"CISA Program Warns Critical Infrastructure Organizations Vulnerable to Ransomware Attacks"
The US Cybersecurity and Infrastructure Security Agency (CISA) has recently launched a pilot program to warn critical infrastructure organizations if their systems contain vulnerabilities that may be exploited in ransomware attacks. The new Ransomware Vulnerability Warning Pilot (RVWP), which kicked off on January 30, is meant to help those organizations that might be unaware that a vulnerability targeted by ransomware groups is lurking in their networks. According to CISA, when such a security defect is identified, CISA's regional cybersecurity personnel notify the impacted entity via phone or email so that the issue can be resolved before it's exploited. CISA noted that the RVWP uses "existing authorities and technology" to proactively discover information systems affected by flaws known to be exploited in ransomware attacks. The agency stated that it accomplishes this work by leveraging its existing services, data sources, technologies, and authorities, including CISA's Cyber Hygiene Vulnerability Scanning service and the Administrative Subpoena Authority granted to CISA under Section 2209 of the Homeland Security Act of 2002. CISA stated that as per the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), critical infrastructure entities are required to report cyberattacks and ransom payments. CIRCIA also mandates that CISA proactively identifies systems vulnerable to ransomware attacks. CISA noted that the notifications sent to vulnerable entities will include details about the vulnerable system, including manufacturer and model, the IP address in use, how the vulnerability was detected, and guidance on how to address the issue. CISA stated that receiving a notification through CISA RVWP is not indicative of a compromise. However, it does indicate you are at risk, and the information system requires immediate remediation. CISA noted that the notified entities are not required to comply with the provided recommendations.