
CyberHuntsville Update: CISA Issues “Shields Up” Advisory to DIB Companies

With rising geopolitical tensions in Eastern Europe, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has recently issued a “shields up” advisory. This advisory includes the Defense Industrial Base (DIB), which is one of 16 official U.S. critical infrastructure sectors.

Over the past year, cyber incidents have negatively impacted many organizations here in the United States. These organizations are of varying sizes and range across multiple sectors of the economy. 

No single business entity is immune to the risk of cyber threats. These threats can range from minor inconveniences to significant disruptions of essential services, and those disruptions can carry a major impact on public safety.

In the last decade, the Russian Government has increased its use of cyber as a part of strengthening its power objectives.

Disabling or, even worse, destroying critical infrastructure such as a country’s power supply and communications systems, which are particularly vital, can generate fear and panic, placing additional strain on a country’s government, military, and general population.

Currently, there are no tangible threats to the U.S. homeland. However, it is important for organizations to be aware that the potential exists. It would not be a stretch for the Russian government to escalate its destabilizing tactics in ways that might impact others well outside Ukraine’s borders.

Because of the current situation, CISA has been working closely with critical infrastructure partners over the past several months to ensure awareness of potential threats. 

CISA recommends that all organizations implement a heightened posture when it comes to minimizing the likelihood of cyber intrusion. Many of these strategies are reviewed each year in mandatory government agency-based cyber security training. The information below may merely serve as a refresher to some, but it could be very important new information to others.

First off, it’s very important to have multi-factor authentication for all remote access to the organization’s network, as well as privileged or administrative access. Prioritizing software and system updates to mitigate known exploited vulnerabilities identified by CISA is essential.

The organization’s IT personnel need to ensure that all non-essential ports and protocols have been disabled. If an organization relies on cloud-based services, it is important that its IT personnel have reviewed and implemented strong controls, as outlined in CISA’s guidance.

It is also vital that an organization’s cybersecurity/IT personnel are focused on quickly identifying and assessing any unexpected or unusual network behavior.

It should be confirmed that the organization’s entire network is protected by antivirus/anti-malware software and that the signatures in these tools are updated.

If an organization is working with Ukrainian organizations, it should take extra care to monitor, inspect, and isolate traffic from those organizations, as well as closely review access controls for that traffic.

To prepare for a potential intrusion, an organization should designate a crisis-response team with main points of contact for a suspected cybersecurity incident and roles/responsibilities within the organization, including technology, communications, legal and business continuity.

Other suggested actions include assuring the availability of key personnel and identifying means to provide surge support for responding to an incident. To ensure that all participants understand their roles during an incident, a tabletop exercise is advised.

To maximize the organization’s resilience to a destructive cyber incident, test backup procedures to ensure that critical data can be rapidly restored. It is also important that backups are isolated from network connections.

If using industrial control systems or operational technology, routinely conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable.

While recent cyber incidents have not been attributed to any one specific organization or government, CISA urges cybersecurity/IT personnel at all organizations to review “Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure.” CISA also recommends organizations visit StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts.

As the nation’s cyber defense agency, CISA is available to help organizations improve cybersecurity and resilience, including through cybersecurity experts assigned across the country. Organizations should report incidents and anomalous activity to CISA and/or the FBI via the local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Additionally, CISA strongly advises that business entities report cyber incidents. DFARS 252.204-7012 stipulates a contractor’s requirement to rapidly report cyber incidents impacting Covered Defense Information (CDI) and/or the ability to perform operationally critical support within 72 hours of discovery to https://dibnet.dod.mil. For additional assistance, refer to the following three organizations:

  • DoD Cyber Crime Center’s (DC3) DoD-Defense Industrial Base Collaboration Information Sharing Environment (DCISE) – www.dc3.mil; DC3.DCISE@us.af.mil; 24/7 Hotline – 1-877-838-2174
  • National Security Agency’s Cybersecurity Collaboration Center (CCC): https://www.nsa.gov/About/Cybersecurity-Collaboration-Center
  • National Defense Information Sharing and Analysis Center (ND-ISAC). ND-ISAC is a private sector self-organized and self-governing entity. It also is a trusted partner providing exceptional technical solutions and support to its members. Email: Info@NDISAC.org to contact the team or see ND-ISAC’s public-facing website at: www.ndisac.org.

For more information, go to: www.cisa.gov/shields-up
