This past month, President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act, as part of omnibus appropriations legislation.
That act would require owners and operators of critical infrastructure entities – including healthcare and public health organizations – to report “substantial” cyber incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours, and ransomware payments within 24 hours.
In a fact sheet published this month, CISA says its next move will be to undertake a rule-making process to implement the statutory requirements. In the meantime, it offered entities information about how best to share details about cyber-related events in order to help mitigate current or emerging threats to infrastructure.
“When cyber incidents are reported quickly, CISA can use this information to render assistance and provide a warning to prevent other organizations and entities from falling victim to a similar attack,” said CISA.
WHY IT MATTERS
In its brief, CISA defined who should share – critical infrastructure owners and operators, along with federal, state, local, territorial and tribal government partners – and what they should do: observe the activity, act by taking local mitigation steps and report the event.
It also outlined what types of activities should be shared:
- Unauthorized access to systems.
- Denial-of-service attacks that last more than 12 hours.
- Malicious code on systems, including variants if known.
- Targeted and repeated scans against services on organizations’ systems.
- Repeated attempts to gain unauthorized access to systems.
- Email or mobile messages associated with phishing attempts or successes.
- Ransomware against critical infrastructure, with variant and ransom details included, if known.
In addition, it noted 10 key elements to share:
- Incident date and time.
- Incident location.
- Type of observed activity.
- Detailed narrative of the event.
- Number of people or systems affected.
- Company/organization name.
- Point of contact details.
- Severity of event.
- Critical Infrastructure Sector, if known.
- Anyone else informed.
“If you are a Federal or Critical Infrastructure partner that has completed one of our Incident Reporting Forms we encourage you to continue to use this method. If you have never reported to CISA, or don’t have the time or capability, we encourage you to send an email to [email protected] and be as detailed as possible using the guidelines identified above,” said CISA.
The fact sheet preceded an alert from CISA – along with the Department of Energy, the National Security Agency and the Federal Bureau of Investigation – released Wednesday warning that some advanced persistent threat actors have exhibited the capability to gain full system access to multiple industrial control system/supervisory control and data acquisition devices.
Although the alert was aimed at energy sector organizations, the agency urged critical infrastructure entities to implement detection and mitigation recommendations aimed at hardening ICS/SCADA devices.
THE LARGER TREND
This past month at HIMSS22, two FBI special agents also offered advice for communicating with federal law enforcement authorities after a cyberattack.
CISA’s new guidance comes amid an environment of ramped-up warnings of potential attacks on infrastructure, particularly where Russia is concerned.
Earlier this year, CISA warned organizations to put “shields up” and be prepared to defend against threats, as did the American Hospital Association. In March, Biden encouraged critical infrastructure to “immediately” harden defenses.
ON THE RECORD
“This information is … critical to identifying trends that can help efforts to protect the homeland,” said CISA in its fact sheet.