CISA IDs Government, Critical Structure Entities at Hijack Risk

A pilot program co-run by the Cybersecurity and Infrastructure Agency (CISA) and the Joint Ransomware Task Force has notified hundreds of government and critical infrastructure organizations that their devices may be vulnerable to cyber hijackers.

The Ransomware Vulnerability Warning Pilot (RVWP) made 1,754 notifications in 2023 to organizations with internet-facing devices vulnerable to attack. Of those, 852 or roughly half, were either “patched, implemented a compensating control, or taken offline after notification from CISA.”

More than 641 of those notifications went to government entities, including schools, state, local, tribal, and territorial governments (SLTT) and federal agencies. Another 440 went to organizations in the healthcare sector while 173 were delivered to energy and 127 to financial services. Taken together, those four industries totaled nearly 80% of the overall notifications for 14 of 16 critical infrastructure sectors.

Notifications include key information regarding the vulnerable system, such as the manufacturer and model of the device, the IP address in use, how CISA detected the vulnerability, and guidance on how the vulnerability should be mitigated, RVWP said in a blog post. Receipt does not mean the organization has been compromised but does indicate it is at risk.

CISA leverages multiple open-source and internal tools to research and detect vulnerabilities within U.S. critical infrastructure.

The reports enable CISA to deploy resources and assist victims “suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information” with cyber defenders to inform other potential victims, officials said.

Following notification of the vulnerabilities, CISA regularly conducts vulnerability scans to determine whether the entities appear to have mitigated their vulnerable devices.

Origins of the RVWP Project

The RVWP project was launched in January, 2023 with a mission of “proactive risk reduction through direct communication with federal government, [SLTT] governments, and critical infrastructure entities to prevent threat actors from accessing and deploying ransomware on their networks,” CISA said in a blog post.

Its genesis was the signing into law of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) that required CISA to develop and implement regulations directing covered entities to report covered cyber incidents and ransomware payments to the agency. Under CIRCIA, critical infrastructure entities are required to report cyber incidents within 72 hours of occurrence and 24 hours after making a ransom payment.

Organizations with ransomware-related vulnerabilities can participate in CISA’s Cyber Hygiene Vulnerability Scanning, which monitors internet connected devices for known vulnerabilities that may go unmanaged. It is available free of charge.

CISA said that organizations participating in this service typically reduce their risk and exposure by 40% within the first 12 months and most see improvements in the first 90 days.

Currently, the service has detected exposed devices at more than 7,600 participating organizations across all sectors and has identified more than three million known vulnerabilities for participants since 2022.

CISA's Ransomware Prevention Actions

CISA urged organizations to take the following actions to stop ransomware: