Critical Infrastructure Seeing Benefits of Government Program, CISA Says
CISA in 2022 laid out a series of voluntary steps that critical infrastructure organizations could follow to improve their protections against the mounting number of cyberattacks, and a year later the federal agency updated the policies.
More than two years after the introduction of its Cybersecurity Performance Goals (CPGs), the Cybersecurity and Infrastructure Security Agency (CISA) is gauging their effectiveness in enhancing the security posture of entities in such sectors as food and agriculture, health care, financial services, and communications.
Among the most encouraging figures is the number of organizations that have signed up for CISA’s Cyber Hygiene services, a portfolio of free services, the agency said in a report. The services include vulnerability scanning for monitoring and assessing internet-accessible network components like static IPv4 addresses, web application scanning for publicly accessible web apps, and a video outlining the benefits of signing up for vulnerability scanning.
There were 3,874 organizations on board when the Cyber Hygiene program launched in August 2022, and that figure now stands at 7,791, with every sector seeing significant growth since the CPGs were published in October that year, according to CISA. Communications, emergency services, critical manufacturing, and water and wastewater systems were the sectors seeing the most growth.
Critical Infrastructure Under Attack
Protecting critical infrastructure from cyberattacks – particularly those from threat groups linked to U.S. adversaries like China, Russia, and Iran – has been a priority for the Biden Administration. The White House has delineated 16 critical infrastructure sectors, including those listed above.
The importance has grown as sectors like health care, communications, and water systems have come under increasing attack and Chinese state-sponsored groups like Volt Typhoon and Salt Typhoon have ramped up their targeting of critical infrastructure in the United States.
‘Moderate Impact’ of CPGs
CISA drew the information for its report from data collected from the organizations signed up for the vulnerability scanning service.
“Overall, CISA initiatives, programs, and products are directly influencing critical infrastructure sector service enrollments and adoption of CPGs,” the agency wrote in its report. “General analysis of CISA data reveals a moderate impact of CPG adoption across critical infrastructure sectors.”
It pointed to four sectors – healthcare, water systems, communications, and government services – that have seen the most benefits from adopting performance goals, noting the strong collaboration they have with CISA.
Improvements Made, But More Needed
Key among the report’s findings was that the number of internet-facing services that could be exploited by threat groups – such as File Transfer Protocol (FTP), Remote Desktop Protocol (RDP), Remote Procedure Call (RPC), and Server Message Block (SMB) – seen by the vulnerability scanning service dropped from 12 per enrolled organization in August 2022 to about eight two years later.
In addition, the time it took to remediate Known Exploited Vulnerabilities (KEV) and secure sockets layer (SSL) vulnerability tickets dropped, including by half for critical KEVs and 25% for high-severity KEVs. In August 2022, it took about 200 days to resolve an SSL ticket. Two years later, that had dropped to less than 50 days.
CISA also found that by August 2024, about 83% of organizations that started with the program two years earlier had eliminated all instances of exploitable services on the internet.
There are areas that need to be improved, including operational technology (OT) protocols that are exposed to the internet. Government services were the primary culprit, with a 63% exposure rate. Others include IT and energy, both with 10%, healthcare (5%), and financial services (4%).
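The three metrics the report uses – exploitable services per enrolled organization, remediation time for KEV tickets, and the share of a sector with OT protocols exposed – are ones a defender can compute over their own external-scan results. The following is an added example, not CISA’s code or data: it works over a small constructed set of findings (invented organizations and dates), assumes a one-row-per-finding data model with a first-seen and closed date, and treats Modbus, DNP3 and BACnet as the OT protocol list, which is an assumption rather than anything the report specifies.

```python
"""Attack-surface metrics of the kind the CISA report describes, computed
over a small constructed set of external-scan findings (added example; not
CISA's code or data).  Assumed data model: one row per finding, with the
organization, its sector, the service and port seen from the internet, the
date it was first observed, the date it was closed (None if still open),
and an optional KEV severity."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# Services the report singles out as exploitable when internet-facing.
EXPLOITABLE = {"FTP", "RDP", "RPC", "SMB"}
# OT protocols that should never be reachable from the internet (assumed list).
OT_PROTOCOLS = {"Modbus", "DNP3", "BACnet"}


@dataclass(frozen=True)
class Finding:
    org: str
    sector: str
    service: str
    port: int
    first_seen: date
    closed: Optional[date] = None
    kev_severity: Optional[str] = None  # "critical", "high", or None


# Constructed sample findings (not real organizations or scan data).
FINDINGS = [
    Finding("org-a", "water", "RDP", 3389, date(2022, 8, 1), date(2022, 11, 15), "critical"),
    Finding("org-a", "water", "SMB", 445, date(2022, 8, 1), None),
    Finding("org-a", "water", "FTP", 21, date(2022, 8, 1), date(2023, 2, 1)),
    Finding("org-b", "government", "Modbus", 502, date(2022, 9, 3), None),
    Finding("org-b", "government", "RPC", 135, date(2022, 9, 3), date(2022, 10, 3), "high"),
    Finding("org-c", "government", "HTTPS", 443, date(2022, 8, 20), None),
    Finding("org-c", "government", "SMB", 445, date(2022, 8, 20), date(2022, 10, 19), "critical"),
    Finding("org-d", "healthcare", "DNP3", 20000, date(2023, 1, 5), date(2023, 3, 5)),
]


def is_open(f: Finding, as_of: date) -> bool:
    """A finding counts as exposed on `as_of` if seen by then and not yet closed."""
    return f.first_seen <= as_of and (f.closed is None or f.closed > as_of)


def exploitable_per_org(findings, as_of: date) -> dict:
    """Count of internet-facing exploitable services per organization on a date."""
    counts = {}
    for f in findings:
        counts.setdefault(f.org, 0)
        if f.service in EXPLOITABLE and is_open(f, as_of):
            counts[f.org] += 1
    return counts


def share_fully_remediated(findings, as_of: date) -> float:
    """Fraction of organizations with zero open exploitable services on `as_of`."""
    counts = exploitable_per_org(findings, as_of)
    return sum(1 for c in counts.values() if c == 0) / len(counts)


def median_kev_remediation_days(findings, severity: str) -> Optional[float]:
    """Median days from first observation to closure for closed KEV findings of a severity."""
    days = [(f.closed - f.first_seen).days for f in findings
            if f.kev_severity == severity and f.closed is not None]
    return median(days) if days else None


def ot_exposure_rate(findings, sector: str, as_of: date) -> float:
    """Share of a sector's organizations with at least one OT protocol exposed."""
    orgs = {f.org for f in findings if f.sector == sector}
    exposed = {f.org for f in findings
               if f.sector == sector and f.service in OT_PROTOCOLS and is_open(f, as_of)}
    return len(exposed) / len(orgs) if orgs else 0.0


if __name__ == "__main__":
    for snapshot in (date(2022, 9, 30), date(2024, 8, 31)):
        print(snapshot, exploitable_per_org(FINDINGS, snapshot),
              f"{share_fully_remediated(FINDINGS, snapshot):.0%} fully remediated")
    print("critical KEV median days:", median_kev_remediation_days(FINDINGS, "critical"))
    print("government OT exposure:", ot_exposure_rate(FINDINGS, "government", date(2024, 8, 31)))
```

Comparing two snapshots with `exploitable_per_org` and `share_fully_remediated` reproduces the shape of the report’s per-organization trend and its “eliminated all exploitable services” figure; `ot_exposure_rate` is the per-sector number the report gives for OT protocols. Findings that are still open are excluded from the remediation median on purpose, so the metric reflects closed tickets only and does not understate time to fix.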
A Good Start
CISA received kudos for the program from some cybersecurity pros, though they noted that more needs to be done.
“CISA’s Cyber Hygiene service growth reflects the critical sectors’ increasing focus on cybersecurity, but the report also highlights persisting risks, like high exposure of operational technology protocols,” said Emily Phelps, cybersecurity evangelist and director of marketing and communications at security firm Cyware. “Improved remediation times are encouraging, but organizations must go beyond addressing vulnerabilities to build resilience against evolving threats.”
Lawrence Pingree, vice president of technical market at cybersecurity vendor Dispersive, applauded organizations that were taking advantage of CISA’s vulnerability scanning service, noting that “seeking to find any vulnerabilities in your external attack surface is certainly one of the first priorities that enterprises should have.”