Global cybersecurity risk measurement standard is needed to build cyber-resilience and address critical infrastructure trust deficit, says SecurityScorecard. Recognising the persistent threat posed by ransomware attacks to organisations of all sizes, the Cybersecurity and Infrastructure Security Agency (CISA) has announced the establishment of its new pilot to actively warn critical infrastructure entities about such vulnerabilities.
SecurityScorecard, a global leader in cybersecurity ratings, recently announced the results of its report, Addressing the Trust Deficit In Critical Infrastructure, which revealed 48% of critical manufacturing organisations ranked ‘C’, ‘D’, or ‘F’ on SecurityScorecard’s security ratings platform. Published during the World Economic Forum (WEF) Annual Meeting, the report analysed the current state of cyber-resilience in the critical infrastructure sectors such as Energy, Chemical, Healthcare and others, as designated by the Cybersecurity and Infrastructure Security Agency (CISA). Organisations with an ‘A’ security rating are 7.7x less likely to sustain a breach than those with an ‘F’ rating.
“Security ratings are a trusted barometer of cyber-resilience and the time is now for policymakers and organisations to make cyber-risk measurement mandatory,” said Aleksandr Yampolskiy, Co-founder and CEO of SecurityScorecard. “Cyberattacks in the last 10 years have gotten much worse, more complex and increasingly have targeted critical infrastructure, thereby undermining the public’s trust in the cyber-resilience of our global economy.”
SecurityScorecard provides comprehensive security ratings, automated assessments and guidance from industry experts, delivered as patented, easy-to-understand A-F graded scorecards for improved communication, effective compliance reporting and more informed decision-making.
According to the World Economic Forum, only 19% of cyber leaders feel confident that their organisations are cyber-resilient. SecurityScorecard recently joined the World Economic Forum Global Innovators Community, contributing to WEF’s Centre for Cybersecurity’s initiative to address systemic challenges, improve trust and build cyber-resilience.
Critical manufacturing patching cadence falls amid escalating attack cadence
Cyber incidents affecting critical infrastructure, once comparatively rare, have become far more frequent in recent years as nation-states and their proxies escalate their pursuit of geopolitical objectives. Data from the Federal Bureau of Investigation showed that 14 of the 16 sectors considered critical infrastructure by the US Government experienced at least one ransomware attack in 2021.
SecurityScorecard assessed these industries to measure their current state of cyber-resilience. It found that critical manufacturing is highly vulnerable based on analysis of all organisations under that category in The Forbes Global 2000 list. SecurityScorecard considers 10 factors when developing an organisation’s security rating. Of those 10, the patching cadence ‘factor’ for critical manufacturing experienced a significant drop from 2021 to 2022, moving from 88 (B) to 76 (C).
High and medium-severity CVEs strain resources
The decline in patching is likely due to an increased volume of vulnerabilities. Critical manufacturing experienced a 38% year-over-year increase in high-severity vulnerabilities. In 2022 alone, 76% of critical manufacturing organisations had high- and medium-severity CVEs.
These CVEs may, in some cases, facilitate ransomware groups’ targeting of organisations in the sector. Manufacturers experienced an increase in malware infections from 2021 to 2022. In 2022, 37% of critical manufacturing organisations had malware infections.
“While investing in more technology might seem burdensome to resource-constrained critical infrastructure operators, the reality is that cybersecurity ratings technology is extremely cost-effective, especially when you consider the catastrophic cost of a breach is US$9.44 million on average for US organisations,” said Yampolskiy. “By leveraging security ratings, these organisations have a simple way to build resilience and make more informed decisions to strengthen their cyberdefences by confidently measuring risk and quantifying the trustworthiness of their partners, contractors, third- and fourth-party vendors and supply chains.”
Recognising the persistent threat posed by ransomware attacks to organisations of all sizes, the Cybersecurity and Infrastructure Security Agency (CISA) has announced the establishment of the Ransomware Vulnerability Warning Pilot (RVWP) as authorised by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. Through the RVWP, CISA will determine vulnerabilities commonly associated with known ransomware exploitation and warn critical infrastructure entities with those vulnerabilities, enabling mitigation before a ransomware incident occurs.
The RVWP will identify organisations with Internet-accessible vulnerabilities commonly associated with known ransomware actors by using existing services, data sources, technologies and authorities, including its free Cyber Hygiene Vulnerability Scanning service. Organisations interested in enrolling can email [email protected].
CISA recently initiated the RVWP by notifying 93 organisations identified as running instances of Microsoft Exchange Service with a vulnerability called ‘ProxyNotShell’, which has been widely exploited by ransomware actors. This initial round of notifications demonstrated the effectiveness of this model in enabling timely risk reduction as the RVWP is further scaled to additional vulnerabilities and organisations.
“Ransomware attacks continue to cause untenable levels of harm to organisations across the country, including target-rich, resource-poor entities like many school districts and hospitals,” said Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA. “The RVWP will allow CISA to provide timely and actionable information that will directly reduce the prevalence of damaging ransomware incidents affecting American organisations. We encourage every organisation to urgently mitigate vulnerabilities identified by this programme and adopt strong security measures consistent with the US Government’s guidance on StopRansomware.gov.”