CISA is requesting input on a new proposed rule that introduces a requirement for critical infrastructure organizations to report substantial cyber incidents and ransomware payments within specific timelines. The rule was called for in the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) that was signed into law in 2022. According to CISA, the intent of the rule is to promote the protection of U.S. critical infrastructure from cyber adversaries through greater visibility into incidents in near real-time.
The key requirements are that the covered incidents must be reported within 72 hours and ransomware payments within 24 hours. CISA puts forward examples of substantial incidents including:
- Any cyber incident that encrypts one of a covered entity’s core business systems or information systems.
- A cyber incident that significantly increases the potential for a release of a hazardous material used in chemical manufacturing or water purification.
- A ransomware attack that locks a covered entity out of its industrial control system.
CISA also lists examples of incidents that would NOT be considered substantial including:
- Cyber incidents that result in minor disruptions, such as short-term unavailability of a business system or a temporary need to reroute network traffic.
- A malicious actor exploits a known vulnerability, which a covered entity has not been able to patch but has instead deployed increased monitoring for TTPs associated with its exploitation, resulting in the activity being quickly detected and remediated before significant additional activity is undertaken.
Although the primary goal of the rule is to enhance resilience of the nation’s critical infrastructure, CISA has a spectrum of enforcement mechanisms including request for information (RFI), issuing a subpoena for information, referring the matter to the Attorney General for possible enforcement and potential acquisition-related penalties, such as suspension and debarment.
CISA has defined 16 critical infrastructure sectors that are considered to be vital to the United States. Many manufacturing organizations may fall under the critical infrastructure sectors, e.g. Chemical, Critical Manufacturing, Defense Industrial Base and Food and Agricultural Sectors that would be required to comply with the proposed rule. SBA defined small businesses of 100 to 1500 employees (depending on the industry) that are proposed to be exempt to the rule–however, even small businesses may be covered under certain elevated criteria under the proposed rule.
The proposed rule has some overlap with the SEC cybersecurity rules. The SEC rules, introduced in 2023, require public companies to report material cybersecurity incidents within four days of a materiality determination. The incidents are reported publicly using a Form 8-K and the cybersecurity industry has followed how the 8-K filings have evolved. CISA’s proposed rule, however, requires incidents to only be reported confidentially to CISA, but that agency may further share the information with the pertinent federal agencies or do aggregate level reporting. Reports are proposed to be submitted through a web-based portal.
Generally speaking, the proposed rule is motivated by the increased cyber threat activity targeting critical infrastructure. According to the 2023 Unit 42 Network Threat Trends Research Report, the threat activity the OT/ICS industries faced grew 238% YoY. Manufacturers have been particularly hard-hit with 78% responding to a survey for the 2024 State of OT Security Report that they had experienced a cyber-attack in the past year. The industry even observed damage caused by hacktivism with CyberAv3ngers campaign against Unitronics controllers. CISA’s increased visibility to threat activity could enable it to more effectively detect adversarial cyber campaigns and facilitate response on the sector, industry and national levels, with the potential to support individually impacted organizations.
While the full impact of the proposed CIRCIA rule remains to be seen, it will be an additional reporting requirement for many organizations already subject to the SEC cyber reporting rules. But the manufacturing industry also includes a significant number of smaller, non-publicly traded organizations–which have not previously been subject to cyber incident reporting requirements. According to the National Association of Manufacturers, 74% of manufacturing organizations employ less than 20 people. While small businesses are generally exempt from the CIRCIA rule, there will be a subset of small companies that are privately owned but will be subject to the proposed rule under certain criteria, due to the nature and sensitivity of their products or services. The proposed rule will mostly be a net new requirement for these organizations. Some manufacturing organizations may already be subject to other sector-specific or geographically-based rules including CFATS (Chemical Industry), UNECE (Automotive), SEMI (Semiconductor), FDA (Food and Pharmaceuticals), NIS 2 (EU focused) and others.
The public will have until July 3, 2024 to provide comments on the proposed rule and it is expected to be finalized by late 2025.
What capabilities will be key for manufacturers looking to implement the proposed rule?
Visibility to the full infrastructure across the enterprise and cloud will be critical to be able to consistently detect malicious activity. In particular, stability of Operational Technology (OT) environments within the plants is paramount for manufacturers’ ability to produce critical goods and it is important to establish full visibility to these environments.
Endpoint security is one of the most important defenses to detect and prevent ransomware and phishing attacks. Endpoints are one of the most common initial entry vectors for successful ransomware attacks. Manufacturers are the most targeted industry segment by ransomware gangs according to the Unit 42 Ransomware and Extortion Report 2023.
SOC automation is in a key role to reduce mean-time-to-detect (MTTD) and mean-time-to- resolve (MTTR). The industry average to remediate a cyber attack is currently six days. The latest trend for threat actors to advance to the exfiltration stage is hours, whereas earlier measured in weeks. [Source: Unit 42 Engagement Experience]. It is highly advantageous for organizations to drive towards shortened investigation and response times. This has the compounded benefit of identifying incidents sooner and hopefully preventing them from rising to a reportable “substantial” incident and understanding impacts earlier to accurately determine if an incident is required to be reported under the CIRCIA rule. Augmenting SOC teams with AI-powered automation capabilities is key to reducing MTTD and MTTR. Palo Alto Networks has reduced its MTTD in its SOC to just 10 seconds. The company has also made changes for MTTR so that high priority alerts are now addressed within one minute.
Incident response services can help augment the organization’s own resources in an incident situation where the resource need may temporarily exceed the organization’s capacity. Setting up an incident response retainer ahead of time ensures the availability of the needed resources. The CIRCIA rule does not limit organizations from leveraging third party resources as part of their security processes.
Attack surface management is important for keeping track of an organization’s exposed assets to direct prioritization of defenses and patching. Exploiting publicly exposed vulnerabilities is another key entry vector for ransomware attacks. Specifically, cloud environments are prone to misconfigurations that can expose workloads like ERP, MES or historians which many manufacturers are at least partially migrating to the cloud.
While there is always a certain amount of adjustment required in the face of new standards and regulations, the proposed CIRCIA rule has the potential to generate a step-level change in responsiveness to threat activity. This could enable US critical infrastructure to be more agile and resilient in the face of adversarial cyber campaigns. A good place to start would be to review the strategic defense-in-depth recommendations in the OT Security Insights Secure OT-IT Convergence to Keep the Production Lines Working white paper.