Stepping in to help entire industries better manage their connected devices, CISA is providing critical live vulnerability data directly to CPSOs. It remains unclear if teams are set up in a way to digest the data into vulnerability management and malware detection activities.
Last week, CISA announced their new Ransomware Vulnerability Warning Pilot (RVWP), which actually kicked off at the end of January 2023.
CISA lays out how it plans to bolster the cybersecurity posture of America’s infrastructure by taking an active role in patrolling and reporting on vulnerabilities that are being targeted by threat actors. This initiative shows how despite growing standards and regulations surrounding America’s infrastructure, many organizations are simply under-equipped or ill-prepared to handle the sheer flood of attacks that attempt to penetrate their networks on a daily basis.
The White House Cybersecurity Strategy 23’, released just two weeks before the CISA announcement, pointed out the challenges faced by the fractured nature of utility and infrastructure operators across the country. In response, the strategy spoke about shifting responsibility from the end users to infrastructure operators “To build the secure and resilient future we want, we must shape market forces to place responsibility on those within our digital ecosystem that are best positioned to reduce risk. We will shift the consequences of poor cybersecurity away from the most vulnerable, making our digital ecosystem more worthy of trust.”
Throughout the United States’ water, power, and other utility providers are operated independently by hundreds of organizations. This provides an unequal starting point for smaller organizations who have been provided with grants by the Federal Government to secure their OT networks, but still struggle to protect the devices that operate on those networks. In an attempt to elevate small and medium organization’s cybersecurity posture to match those of larger companies, the release highlights “…most organizations may be unaware that a vulnerability used by ransomware threat actors is present on their network.” It continued “Through the Ransomware Vulnerability Warning Pilot (RVWP), which started on January 30, 2023, CISA is undertaking a new effort to warn critical infrastructure entities that their systems have exposed vulnerabilities that may be exploited by ransomware threat actors.”
From utilities to healthcare
As made clear by President Biden’s administration, infrastructure goes well beyond water, power, roads, and telecom providers to healthcare as well.
When we think of a ransomware attack on a medical facility, the first thing that comes to mind may be an IT attack that locks computers and exposes patient records. However, that false sense of product security was shattered back in 2017 with the global Wanna Cry ransomware attack. As more complex machines became connected, some hospitals saw WannaCry take offline. Even more heartbreaking was the September 2020 OIG attack that resulted in a patient death, as a German hospital was unable to accept them for emergency treatment due to a then ongoing ransomware attack. Later in 2021, 50 patients at Southcoast Health’s cancer centers in Rhode Island, USA had to reschedule their cancer treatments due to a ransomware attack cutting off access to devices.
Unfortunately, this trend shows no signs of slowing down.
The time is ripe for RVWP
Back in 2017, internet security relied on IT departments and their tools. Acknowledging this need to shake up the way we approach attacks, the Federal Government implemented the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) which brought us to the implementation of RVWP.
The incidents mentioned above don’t take into account the impact of poor water treatment, power outages, or other catastrophes that can occur with a breach. Now that we have the field of product security, it is up to Chief Product Security Officers (CPSOs) to ensure that their devices remain secure, even if the network experiences a breach.
This is being achieved by companies across the medical, automotive, and industrial sectors with proper SBOM generation and management. SBOMs can then be used as a foundation for proper vulnerability management and threat mitigation activities that can only be achieved once it is clear exactly which software components exist within medical, automotive, or industrial devices.
Once properly managed, companies have the data they need to go beyond SBOMs. A proper security approach built upon a trustworthy foundation will incorporate automatic VEX reports, vulnerability reports, and even run malware detection programs based on the most up to date information.
Preparing for RVWP
Similar to the sweeping changes occurring in the medical device industry, automotive and industrial sectors should prepare for their relevant governmental authorities to require thorough and live SBOMs.
This document is a foundational piece in keeping devices secure and unprofitable for hacking groups by enabling automation of:
Vulnerability management– The FY’ 2023 Omnibus bill requires medical device manufacturers to create a reasonable schedule for scanning their devices for new publicly known vulnerabilities (CVEs, MITRE, etc.). Aside from being a recommended practice, it’s reasonable to expect that other agencies will require companies do the same.
That means companies who participate in CISA’s RVWP program will not only be tasked with discovering new vulnerabilities on their own, but they will also be prepared to identify, scan, and extract the needle that rests within a vulnerability haystack.
Cybellum’s Product Security Platform automates this process with workflows, allowing you to automatically scan up to date SBOMs, run vulnerability assessments, manage device risk scores, and keep your device secure from the software supply chain through post-production.
Patch assurance– Following US Federal requirements set in motion for medical devices, products need to remain updateable throughout their full life cycle. For other sectors, this means that devices must be able to receive patches, both on schedule and outside of normal schedules, and have that patch be installed properly.
With updated SBOMs, software engineers can confirm that components are secure before going live, ensuring proper security before deploying a patch and avoiding any lapse in compliance.and their versions to ensure that they are running the latest edition and there is no mismatch between what is on the SBOM and what exists within the machine.
Threat reporting– Sharing threats across the ecosystem is the natural evolution of wide-scale product security but done incorrectly and companies risk sharing more than necessary.
SBOMs hold a wealth of information that can tell you about what exists within a component along with the other components it operates alongside. This data then needs to be parsed, allowing you to drill down into the exploitability of each component, identify proper vulnerability mitigation techniques, and generate VEX reports that can help customers remain secure as well.
Compliance automation– The same automations that active SBOM generation, vulnerability assessment, and other activities mentioned in this section also act to identify compliance gaps based on the standards and regulations that apply to your product.
One all gaps are addressed, workflows act to take this information and turn it into compliance-ready reports, reducing the resources needed to meet growing regulations.
How to Approach RVWP?
One of the most important aspects of CISAs new initiative is that it doesn’t lay out any unique prerequisites or make demands of companies.
But is your organization ready to turn that information into action?
To fully take advantage of this initiative, companies will need to know what software components were embedded in which devices. That’s only possible with a list of all software “ingredients” for every device that’s managed and kept up to date, enabling teams to know exactly which devices to patch and which can be left alone. While many companies began SBOM management manually, the increased demand of teams to catalog open source, custom open source, and third-party software demands automation processes that keep all SBOMs up to date, without straining resources or risking human error.
It’s also important to have a multidisciplinary team made up of experts who understand the product intimately across variations. This can be a Product Security Incident Response Team (PSIRT) or an internal process that can handle a potentially large volume of critical warnings.
While we don’t exactly know which sectors will ultimately be brought into this program, it is crucial that we all become ready to take in such time-sensitive information if we want to gain the greatest benefits from this program. What’s more, preparing to receive this data will increase vulnerability sharing within industries as a way to harden their cybersecurity posture.
The below FAQs are taken directly from the RVWP release.
Q: What is CIRCIA?
A: The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is federal legislation that puts in place requirements for critical infrastructure entities to report cyber incidents and ransom payments to CISA.
Q: Why is CISA sending me a notification?
A: CISA routinely identifies security risks facing U.S. organizations, including information from government or industry partners. CISA additionally leverages commercial tools to identify organizations that may be at heightened cybersecurity risk. As required by CIRCIA, CISA proactively identifies information systems that contain security vulnerabilities commonly associated with ransomware attacks. After discovery, CISA notifies owners of the vulnerable systems.
Q: Who will notify me if I have a vulnerability?
A: CISA Regional staff members, located throughout the country, make notifications and may provide assistance and resources to mitigate the vulnerability.
Q: What can I expect in the notification?
A: Notifications will contain key information regarding the vulnerable system, such as the manufacturer and model of the device, the IP address in use, how CISA detected the vulnerability, and guidance on how the vulnerability should be mitigated.
Q: How should I expect to receive a notification?
A: CISA regional staff members will make notifications by phone call or email.
Q: How do I verify it is CISA notifying me?
A: If you receive a notification, you can verify the identity of the CISA personnel through CISA Central: [email protected] or (888) 282-0870.
Q: If I received a notification, does that mean I was compromised?
A: Receiving a notification through CISA RVWP is not indicative of a compromise. However, it does indicate you are at risk and the information system requires immediate remediation.
Q: Am I required to comply with CISA’s recommended actions?
A: No. Receiving a notification does not require you to comply with or institute any of CISA’s recommendations.
Q: How did CISA determine I was vulnerable?
A: CISA leverages multiple open-source and internal tools to research and detect vulnerabilities within U.S. critical infrastructure.