Critical Infrastructure Falls Short on Ransomware Readiness, Mitigation, Recovery -

When hit by a ransomware attack, how adept are critical infrastructure companies at identifying, fending off and recovering from a cyber hijack? Not so much, according to a 2021 study crafted by CyberRisk Alliance’s (CRA) business intelligence unit.

(Full disclosure: CyberRisk Alliance is the parent company of MSSP Alert and ChannelE2E.)

According to findings in CRA’s Cybersecurity in U.S. Critical Infrastructure report, less than 30 percent of critical infrastructure organizations have set a baseline reference to monitor for suspicious activity. And, fewer than one in four have the ability to enforce configuration policies on target systems with unpatched vulnerabilities.

The survey’s questions mapped to the U.S. Commerce Department’s National Institute of Standards and Technology five cybersecurity domains-- Identify, Protect, Detect, Respond, Recover-- a set of NIST cybersecurity framework guidelines and best practices to help organizations build and improve their cybersecurity posture.

Here are some of the study’s key findings (by percentage/input of respondents):

On identifying and protecting systems, assets, data, and capabilities from cyber attacks.

28% of organizations have established integrity baselines of files and systems to monitor for potentially suspicious changes.

24% can enforce configuration baseline/policies on target systems with unaddressed vulnerabilities.

On financial services’ and insurance firms’ progress to detect and respond to cyber events.

43% have implemented a formal crisis management program that includes internal stakeholders, legal teams, and enforcement agencies.

10% have no plans to create a crisis management program.

On ransomware recovery and backups.

40% of healthcare organizations have the full ability to back up their data and recover their backups based on priority.

45% can protect their backup files and ensure those backup files remain unaltered.

On top security gaps of companies in financial services and insurance, healthcare, chemical and critical manufacturing.

Identify & Protect:

Enforcing configuration baselines/policies on target machines across the enterprise with unresolved vulnerabilities.

Establishing integrity baselines of files and systems to monitor change activity.

Detect & Respond:

Implementing forensics and analytics capabilities to discover the source and effects of any destructive event on data and enable security teams to make necessary changes.

Implementing mitigation and containment capabilities to limit a destructive event’s effect on the enterprise.

Recovery:

Implementing a corruption testing capability to verify the last known good state and oversee restoration of data to that state.

Implementing methods for reviewing and auditing security and crisis management programs for effectiveness and improvement.

The survey spanned 380 security security professionals, including members of InfraGard, a nonprofit public-private partnership between U.S. businesses and the Federal Bureau of Investigation. Participants spanned the manufacturing, chemical, healthcare, and financial services sectors.

Managed detection and response (MDR) providers eSentire and Palo Alto Networks' Cortex XDR sponsored the work.