Preventing ransomware attacks on critical infrastructure companies has been a major focus for the Biden administration, and a new program has tasked the Cybersecurity and Infrastructure Security Agency (CISA) with keeping tabs on these sectors and warning companies when major vulnerabilities are detected.
The Ransomware Vulnerability Warning Pilot (RVWP) was authorized in early 2023 but got underway recently, as companies in the critical infrastructure sectors that CISA oversees were scanned for a known Microsoft Exchange vulnerability that ransomware groups are on the prowl for. It appears that scans of this nature will be done on a sporadic basis, focusing on the biggest known vulnerabilities, but companies can individually sign up for a free program that provides them with weekly scans and reports.
Ransomware attacks on critical infrastructure a continuing focus for federal government
Though some recent studies show a decline in ransomware attacks in 2022, these incidents remain a central priority for critical infrastructure companies as the government seeks to avoid a repeat of the chaos caused by the Colonial Pipeline and JBS attacks two years ago.
CISA has recently put particular emphasis on smaller critical infrastructure outfits that may not have the tools and budget for proper cybersecurity, supplying them with an assortment of aid. In addition to free vulnerability scans, CISA has also made a self-auditing tool available and is now regularly releasing tools specific to certain vulnerabilities and recovery from certain ransomware attacks. The agency has had its funding bolstered in recent years as it has become more central to national defense, and the Biden administration is seeking an additional $145 million for it for 2024.
CISA’s scans appear to focus on high-priority vulnerabilities in commonly used business software listed in its Known Exploited Vulnerabilities (KEV) catalog. The periodic scans do not appear to be intended to be comprehensive, but the agency has said that it plans to scale the program up going forward.
Government actively keeps tabs on critical infrastructure as state-backed actors loom
Ransomware attacks are not the only concern for critical infrastructure companies; state-backed hacking groups are always probing the electric grid, water utilities and other sensitive points. The CISA notifications, which come by phone or email and can be verified by special phone numbers and email addresses listed on the agency website, are meant to close the door to any of these threats before damage is done.
With this total threat landscape increasing, smaller organizations may see particular benefit from the “Cyber Hygiene Services” program offered by CISA as part of this initiative. Instead of the sporadic scans for major vulnerabilities that all critical infrastructure companies get, those that opt in to this free program get a more focused weekly scan accompanied by a vulnerability report.
It is important to note, however, that these scanning programs are not meant to detect ransomware attacks in progress, nor to provide defensive or remediation assistance. The idea is simply to provide warnings of vulnerabilities that might be exploited. It has yet to be seen whether these warnings could play a role in determining penalties when critical infrastructure companies are compromised; these sectors are now required to report a breach within 72 hours of when they reasonably believe they have been attacked. If a warning was issued and not followed up on in a timely manner, regulators might have hard questions as to why.