CISA’s 2023 Year in Review highlights efforts to safeguard critical infrastructure, manage cyber and physical risks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released its fourth annual Year in Review showcasing the agency’s work to protect the nation from cyber and physical threats, while working to increase the resilience of critical infrastructure Americans rely on every day. The 2023 Year in Review reflects on the agency’s accomplishments across its broad cybersecurity, infrastructure security, and emergency communications missions as the nation and the world adapted to technological advances, spillover from international events, and other major events. 

In 2024, CISA will continue to develop and deliver tools, training, technical expertise, and other resources to help critical infrastructure partners increase their resilience and defenses against evolving risks.

“This Year in Review report demonstrates CISA’s exceptional work in 2023 to protect critical infrastructure,” Jen Easterly, CISA director said in a media statement. “It not only celebrates our progress from the past year but also spotlights groundbreaking milestones and pioneering ‘firsts’ achieved by the agency. These efforts are a testament to and reflect the dedication of CISA’s workforce. Because of their commitment to the mission, the critical infrastructure systems that Americans rely on every day are more secure and resilient than ever.” 

CISA strengthens the security and resilience of cyberspace by offering a range of services and resources focused on operational resilience, cybersecurity practices, and other key elements of a robust and resilient cyber framework.

In October 2023, CISA and 17 U.S. and international partners published an update to ‘Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software,’ originally released on April 13, 2023. The updated guidance integrated feedback received from hundreds of individuals, companies, and nonprofits, and eight new international agency co-sealers.

The move urges software manufacturers to revamp their design and development programs to permit only secure-by-design products to be shipped to customers and lays out three core principles – take ownership of customer security outcomes, embrace radical transparency and accountability, and lead from the top. CISA additionally released its first Secure by Design alerts reflecting the real-world harm created by technology products that are released with known defects, such as exposed web interfaces and default passwords.

CISA notifies thousands of organizations about intrusions and vulnerabilities, allowing mitigation before damage occurs, and avoiding millions of dollars of impacts and real harm to public health and safety. “In 2023 we conducted more than 1200 pre-ransomware notifications to include 7 Water and Wastewater sector entities, 20 Transportation System sector entities; 17 Energy sector entities; 117 U.S. and 19 international K-12 school districts; 111 U.S. and 27 international institutes of higher education; 154 U.S. healthcare organizations; 39 U.S. Emergency Services sector entities; and 94 U.S. state, local, tribal, and territorial governments. 294 pre-ransomware notifications were also shared with 27 partner countries,” the agency disclosed. 

In February, CISA supported a Fortune 500 company suffering a US$60 million ransomware attack, which led the company to establish a Chief Information Security Officer (CISO) position, make significant investments in their IT architecture, and implement improved security controls to be more cyber resilient, the 2023 Year in Review report identified. Additionally, CISA and the FBI held a joint cyber threat brief to provide more regional support. In 2023, CISA also provided a notification to a mass transit partner, preventing a $350 million ransomware attack on critical transportation infrastructure.  

Through its Administrative Subpoena authorities granted by Congress in 2021, CISA identified and drove mitigation of over 690 vulnerable devices used to control critical infrastructure such as power plants and water utilities.  

Through its Ransomware Vulnerability Warning Pilot, CISA conducted over 1,700 notifications to organizations, including hospitals, and water utilities about open vulnerabilities on their networks that are specifically exploited by ransomware actors and enabled timely mitigation before intrusions occurred. The program is driven by the agency’s Vulnerability Scanning efforts, which now cover nearly 7,000 critical infrastructure and SLTT (State, Local, Territorial, and Tribal) entities in every state. 

The 2023 Year in Review report also identified that in 2023, CISA conducted more than 240 Cybersecurity Performance Goals (CPGs) assessments across the agency’s 10 regions nationwide. CISA released the CPGs in late 2022 to provide organizations of all sizes, across all sectors, and at every level of cyber maturity with clear, plain-language cybersecurity recommendations. When implemented, the CPGs can help these entities reduce the impact of the most common or most impactful cyberattacks.

In 2023, CISA’s Joint Cyber Defense Collaborative (JCDC) initiated a collaborative cyber defense planning effort to support the awareness, security, and cyber resiliency of open-source software in Operational Technology and Industrial Control Systems. By embracing open-source principles, CISA not only champions inclusivity but also fortifies the nation’s defenses against evolving threats.

Last November, CISA published its first Roadmap for Artificial Intelligence (AI). This Roadmap outlines a whole-of-agency plan aligned with the national strategy to promote the beneficial uses of AI to enhance cybersecurity capabilities, ensure AI systems are protected from cyber-based threats, and deter the malicious use of AI capabilities to threaten the critical infrastructure Americans rely on every day.

Shortly after the Roadmap publication, CISA and the U.K.’s National Cyber Security Centre jointly released Guidelines for Secure AI System Development addressing the intersection of AI and cybersecurity. Developed in cooperation with 21 other agencies and ministries from across the world, the Guidelines for Secure AI System Development are the first of their kind to be agreed to globally and will help AI system developers make informed cybersecurity decisions at every stage of the development process.

The 2023 Year in Review report disclosed that the agency identified and drove mitigation of more than 14 million Known Exploited Vulnerabilities across the federal government using its Continuous Diagnostics and Mitigation (CDM) program and our Vulnerability Scanning tools. Across non-federal partners, CISA has driven mitigation timelines to be 36 days faster than a year ago. 

The agency has also onboarded 97 agencies onto its Protective Domain Name System service, which blocked 900 million malicious connections targeting federal agencies, disrupting a significant number of attempted attacks. “Using new authorities from Congress, we are now deploying this same capability to under-resourced critical infrastructure organizations such as K-12 school districts and water utilities, with over 20 organizations already on board and nearly 100 in the deployment process,” according to the 2023 Year in Review report.

It has also onboarded 46 agencies onto the Vulnerability Disclosure Policy Platform, leading to the identification and remediation of 1,054 confirmed vulnerabilities before they could be exploited by malicious actors. It also released multiple new open source tools to help the cybersecurity community, including Secure Cloud Business Applications tools for both Microsoft and Google cloud services, and issued two Binding Operational Directives, BOD 23-01 and BOD 23-02, resulting in real-time asset visibility across every federal agency and remediation of hundreds of exposed Network Management Interfaces. 

The 2023 Year in Review report said that the CISA continued to deploy advanced endpoint protections to nearly 50 federal agencies, reaching over 900,000 devices. These technologies give CISA unsurpassed visibility into threats and incidents targeting federal networks, allowing faster detection. “Using new authorities and resources provided by Congress, we can now help agencies respond to cyber events in minutes rather than days or weeks,” it added. 

CISA conducts specialized security and resilience assessments on the nation’s critical infrastructure, the 2023 Year in Review report recognized. These voluntary assessments assist CISA and its partners—federal, state, tribal, territorial governments, and private industry—in better understanding and managing risk to critical infrastructure.

In 2023, CISA delivered 141 Infrastructure Visualization Platform Projects that use high-resolution, interactive visual data of critical facilities and surrounding areas to enhance planning and response and delivered 360 Infrastructure Survey Tool Dashboards and three Multi-Asset and System Assessments in coordination with facilities owners and operators to identify and document the overall security and resilience of their facilities.

The agency also delivered 10 Regional Resiliency Assessment Program reports that identify a range of security and resilience issues that could have significant consequences, the 2023 Year in Review report identified. It also published a Marine Transportation System (MTS) Resilience Assessment Guide to help federal agencies, local governments, and industry conduct resilience assessments of MTS components, and released Launchpoint to assist users in determining which parts of the Infrastructure Resilience Planning Framework apply to their needs.

The 2023 Year in Review report said that in August, CISA kicked off a broad effort to promote resilience across critical infrastructure by communicating the imperative principles and priorities of resilience in accessible and meaningful ways and empowering stakeholders to take action where they are and ask for support for where they want to be. A key part of this effort was the November launch of Shields Ready, CISA’s campaign to encourage the critical infrastructure community to focus on strengthening resilience.

CISA has taken strides in 2023 to promote interoperability on a global level by building, sustaining, and advancing international partnerships. In 2023, CISA released 48 joint-sealed cybersecurity advisories, including first-time co-sealed products with South Korea, Germany, Israel, France, and Japan. 

The 2023 Year in Review report also identified that the CISA is dedicated to working across the broader community to ensure qualified individuals from every background and walk of life have an equal opportunity to work in the field of cybersecurity. As the threat landscape evolves, so too has CISA adapted to bring on the best talent and brightest minds in the field to stay ahead of our adversaries. The agency hired its first Chief People Officer to drive its ‘people-first’ culture and ‘One CISA’ initiative. 

In its conclusion, the 2023 Year in Review report recognizes that as the agency looks forward to 2024, “the risks we face now will continue to evolve. Advanced persistent threat actors like China threaten the integrity of our critical infrastructure. Increasingly severe weather, wildfires, and other natural hazards are creating additional risks that critical infrastructure facilities must work into their planning. Extremists are likely to continue to target organizations that are meant to be open and welcoming—such as faith-based communities.” 

It also identifies that artificial intelligence will continue to evolve at an awe-inspiring pace, bringing with it both potential for good and new opportunities for cyber hackers.  

“Despite the risks surrounding us, America was designed to be resilient. This country has faced and overcome numerous challenges since its inception, and we will continue to do so—together,” according to the 2023 Year in Review report. “There is no total guarantee of a risk-free, completely secure environment, so we must all plan and prepare to be recover quickly if—and when—we face a crisis.”  

As the nation’s cyber defense agency and national coordinator for critical infrastructure security and resilience, CISA will continue to develop and deliver tools, training, technical expertise, and other resources to help critical infrastructure partners increase their resilience to evolving risks, the 2023 Year in Review report said. “It is also incumbent on every organization, large or small, to take responsibility for their own security and resilience. Therefore, we challenge everyone to make 2024 the year we Resolve to be Resilient.”

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.