CISA Launches Pilot Program to Help Critical Infrastructure Manage Cybersecurity Vulnerabilities

March 16, 2023 - The Cybersecurity and Infrastructure Security Agency (CISA) launched its Ransomware Vulnerability Warning Pilot (RVWP) with the goal of helping critical infrastructure entities remain aware of and mitigate risks associated with cybersecurity vulnerabilities.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which was signed into law in March 2022, specifically required CISA to establish the RVWP.

“Organizations across all sectors and of all sizes are too frequently impacted by damaging ransomware incidents. Many of these incidents are perpetrated by ransomware threat actors using known vulnerabilities,” CISA noted.

“By urgently fixing these vulnerabilities, organizations can significantly reduce their likelihood of experiencing a ransomware event.”

Ransomware groups have been known to target known vulnerabilities to exploit their victims. But in order to take steps to patch and mitigate these vulnerabilities, critical infrastructure owners and operators must be aware of their existence.  

Through the RVWP, CISA aims to proactively identify critical infrastructure information systems that contain vulnerabilities. In doing so, CISA can alert system owners to these known vulnerabilities, ideally allowing the owners to take steps to shut down potential attack vectors and prevent ransomware attacks.

CISA will leverage its Cyber Hygiene Vulnerability Scanning service (which it offers to federal, state, local, tribal and territorial governments, and public and private sector critical infrastructure organizations at no cost) as well as its Administrative Subpoena Authority to support the pilot.

After discovering a vulnerable systems, CISA regional staff members will notify system owners by phone or email.

“Notifications will contain key information regarding the vulnerable system, such as the manufacturer and model of the device, the IP address in use, how CISA detected the vulnerability, and guidance on how the vulnerability should be mitigated,” CISA stated.

Entities that receive a notification from CISA are not required to use any of CISA’s recommendations, nor does a notification mean that their systems have been compromised. Rather, the notification can serve as a warning about potential system vulnerabilities and may help organizations mitigate cyber risk.