On July 3rd the period for public comment closed for the U.S. Cybersecurity and Infrastructure Security Agency’s proposed Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) reporting rules announced earlier this year. CIRCIA’s enhanced reporting obligations have the potential to drive greater transparency, accountability and, ultimately, much-needed improvements in cyber readiness and resilience across all U.S. critical infrastructure sectors.
Below, I’ll discuss what CIRCIA means to organizations covered by these rules, the reason for its focus on critical infrastructure, and how organizations can prepare to meet its reporting requirements. I’ll also explore how breach and attack simulation (BAS) programs can help organizations not only comply with the rules, but also prepare for future threats and regulations with new simulation, incident response, and reporting capabilities.
What CIRCIA Demands
The rules require covered organizations to report ransomware payments to CISA within 24 hours and all covered cyber incidents within 72 hours. The rules apply to a broad array of entities across 16 critical infrastructure sectors as defined by CISA, including energy, water, transportation, healthcare, and financial services, among others.
CISA anticipates CIRCIA will affect more than 316,000 entities, result in around 210,525 reports and cost critical infrastructure providers an estimated $2.6 billion in rule familiarization, data and record preservation, and reporting expenses.
Why Critical Infrastructure
We have substantial evidence from governments and private sector threat researchers that nation-state threat actors are attempting to compromise and pre-position cyber-attack infrastructure within U.S. and allied critical infrastructure systems.
The Volt Typhoon revelations of the last several months have helped expose the extent of these efforts. They also highlight that 85% of U.S. critical infrastructure is run by private sector organizations.
Any nation-wide effort to detect, contain, and recover from cyber attacks on U.S. critical infrastructure would require speed in situational awareness and greater visibility into the nature and scope of an adversary’s offensive cyber operations.
Without visibility into cyber incidents across critical infrastructure sectors, it will be very difficult for the government, private sector operators, and the threat research community to understand and pre-empt future attacks, let alone coordinate effective responses to minimize impact during major incidents.
What CIRCIA Means for CISOs
Every new rule, requirement and guideline initially tends to pose more questions than clarity. Fortunately, the CIRCIA draft rules will likely answer many CISOs’ questions around definitions, compliance requirements, and potential costs associated with them. The comprehensive nature of the rules demonstrates how serious the U.S. government is about the information sharing required to protect these systems. It also acknowledges previous private-sector concerns around reporting definitions, confidentiality, and accountability.
CISA acknowledged incident reporting concerns raised by the SEC reporting mandates of 2023. In areas such as the confidentiality of shared cyber attack information, CISA commits to only releasing such information as anonymized, aggregated data within quarterly reports. The agency states it will not consider information shared in good faith early in a cyber incident as false or misleading if subsequent information shows initial disclosures were inaccurate. CISA even commits to working with other agencies to harmonize all U.S federal incident reporting requirements, hopefully making the CISO’s already difficult role of complying with them somewhat easier.
As a former CISO myself, I understand the concerns that 72 hours may not provide many organizations adequate time to fully comprehend the nature, extent and potential impact of an incident in their environment. But such rules will force the discipline necessary for CISOs to implement a more proactive approach to security that is focused on developing a continuous understanding of the efficacy of their security tools and their vulnerability to security events, which in turn will allow them to take action faster and engage government partners in a more timely manner.
Increased reporting will likely enable CISOs to better prepare for cyber attacks through attack simulations trained on a much larger body of threat intelligence. Those essential preparations cannot be effective if information sharing fails to provide threat data specific to their critical infrastructure sectors and specific functions within those sectors.
How to Prepare for CIRCIA Reporting (and the Future)
To prepare for the reporting to come, CISOs must engage with legal, risk-management, and security teams to understand CIRCIA’s requirements, assess their cybersecurity postures, and implement robust detection, simulation and reporting mechanisms.
While CIRCIA poses a tremendous opportunity to operationalize intelligence in their defense, forward-looking operators will also take the initiative to implement solutions and processes that prepare them for greater scrutiny of their cyber readiness from regulators and cyber insurance auditors.
Industries such as the defense industrial base, healthcare, nuclear power, financial institutions, and electric power face higher minimum standards for required cyber defenses and practices. In some circumstances, operators are even required to detail incident response and recovery plans and produce posture assessments. Other critical infrastructure provider sectors are not required to present such plans to operate, but will increasingly be required to produce such plans and assessments for auditors.
How Breach & Attack Simulation Can Help
Breach and attack simulation (BAS) solutions can play an important role in helping critical infrastructure organizations prepare for and comply with these rules, as well as prepare for future assessments and audits. BAS solutions are designed to safely and continuously run real-world attacks—based on the tactics, techniques and procedures (TTPs) used by cyber adversaries—against an organization’s production applications and infrastructure to validate how their security controls are performing and identify gaps before attackers do.
At its core, BAS is about applying the cyber incident experiences of organizations to the defense of other organizations. It can be used to develop cyber risk mitigation and incident response plans that strengthen defenses and better prepare organizations to fend off future attacks. Both capabilities can benefit from sector information and help produce cyber-readiness reports for executive teams, insurers, and regulators.
Testing defenses with sector- & function-specific threats
To prepare themselves for future attacks, organizations can utilize BAS to simulate real-world attacks against their security ecosystem, recreating attack scenarios specific to their critical infrastructure sector and function within that sector, including specific TTPs.
The most effective BAS solutions are continuously and quickly updated with new cyber threat information, including incorporating the latest content from US-CERT and FBI Flash alerts. Attack simulations must also be informed by a broad base of industry research findings, making integration between BAS platforms and external threat intelligence networks essential.
A notable example can be found in the recent US-CERT alert around the indicators of compromise (IOCs) and TTPs for Akira Ransomware that were disclosed by the US FBI, CISA, Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL). The disclosure was based on research from the FBI, as well as an industry threat research partner.
Evidence suggests Akira has been targeting a wide range of businesses and critical infrastructure entities since March 2023 across North America, Europe, and Australia. During the initial attacks, threat actors leveraging Akira ransomware targeted Windows-only systems. However, in April 2023, they began targeting VMware ESXi virtual machines through a new Linux variant. It is believed that as of the beginning of this year, the Akira ransomware group successfully impacted over 250 organizations and extorted nearly $42 million USD from its victims.
BAS enables organizations with a similar profile to the victims of Akira Ransomware to implement information from such disclosures within their simulations and, in doing so, regularly validate their security controls—at scale and in a production environment—to ensure optimal performance against this and other new and evolving cyber threats.
Understanding exposure & developing mitigation responses
As simulations proceed, CISOs will be best served by utilizing BAS platforms that can not only create highly customized attacks, but also integrate into their solutions to inform their mitigation priorities and develop defensive strategies against the most novel of attack vectors.
For instance, a global financial services firm recently used BAS to validate the end-to-end efficacy of its security tools, alert and detection systems, and incident response workflows. They utilized simulations that included both known attacks and attacks customized to the organization’s specific architecture and industry. They also integrated both their ticketing system and security information and event management (SIEM) system with the BAS platform to determine whether their detection mechanisms and alert notifications were operational, effective, and capable of identifying and responding to specific security events.
The organization found that notifications around potential malicious activity often were not delivered to incident responders. In fact, many were being delayed for hours due to the complex pipeline of technologies the alerts were required to traverse. This created a critical time gap that real malicious actors could have exploited.
Given these revelations, the organization has made critical adjustments to its alert pipeline and now plans to expand the scope of these BAS-enabled health checks beyond endpoint alerts to cover a broader range of event types, such as web application firewall and email scenarios.
Such improvements begin with providing SOC teams with a clear understanding of how security controls detect, prevent, and mitigate attacks across the entire cyber kill chain. Teams should be able to leverage the MITRE ATT&CK framework to understand overall organizational risk exposure, and even visualize attack paths and explore alternative mitigation approaches. Such incident response plans have and will continue to become more relevant in the regulatory regimes and cyber insurance audits in the years to come.
Plan, measure & report progress
BAS platforms can enhance visibility when they incorporate customizable dashboards and reports to help stakeholders quickly understand existing security gaps, evaluate risks, and recognize security drift. Reports can also provide important security posture assessments that allow CISOs to measure their baseline, track improvement over time, and align security program reporting, KPIs, and investments with business goals.
These priorities require BAS platforms that are able to identify risk exposure with security scores, establish benchmarks against which improvement is measured, and help effectively communicate progress over time through personalized reports that define investment priorities.
Benchmarking, specifically, can be particularly useful where it allows organizations to compare their security posture to that of similar organizations within their industry. When given access to this type of information, organizations can evaluate their performance across different security control categories via side-by-side comparisons of blocked percentage scores and proactively identify areas for improvement to bring them more in line with industry standard performance. By communicating score differences compared to peers, key stakeholders are better able to make informed decisions about which cyber defenses must be prioritized for focus and investment.
Recover quickly with confidence
Finally, if an attack does occur, BAS frameworks can assist organizations not only in reporting the details of the incident, but they can also be transformative in identifying weaknesses that may have contributed, providing remediation advice, and retesting the resilience of the environment to ensure any gaps are closed.
Rising Waves of Accountability
CIRCIA should be understood within the context of the rising waves of government regulation, growing legal liabilities, and insurance costs commensurate with the scale and seriousness of today’s nation-state cyber threats to our critical infrastructure. These waves are inevitable given the stakes, and we should expect a continued drive toward greater public-private sector coordination in threat landscape awareness and cyber preparedness.
Ultimately, no organization can effectively prepare for future cyber attacks if it lacks an understanding of the threats specific to its sector and potential implications to its business. In this regard, the CIRCIA rules could prove an important step in opening a floodgate of shared security-controls-efficiency data specific to critical infrastructure providers and the life-supporting systems they operate.
This development, when combined with a comprehensive BAS program, will empower organizations to achieve their objectives of becoming more proactive in cyber defense, more efficient in risk reduction, and better informed to report on such matters to their executive teams and boards.
About the Author
Guy Bejerano, CEO, SafeBreach. Guy Bejerano has over 30 years of security leadership experience. He began his career as an Information Security Officer in the Israeli Air Force, where he oversaw security ops and red team efforts. He then continued his career in the private sector, where he defined and executed security strategies as CISO for several global, public companies. In 2014, Guy co-founded SafeBreach, where he currently serves as CEO.
Guy can be reached online at [email protected], https://www.linkedin.com/in/guy-bejerano-3a6524/, and at our company website https://www.safebreach.com/
