and adapt more effectively during times of crisis.