CISA Reflects on Past Year, Upcoming Critical Infrastructure Security Priorities

January 17, 2023 - The Cybersecurity and Infrastructure Security Agency (CISA) released its 2022 Year in Review, in which the agency reflected on what it accomplished in 2022 and what it hopes to achieve in 2023.

The four-year-old agency was established to lead the United States’ efforts to protect its 16 critical infrastructure sectors from relentless cyber threats through public-private partnerships as well as the creation of useful cyber resources and tools.

“Protecting our nation’s critical infrastructure is foundational to our national security. That critical infrastructure includes everything from healthcare, water, and education to chemical, transportation systems, telecommunications, energy, and much more,” the Year in Review document stated.

“And it’s under constant risk from a wide array of threats. That makes CISA’s work to understand, manage, and reduce risk to the cyber and physical infrastructure that Americas rely on every hour of every day so important.”

CISA Reflects on 2022

“Over the course of FY22, we accomplished much to advance our vision of secure and resilience infrastructure, while laying the groundwork for ever deeper and increasingly substantial efforts in the coming years,” CISA noted.

READ MORE: CISA, FBI Alert Healthcare Sector of Cuba Ransomware Tactics

For example, in 2022, CISA issued new Cybersecurity Performance Goals (CPGs) with the goal of establishing a set of cybersecurity best practices that could be applied across critical infrastructure. The CPGs placed an emphasis on helping small and mid-sized organizations and can aid organizations in their efforts to improve Information Technology (IT) and Operational Technology (OT) security.

Also in 2022, CISA took part in 713 Coordinated Vulnerability Disclosure (CVD) cases and issued 416 vulnerability advisories. As previously reported, vulnerability disclosures are crucial to maintaining cybersecurity, particularly in the healthcare sector when it comes to medical devices.

CISA also triaged 37,875 cyber incident reports in 2022 and acted on 2,609 incidents that required the agency’s assistance.

CISA also highlighted the first year of the Joint Cybersecurity Defense Collaborative’s (JCDC) existence, which was established in 2021 to promote collaboration between public and private sector organizations and government partners. In April, CISA announced that it would expand the JCDC to include industrial control systems (ICS) and operational technology (OT) experts, looping in experts from companies such as Claroty, Siemens, GE, Honeywell, and Bechtel.

The President and Congress also recently enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which addressed the importance of reporting cyber incidents in a timely manner.

READ MORE: HHS, FBI, CISA Warn Healthcare of Ongoing Hive Ransomware Threats

“As required by CIRCIA, CISA has started to develop regulations requiring covered entities to report covered cyber incidents and related ransom payments to CISA,” the agency stated.

CISA also highlighted its initiative aimed at maintaining secure elections and its focus on ensuring the security of K-12 schools.

Looking Ahead

As cyber threats continue to impact the healthcare sector at alarming rates, guidance from government agencies like CISA as well as industry coalitions are becoming increasingly crucial to ensuring that organizations of all sizes and resource levels can effectively manage risk.

At Mandiant’s mWISE conference in Washington, DC in October, CISA Director Jen Easterly announced that healthcare cybersecurity would be an upcoming focus area for CISA in 2023, alongside K-12 education and water.

Specifically, Easterly said the agency would narrow in on “target-rich, resource-poor entities” such as nonprofit hospitals, small water facilities, and K-12 school districts.

READ MORE: CISA: 3 Steps to Improve Cybersecurity Vulnerability Management

“All of those things are part of critical infrastructure, but they don't have large security teams,” Easterly stated at the time.

“They're not investing millions and billions of dollars like some in finance and energy are. And so, we have to figure out how to connect all of these entities together in a way that we can get information out that is useful to them, that is tailored to their ability to understand it and absorb it, and then to drive down risks to all of our national critical functions.”

Healthcare cybersecurity remains a pain point across the sector, but an influx of free resources, industry partnerships, and increased collaboration are all contributing to greater cyber awareness and prioritization throughout the industry. The healthcare sector can likely expect additional government guidance in the coming year.

“As one of the youngest agencies in the federal government, we’ve grown significantly each year in capability and capacity, collaborating with our myriad of partners to reduce risk to the cyber and physical infrastructure American’s rely on every hour of every day,” Easterly stated in a press release accompanying CISA’s Year in Review publication.

“2022 has been an especially productive year for our team and our partnerships and we look forward to continuing this momentum into 2023.”