The Cybersecurity and Infrastructure Security Agency (CISA) has established the Ransomware Vulnerability Warning Pilot (RVWP) in an effort to mitigate ransomware attacks against critical infrastructure entities. This new program, authorized by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, recently sent out an initial round of vulnerability notifications to 93 organizations.
Critical infrastructure organizations provide vital services like power, clean water, and health care. They face mounting challenges when it comes to preventing ransomware, including “…a lack of visibility across the entire enterprise, outdated IoT/OT devices, which have built-in vulnerabilities with no patches available (that ransomware can easily take advantage of), lack of resources (both people and technology) to combat ransomware attacks, and the fact that they are facing increasingly sophisticated attack techniques,” says Gary Barlet, federal CTO at cloud security company Illumio and a former Air Force cyber operations officer and USPS OIG CIO.
How will CISA’s RVWP program help critical infrastructure organizations in the fight against ransomware?
How RVWP Works
The RVWP program leverages data from CISA’s Vulnerability Scanning program, as well as public and commercial sources, to identify vulnerabilities commonly exploited by ransomware actors. “In the latter category, CISA leverages commercial data from trusted partners with broad visibility into vulnerability prevalence across American networks,” says Eric Goldstein, executive assistant director for cybersecurity at CISA.
CISA’s regional personnel then send notifications to organizations with these vulnerabilities. “CISA’s regional personnel have direct connections and relationships with critical infrastructure owners and operators,” says Rick Driggers, critical infrastructure cyber managing director at IT service management company Accenture Federal Services and former CISA assistant director for integrated operations. “The more they can be integrated into the agency’s broad cybersecurity mission the better.”
Critical infrastructure entities can email [email protected] to sign up for CISA’s Vulnerability Scanning Service to receive vulnerability notifications. Additionally, CISA will use open-source tools and data to notify organizations that are not enrolled in the scanning service.
These vulnerability notifications will serve as a useful resource for organizations. “Notifications will contain key information regarding the vulnerable system, such as the manufacturer and model of the device, the IP address in use, how CISA detected the vulnerability, and guidance on how the vulnerability should be mitigated,” according to CISA.
CISA has sent out the first round of RVWP notifications. It alerted 93 organizations running Microsoft Exchange Server instances still exposed to the “ProxyNotShell” vulnerabilities (CVE-2022-41040 and CVE-2022-41082, for which Microsoft shipped fixes in November 2022). CISA plans to scale the program further to cover more vulnerabilities and alert more critical infrastructure organizations.
“Organizations need all the help they can get. This new program mirrors a pretty effective program CISA has run for the federal government for years. While not perfect, it provides an ‘extra set of eyes’ looking for publicly exposed vulnerabilities and bringing them to the attention of system owners,” Barlet says.
The Continued Fight Against Ransomware
An RVWP notification can help organizations mitigate the risk of ransomware, but it is just an initial step in achieving that goal. “While CISA has a role to play, it is ultimately the responsibility of both the private and public companies, which maintain the critical infrastructure, to manage any vulnerabilities in their systems,” says Ben Stirling, global director of industrial control system (ICS) cybersecurity at safety and risk management advisory company ABS Group.
What can entities do if they receive a notification via the RVWP program? Barlet recommends signing up for the scanning service and designating a primary point of contact within the organization. “Upon notification, that PoC should quickly assess the notification to understand systems impacted, patch if possible, mitigate in other ways if patching isn’t possible (segment, limit public access, update OS if able, take offline if no longer needed, etc.), look for the same vulnerability in other systems that CISA may not have scanned, and then rescan looking for the same vulnerability to measure the effectiveness of the mitigations,” he says.
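The steps Barlet lists map naturally onto a small triage helper. The one below is an added illustration, not tooling from CISA or anything described in the article: the notification fields follow the list CISA gives (manufacturer, model, IP, detection method, guidance), while the vendor, model, version numbers, hostnames, IP addresses and the fixed-version lookup are all constructed. The point it demonstrates is that the notified IP is only the one host CISA could see from the outside; the same product and version usually exists elsewhere in the fleet, and a rescan should distinguish "still reachable from the internet" (what CISA would notify again) from "still unpatched but now segmented".

```python
"""Triage an RVWP-style notification against an internal asset inventory.

Everything here (vendor, model, versions, hosts, IPs, advisory data) is
constructed for illustration; it is not CISA's format or real product data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Notification:
    vuln_id: str        # hypothetical advisory identifier
    manufacturer: str
    model: str
    ip: str             # the single externally visible host CISA saw
    detected_by: str
    guidance: str


@dataclass
class Asset:
    hostname: str
    ip: str
    manufacturer: str
    model: str
    version: tuple      # (major, minor, build); compares lexicographically
    internet_exposed: bool
    still_needed: bool = True


# Constructed advisory lookup: (vendor, model, first fixed version).
FIXED_VERSION = {
    "VULN-EXAMPLE-1": ("ExampleVendor", "ControlGateway", (4, 2, 17)),
}

# Constructed inventory. Only gw-plant-a matches the notified IP; the others
# are the "same vulnerability in other systems" CISA could not have scanned.
INVENTORY = [
    Asset("gw-plant-a", "203.0.113.10", "ExampleVendor", "ControlGateway", (4, 2, 11), True),
    Asset("gw-plant-b", "10.20.0.5", "ExampleVendor", "ControlGateway", (4, 2, 11), False),
    Asset("gw-legacy", "203.0.113.11", "ExampleVendor", "ControlGateway", (3, 9, 0), True, still_needed=False),
    Asset("gw-patched", "203.0.113.12", "ExampleVendor", "ControlGateway", (4, 2, 17), True),
    Asset("hmi-1", "10.20.0.9", "OtherVendor", "HMI", (1, 0, 0), False),
]

NOTIFICATION = Notification(
    "VULN-EXAMPLE-1", "ExampleVendor", "ControlGateway", "203.0.113.10",
    "external vulnerability scan", "Upgrade to 4.2.17 or later; restrict internet access until then",
)


def is_affected(asset, vuln_id):
    """Affected if the product matches and the running version predates the fix."""
    vendor, model, fixed = FIXED_VERSION[vuln_id]
    return asset.manufacturer == vendor and asset.model == model and asset.version < fixed


def find_siblings(notification, inventory):
    """Expand from the one notified IP to every asset carrying the same flaw."""
    return [a for a in inventory if is_affected(a, notification.vuln_id)]


def recommend(asset, patch_available):
    """Mitigation ladder from the quoted guidance: decommission if no longer
    needed, patch if possible, otherwise cut public access or segment."""
    if not asset.still_needed:
        return "decommission"
    if patch_available:
        return "patch"
    if asset.internet_exposed:
        return "remove-public-access"
    return "segment"


def triage(notification, inventory, patch_available):
    return {a.hostname: recommend(a, patch_available) for a in find_siblings(notification, inventory)}


def rescan(inventory, vuln_id, snapshot):
    """Post-mitigation check. snapshot maps hostname -> (version, internet_exposed),
    or -> None for a host that was taken offline. Returns (still_exposed,
    still_vulnerable): the first is what an external scan would re-notify,
    the second is internal debt that segmentation merely hides."""
    still_exposed, still_vulnerable = [], []
    for a in inventory:
        if a.hostname in snapshot and snapshot[a.hostname] is None:
            continue  # decommissioned
        version, exposed = snapshot.get(a.hostname, (a.version, a.internet_exposed))
        probe = Asset(a.hostname, a.ip, a.manufacturer, a.model, version, exposed, a.still_needed)
        if is_affected(probe, vuln_id):
            still_vulnerable.append(a.hostname)
            if exposed:
                still_exposed.append(a.hostname)
    return still_exposed, still_vulnerable


if __name__ == "__main__":
    print("patch available:", triage(NOTIFICATION, INVENTORY, patch_available=True))
    print("no patch:       ", triage(NOTIFICATION, INVENTORY, patch_available=False))
    # Constructed follow-up state: plant-a patched, plant-b still old but
    # internal, legacy box taken offline.
    after = {"gw-plant-a": ((4, 2, 17), True), "gw-plant-b": ((4, 2, 11), False), "gw-legacy": None}
    print("rescan:         ", rescan(INVENTORY, "VULN-EXAMPLE-1", after))
```

Running it shows three affected gateways behind the one notified IP, and a rescan result that is empty on the external side while still naming the segmented internal host as outstanding work, which is the distinction worth carrying into the next notification cycle.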
Pete Lund, VP of products, OT security at critical infrastructure cybersecurity company OPSWAT, suggests critical infrastructure organizations also work with their vendors after receiving a vulnerability notification. “Organizations should work with the vendor or OEM to mitigate vulnerability while introducing minimal risk to the operational environment,” he says.
Cybersecurity is becoming more of a national priority as cyber threats continue to escalate. The Biden-Harris Administration released a National Cybersecurity Strategy in March 2023. Defending critical infrastructure is the first of the strategy’s five pillars for national cybersecurity.
Barlet hopes to see more national focus on cybersecurity. “More resources (people and tools and legislation with teeth) need to be made available to make cybersecurity a national priority. We need programs that encourage our best and brightest to join the cybersecurity battle,” he says.