Ransomware Vulnerability Warnings Are Coming To A Critical Infrastructure Near You

The US Cybersecurity and Infrastructure Security Agency (CISA) launched the Ransomware Vulnerability Warning Pilot (RVWP) in January 2023 in response to ongoing concerns about the threat of ransomware. This is the CISA’s ransomware-centric take on external attack surface management for critical infrastructure. The RVWP is one of the outcomes of the Cyber Incident Reporting for Critical Infrastructure Act, signed into law by President Biden in March 2022. The CISA is using existing open source and internal tools to identify internet-facing systems in US critical infrastructure environments that carry vulnerabilities known to be exploited by ransomware actors. The RVWP covers all critical infrastructure sectors. When a vulnerable system is found, CISA regional staff members notify the affected organization and offer guidance on how to mitigate the vulnerability. Organizations can also take advantage of other CISA Cyber Hygiene services, such as its vulnerability scanning service, at no cost.

This Is A Positive, Proactive Step In The Right Direction

Many organizations in critical infrastructure industries are struggling to defend against cyberattacks while also dealing with limited resources and the sheer volume of vulnerabilities. The risk is so severe that Strategic Objective 2.5 (Counter Cybercrime, Defeat Ransomware) of the 2023 US National Cybersecurity Strategy explicitly states that “Ransomware is a threat to national security, public safety, and economic prosperity.” By actively identifying vulnerable, internet-facing critical infrastructure systems that are easy targets for ransomware threat actors, the CISA should shorten time to remediation and help prevent disruptions to critical infrastructure. A little assistance can go a long way.

DO NOT WAIT OR RELY ON THE CISA SOLELY TO PROTECT YOUR ENVIRONMENT

Do not view this pilot program as a convenient way to avoid investing in additional cybersecurity controls. This is the wrong approach. The CISA cannot assess every critical infrastructure environment, and the pilot only looks at what is exposed to the internet. It is mainly providing a secondary safety net to ensure that publicly exposed vulnerabilities commonly targeted by ransomware threat actors are identified and mitigated in a timely manner. Critical infrastructure organizations must continue to implement a sound cybersecurity strategy and invest in foundational security controls such as vulnerability risk management, as well as operational-technology security measures such as restricted remote access, threat detection, and network segmentation, to keep systems secure.

Critical infrastructure organizations must update their incident response procedures to include steps outlining how to respond to notifications from the CISA. As our Forrester colleague recently learned, it is essential to be prepared to receive notifications by keeping relevant contact information, such as email addresses and phone numbers, up to date. Check that this information is available to the CISA. Many companies use aliases or shared mailboxes, so it is important that these are properly monitored and that any notifications are routed to the people who can act upon them quickly. Practice responding to a CISA notification. If you are officially contacted, act upon the recommendations in a timely manner, seeking third-party security consulting assistance if you don’t have the means to do so in house.