Fewer than half of the organizations that received direct warnings from the Cybersecurity and Infrastructure Security Agency about potential ransomware attacks acted to mitigate vulnerable devices on their networks last year, the agency said last week.
CISA sent 1,754 ransomware vulnerability warnings to critical infrastructure organizations operating an internet-accessible vulnerable device in 2023. “Our findings indicated that 852 of the 1,754 notifications of vulnerable devices were either patched, implemented a compensating control, or taken offline after notification from CISA,” the agency said.
The Ransomware Vulnerability Warning Pilot (RVWP), which got underway in late 2022, identifies internet-exposed devices with known vulnerabilities that ransomware actors commonly exploit and notifies the organizations operating them, according to CISA.
“While these trends with the ransomware vulnerability warning pilot and cyber hygiene vulnerability scanning represent progress in the right direction, CISA acknowledges that there is room for improvement — this is only the beginning,” a spokesperson for CISA said via email.
More than one-third of the alerts went to government facilities and one-quarter to healthcare and public health organizations, according to CISA. The energy, financial services, transportation, critical manufacturing and IT sectors together accounted for almost another third.
CISA did not break down response rates by sector.
Without more of the underlying measurements, it is difficult to gauge how successful CISA’s RVWP effort has been so far, said Emily Austin, principal security researcher at Censys.
“Internet devices and services can be ephemeral, and it’s unclear how or if the analysis considers devices that, for whatever reason, may be online during one scan, offline during the next, but online again at some later date,” Austin said.
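The ephemerality problem Austin describes can be made concrete with a small reconciliation script. The following is an added example written for this page; it is not code from the article, from CISA or from Censys. The scan snapshots, hosts and vulnerability labels are constructed placeholders (the labels are not real CVE identifiers), and the classification rules and the two-consecutive-absences threshold are this editor’s assumptions, not a description of how CISA computed its 852-of-1,754 figure.

```python
from typing import Dict, List, Set, Tuple

# A finding is (host, vulnerability label). The labels below are constructed
# placeholders for this example, not real CVE identifiers.
Finding = Tuple[str, str]
Scan = Tuple[str, Set[Finding]]  # (scan date, findings observed exposed)

# Constructed sample snapshots. The first scan is the one that triggered the
# notification; the rest are follow-up scans of the same address space.
SCANS: List[Scan] = [
    ("2023-03-01", {("10.0.0.5", "VULN_A"), ("10.0.0.9", "VULN_B"),
                    ("10.0.0.12", "VULN_C"), ("10.0.0.20", "VULN_D")}),
    ("2023-03-08", {("10.0.0.9", "VULN_B"), ("10.0.0.20", "VULN_D")}),   # A and C not seen
    ("2023-03-15", {("10.0.0.9", "VULN_B"), ("10.0.0.12", "VULN_C"),
                    ("10.0.0.20", "VULN_D")}),                            # C is back online
    ("2023-03-22", {("10.0.0.9", "VULN_B"), ("10.0.0.12", "VULN_C")}),   # D not seen, once
]


def naive_remediation_rate(scans: List[Scan]) -> float:
    """Single-follow-up metric: a finding counts as remediated if it is absent
    from the first scan after notification. Hosts that are merely offline for
    one scan inflate this number."""
    baseline, first_followup = scans[0][1], scans[1][1]
    return sum(1 for f in baseline if f not in first_followup) / len(baseline)


def classify_findings(scans: List[Scan], min_absent: int = 2) -> Dict[Finding, str]:
    """Classify each notified finding using the whole follow-up history.

    remediated    : absent from the last `min_absent` consecutive scans (assumed threshold)
    pending       : absent from the latest scan, but not yet for `min_absent` scans
    intermittent  : dropped out at some point but is exposed again in the latest scan
    still_exposed : seen in every follow-up scan
    """
    baseline = scans[0][1]
    followups = [s[1] for s in scans[1:]]
    result: Dict[Finding, str] = {}
    for finding in sorted(baseline):
        presence = [finding in s for s in followups]
        # Length of the run of absences at the end of the history.
        trailing_absent = 0
        for seen in reversed(presence):
            if seen:
                break
            trailing_absent += 1
        if trailing_absent == 0:
            result[finding] = "still_exposed" if all(presence) else "intermittent"
        elif trailing_absent >= min_absent:
            result[finding] = "remediated"
        else:
            result[finding] = "pending"
    return result


def confirmed_remediation_rate(scans: List[Scan], min_absent: int = 2) -> float:
    """Share of notified findings whose absence has persisted for `min_absent` scans."""
    statuses = classify_findings(scans, min_absent)
    return sum(1 for s in statuses.values() if s == "remediated") / len(statuses)


if __name__ == "__main__":
    for finding, status in classify_findings(SCANS).items():
        print(f"{finding[0]:<11} {finding[1]:<7} {status}")
    print(f"naive rate:     {naive_remediation_rate(SCANS):.2f}")
    print(f"confirmed rate: {confirmed_remediation_rate(SCANS):.2f}")
```

On the constructed data the single-follow-up metric reports half of the findings as remediated, while requiring two consecutive absences confirms only a quarter; the host that came back in the third scan is reported as intermittent rather than fixed, and the one missing from only the latest scan is held as pending until another scan confirms it. The threshold is a tunable assumption; a longer one trades faster reporting for fewer false remediations.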
Still, the overall lack of action by critical infrastructure organizations highlights the unusual constraints, such as uptime requirements, that can keep them from promptly mitigating known vulnerabilities.
“Cybersecurity concerns that might prompt action in a typical enterprise might run into serious roadblocks when having to implement security controls that complicate uptime guarantees. Pumps need to run, surgery rooms need to operate, and nothing can be allowed to stop it,” Jason Soroko, SVP of product at Sectigo, said via email.
“I’m not surprised by the findings and have been discouraged for years about critical infrastructure organizations lagging behind their enterprise counterparts,” Soroko said. “Culturally, these organizations are not used to having to deal with security controls to the same extent as typical enterprises. It is going to be a long road to correcting this.”
These efforts, aligned with the Joint Ransomware Task Force, are not magic solutions, but the number of attacks would be much higher without them, CISA Director Jen Easterly said last week at the Institute for Security and Technology’s annual ransomware task force event.