CRITICAL INFRASTRUCTURE PROTECTION: Agencies Need to Enhance Oversight of Ransomware Practices and Assess Federal Support
SCALE
- the total value of U.S. ransomware-related incidents reached $886 million in 2021
- 870 critical infrastructure organizations were victims of ransomware in 2022, affecting 14 of the 16 critical infrastructure sectors
- half of ransomware attacks in 2022 affected four sectors: critical manufacturing, energy, healthcare and public health, and transportation systems
- those four sectors' adoption of leading practices to address ransomware is largely unknown
COMPLIANCE FOCUS
- National Defense Authorization Act
- Cyber Incident Reporting for Critical Infrastructure Act of 2022
- Homeland Security Act of 2002
- Cybersecurity Enhancement Act of 2014
- Presidential Policy Directive 21
- National Infrastructure Protection Plan of 2013
- National Cybersecurity Strategy of 2023
PERFORMANCE ASPECT
- impact of ransomware attacks on four critical infrastructure sectors
- cooperation between Sector Risk Management Agencies (SRMAs) and critical infrastructure sectors
The implementation (…) requires covered entities across critical infrastructure sectors to report “covered cyber incidents” to CISA [Cybersecurity and Infrastructure Security Agency] within 72 hours of reasonably believing that a “covered cyber incident” occurred, and to report ransom payments resulting from a ransomware attack within 24 hours of making payment. According to CISA, it is still developing the rules for such reporting and expects to issue the notice of proposed rulemaking in March 2024 and the final rules by September 2025. If implemented effectively, CISA’s reporting rules could help provide the federal government with more complete and comparable data on ransomware impacts on the nation’s critical infrastructure.
Officials from the critical manufacturing, energy, and transportation systems sectors identified several reasons for not tracking implementation of practices included in the NIST ransomware profile or other practices used to address ransomware. For example, six of the eight (…) stated that they were not familiar with the ransomware profile or did not identify it as one of the adopted sets of practices within the sector.
3. Responsibility - Scope
In addition, officials noted that they lacked mechanisms or resources for tracking implementation of the ransomware profile and the other cybersecurity practices they used, did not see measuring adoption as their role, or lacked the regulatory authority to collect such data.
4. Design - Outcome measures
The SRMAs have not fully assessed the effectiveness of their support to sectors in addressing ransomware. Specifically, three of the six selected SRMAs have evaluated aspects of their support, while the other three did not demonstrate any effort to evaluate their support.