The Cybersecurity and Infrastructure Security Agency (CISA) has begun compiling a catalog of bad cybersecurity practices: practices that are exceptionally risky for any organization and especially dangerous for those supporting designated critical infrastructure or National Critical Functions.
National Critical Functions are functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. CISA works with the private sector, government agencies and other stakeholders to identify, analyze, prioritize, and manage the significant risks to these functions, whether cyber, physical or supply chain.
CISA highlighted that the use of unsupported (or end-of-life) software in service of critical infrastructure and National Critical Functions is dangerous, and elevates risk to national security, national economic security, and national public health and safety. This dangerous practice is especially egregious in internet-accessible technologies.
CISA also flagged the use of known, fixed or default passwords and credentials in service of critical infrastructure and National Critical Functions as dangerous: it heightens the risk to national security, national economic security, and national public health and safety, and is again especially egregious in internet-accessible technologies.
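The two bad practices above are things an organization can check for in its own asset inventory. The following is an added illustration, not CISA's tooling or anything from the catalog: it walks a constructed inventory, flags products past their vendor end-of-support date and accounts still using a known default credential pair, and rates each finding higher when the host is internet-facing, which is the "especially egregious" case the text calls out. Host names, the credential list and the inventory are hypothetical; the end-of-support dates are vendor-published dates used only for illustration, and a real check should read them from maintained lifecycle data.

```python
from datetime import date

# Vendor end-of-support dates used for illustration only (hypothetical table;
# load from the lifecycle data you maintain in practice).
END_OF_SUPPORT = {
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 7": date(2020, 1, 14),
    "CentOS 8": date(2021, 12, 31),
}

# Known/fixed/default credential pairs (hypothetical short list; a real one comes
# from vendor documentation and a default-credential database).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("admin", ""),
}

# Constructed sample inventory. In practice the credential fields would be the
# result of an authenticated login attempt with the default pair, not a stored
# plaintext password.
INVENTORY = [
    {"host": "hmi-01", "product": "Windows 7", "internet_facing": True,
     "username": "admin", "password": "admin"},
    {"host": "historian-02", "product": "Windows Server 2008 R2", "internet_facing": False,
     "username": "svc_hist", "password": "Tr0ub4dor&3"},
    {"host": "jump-03", "product": "CentOS 8", "internet_facing": True,
     "username": "ops", "password": "correct horse battery staple"},
    {"host": "plc-gw-04", "product": "CentOS 8", "internet_facing": True,
     "username": "root", "password": "root"},
]

SEVERITY_RANK = {"critical": 0, "high": 1}


def audit_asset(asset, today, eol=END_OF_SUPPORT, defaults=DEFAULT_CREDENTIALS):
    """Return a list of (issue, severity) findings for one asset.

    Internet-facing hosts get 'critical'; everything else 'high'.
    """
    findings = []
    severity = "critical" if asset["internet_facing"] else "high"

    eol_date = eol.get(asset["product"])
    if eol_date is not None and eol_date <= today:
        findings.append(("unsupported-software", severity))

    if (asset["username"], asset["password"]) in defaults:
        findings.append(("default-credentials", severity))

    return findings


def audit_inventory(inventory, today, eol=END_OF_SUPPORT, defaults=DEFAULT_CREDENTIALS):
    """Return {host: [(issue, severity), ...]} for hosts with at least one finding."""
    report = {}
    for asset in inventory:
        findings = audit_asset(asset, today, eol, defaults)
        if findings:
            report[asset["host"]] = findings
    return report


def prioritized(report):
    """Hosts ordered so those with a 'critical' finding come first, then by name."""
    def worst(host):
        return min(SEVERITY_RANK[sev] for _, sev in report[host])
    return sorted(report, key=lambda h: (worst(h), h))


if __name__ == "__main__":
    # Fixed date so the sample output is stable; use date.today() in practice.
    report = audit_inventory(INVENTORY, today=date(2021, 8, 1))
    for host in prioritized(report):
        for issue, severity in report[host]:
            print(f"{severity:8} {host:14} {issue}")
```

The ordering is the "what to do first" answer the text asks for: an internet-facing host running unsupported software behind a default login sorts to the top, while the same finding on an internal host ranks below it. The example goes slightly beyond the page by combining both bad practices in one pass; the individual checks are exactly the two CISA names.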
Organizations must focus on stopping bad practices, including insecure and dangerous technology practices that are too often accepted because of competing priorities, lack of incentives, or resource limitations that preclude sound risk management decisions but result in untenable risks to our national security, economy, critical infrastructure, and public safety, the security agency added.
Leaders at all organizations, and particularly those that support National Critical Functions, should engage in urgent conversations to address technology bad practices, CISA said. There is certainly no lack of standards, practices, control catalogs, and guidelines available to improve an organization’s cybersecurity. While the body of guidance is invaluable, the sheer breadth of recommendations can often be daunting for leaders and risk managers, it added.
“Given the risk facing our nation’s critical infrastructure, as reflected by recent incidents, additional perspective is needed. Putting an end to the most egregious risks requires organizations to make a concerted effort to stop bad practices,” Eric Goldstein, CISA’s executive assistant director, wrote in a blog post.
The principle of ‘focus on the critical few’ is a fundamental element of risk management, according to Goldstein. Based on the understanding that organizations have limited resources to identify and mitigate all risks, it should also be an essential element of every organization’s strategic approach to security. Addressing bad practices is not a substitute for implementing best practices, but it provides a rubric for prioritization and a helpful answer to the question of ‘what to do first,’ he added.
The CISA catalog is the latest in a string of measures adopted by the U.S. administration to secure critical infrastructure environments. Earlier this month the agency released guidelines for critical infrastructure owners and operators to review their operational technology (OT) assets and control systems, in direct response to the recent rise in ransomware attacks that have hit industries across sectors, disrupting operations at industrial facilities and across critical infrastructure segments.
Ransomware attacks have in recent months disrupted operations at fuel pipeline operator Colonial Pipeline, manufacturing at Sierra Wireless, and the world's largest food producer, JBS.
The National Security Agency (NSA) also released guidelines and an evaluation methodology to improve OT and control system cybersecurity. The advisory, described as a "significant shift" in how OT systems are viewed, evaluated, and secured within the U.S., aims to keep malicious cyber actors (MCA) from achieving successful, and potentially damaging, cyber effects.