CISA CyberSentry program works on national efforts to defend critical infrastructure networks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published Thursday details on the CyberSentry program, a CISA-managed threat detection and monitoring capability with critical infrastructure partners that operate significant networks supporting National Critical Functions (NCFs). Through the program, CISA supports national efforts to defend U.S. critical infrastructure networks. It also monitors for both known and unknown malicious activity affecting information technology (IT) and operational technology (OT) networks.

CyberSentry is a CISA-managed threat detection and monitoring capability, governed by an agreement between CISA and voluntarily participating critical infrastructure partners who operate significant systems supporting NCFs. The program enables trusted partnerships between CISA and each participating organization for mutual benefit and the benefit of critical infrastructure entities nationwide.  

Additionally, CyberSentry’s unique partnerships provide an added layer of defense for partners by securely leveraging sensitive government information and providing shared opportunities for visibility and mitigation of highly consequential cyber threats targeting critical infrastructure. Relevant insights gained from the program are used for the collective defense of infrastructure across partners and nationwide.

CyberSentry consists of integrated hardware and software capabilities that CISA strategically positions at critical infrastructure partner facilities to achieve visibility into internal IT/OT networks without disrupting partner operations. Working with each critical infrastructure partner, CISA monitors partner-supplied information alongside cybersecurity-related government information.

The agency notifies partners when a cybersecurity concern is found and then works with them to help resolve it. If necessary, CISA analysts can deploy additional resources to work together with partners to hunt down active cyber threats in real time or provide other support. CISA also supports partners whenever needed to mitigate cyber threats and protect partners’ critical operations. CISA analysts use the unique insights gained from these activities to search for related activity affecting other partners and to inform other CISA missions that disseminate actionable, unattributable threat information to stakeholders.

Participating in the CyberSentry program is voluntary and is provided without fees or equipment costs to partners.

CyberSentry partners with industry to provide commercial detection capabilities with three key benefits. It enables the operational use of sensitive information prior to broader dissemination to the cybersecurity community; allows CISA’s analysts to correlate threat activity targeting multiple critical infrastructure entities and understand evolving campaigns; and provides participating entities with access to their own CyberSentry dashboard, enabling integration into the partner’s cyber operations.

Jermaine Roebuck, associate director for threat hunting, wrote in a CISA blog post on Thursday that recent CyberSentry successes include detecting infected OT equipment, identifying unintentional exposure, private sector coordination, SolarWinds response, identification of malicious activity, malware discovery, and detection of attacker exfiltration.

CyberSentry discovered an infection on a partner’s Human Machine Interface (HMI) equipment that had not been properly patched and secured. CISA analysts quickly notified the partner about the issue and offered guidance on preventive techniques for the future. When it comes to unintentional exposure, CyberSentry tools spotted cleartext authentication occurring on a partner’s network, and further investigation revealed that a misconfiguration had caused the issue. A detailed report was provided to the partner, including specific guidance on remediating the situation.

During the Colonial Pipeline disruption, CISA analysts coordinated closely with CISA’s pipeline partners to share information and monitor for adversary activity. CyberSentry data also helped to identify partners affected by the SolarWinds supply chain compromise. All impacted partners were notified, and the program worked closely and expediently with these partners to confirm the remediation of the threat.

On multiple occasions, CISA analysts identified possible malicious activity at partner sites and worked with affected partners to identify the root causes of the activity. CyberSentry tools quickly discovered and identified malware in a partner’s IT network. Working with the partner, CISA analysts were able to locate the infected device so the partner could remove it from the network and verify that the threat was contained.  

Additionally, CyberSentry discovered that an attacker was actively exfiltrating information. CyberSentry worked with the partner to identify information that had been exfiltrated. After conferring with CyberSentry analysts, the partner was able to isolate infected systems that same evening, eliminating the threat. 

Roebuck added that CISA is “looking to partner with a select number of additional Critical Infrastructure organizations who operate systems supporting National Critical Functions – functions so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on our Nation.”

“As malicious cyber activity continues to evolve, and nation-state actors continue to aggressively target National Critical Functions, CyberSentry’s capabilities and critical partnerships directly enhance CISA’s goal of a stronger collective defense for our Nation,” according to Roebuck.

Earlier this month, news reports disclosed that ‘several’ U.S. federal agencies had been affected by a global cyberattack that exploits a vulnerability in widely used software. Available details have not identified who carried out the hack of federal agencies or how many such agencies have been affected.