Only 49% of Critical Infrastructure Entities Acted on CISA Ransomware Vulnerability Warnings
In late 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) launched its Ransomware Vulnerability Warning Pilot (RVWP), under which it sends warnings to critical infrastructure entities when vulnerabilities are identified in their internet-facing devices. The program concentrates on vulnerabilities known to have been exploited by ransomware groups.
CISA scans internet-exposed devices for vulnerabilities that are already known to be exploited. When such a vulnerability is detected on an internet-accessible device, CISA proactively notifies the owning entity so that the vulnerability can be corrected before a ransomware group exploits it. The warning itself is only a notification: applying the patch, putting a compensating control in place, or taking the device offline remains the entity's responsibility. When the pilot commenced, many of the warnings concerned the ProxyNotShell vulnerabilities in Microsoft Exchange Server, which were being actively exploited by ransomware groups.
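The matching step described above, as an added example that is not CISA's code or part of the original article: external scan findings (host and matched CVE IDs) are joined against CISA's Known Exploited Vulnerabilities (KEV) feed, and each hit is flagged using the feed's `knownRansomwareCampaignUse` field and its remediation `dueDate`. The KEV excerpt and the scanner output are constructed; the field names follow the real KEV JSON schema, the two CVE IDs are the ProxyNotShell CVEs the article mentions, and the dates and flag values in the excerpt are assumptions for illustration rather than values copied from the catalog.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's Known Exploited Vulnerabilities (KEV) JSON feed.
# Field names match the real feed; the two entries are the ProxyNotShell CVEs named in the
# article, but the dates, descriptions and flag values here are assumptions, not copied
# from the catalog.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-41040", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server SSRF (ProxyNotShell)",
     "dateAdded": "2022-09-30", "dueDate": "2022-10-21",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2022-41082", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server RCE (ProxyNotShell)",
     "dateAdded": "2022-09-30", "dueDate": "2022-10-21",
     "knownRansomwareCampaignUse": "Known"},
]})

# Constructed scanner output: internet-facing host -> CVE IDs the external scan matched.
# "CVE-0000-0000" is a deliberate placeholder for a finding that is not in the KEV catalog.
SCAN_RESULTS = {
    "mail.example.org": ["CVE-2022-41040", "CVE-2022-41082"],
    "vpn.example.org": ["CVE-0000-0000"],
}


def load_kev(kev_json: str) -> dict[str, dict]:
    """Index a KEV feed by CVE ID so scanner findings can be joined against it."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def triage(scan_results: dict[str, list[str]], kev: dict[str, dict], today: date) -> list[dict]:
    """Keep only findings present in KEV, flag ransomware use, and order by urgency.

    Sort order: ransomware-associated CVEs first, then the most overdue against CISA's
    remediation due date (a negative days_overdue means the due date has not passed yet).
    """
    findings = []
    for host, cves in scan_results.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: deliberately dropped here, surfaced by unmatched()
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": host,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "days_overdue": (today - due).days,
            })
    findings.sort(key=lambda f: (not f["ransomware"], -f["days_overdue"], f["host"], f["cve"]))
    return findings


def unmatched(scan_results: dict[str, list[str]], kev: dict[str, dict]) -> list[tuple[str, str]]:
    """Findings the KEV join drops; worth a second look rather than a silent discard."""
    return sorted((h, c) for h, cves in scan_results.items() for c in cves if c not in kev)


def warning_line(f: dict) -> str:
    """One notification line per finding, in the spirit of an RVWP warning."""
    tag = "RANSOMWARE" if f["ransomware"] else "KEV"
    state = f"{f['days_overdue']} days past due" if f["days_overdue"] > 0 else "within due date"
    return f"[{tag}] {f['host']}: {f['cve']} in {f['product']} ({state})"


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for finding in triage(SCAN_RESULTS, kev, date(2022, 11, 1)):
        print(warning_line(finding))
    for host, cve in unmatched(SCAN_RESULTS, kev):
        print(f"[NOT IN KEV] {host}: {cve}")
```

The join is intentionally narrow: a CVE that is exploited in the wild but not yet in KEV is not flagged, which is why `unmatched()` reports the dropped findings separately instead of hiding them. In practice the scan results would come from an external scanner and the KEV feed from CISA's published JSON rather than from the constants above.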
According to Verizon's 2024 Data Breach Investigations Report (DBIR), there has been a 180% year-over-year increase in cyberattacks that used vulnerability exploitation for initial access. Ransomware groups are actively seeking vulnerabilities to exploit and are finding plenty of opportunities: 85% of critical vulnerabilities are unpatched 30 days after discovery, 47% are still unpatched after 60 days, 20% are still unpatched after 6 months, and 8% remain unpatched after a year.
Slow patching was also highlighted by CISA, which reports that of the 1,754 ransomware vulnerability warnings sent to critical infrastructure entities last year, only 852 (about 49%) were acted upon, with patches or compensating controls applied or the devices taken offline. The program has clearly had an impact, but there is still considerable room for improvement.
CISA did not disclose details of the sectors that were slowest to patch but did say that one-third of the warnings were sent to government facilities, one-quarter to healthcare and public health organizations, and one-third to entities in the energy, financial services, critical manufacturing, transportation, and IT sectors.
In industries such as healthcare and critical manufacturing, devices need to run around the clock, and patching is therefore problematic because systems must be temporarily taken offline while patches are applied. Given the number of attacks now being reported and the rise in vulnerability exploitation for initial access, it is more important than ever to schedule the downtime needed to apply patches, and, where a patch cannot be applied promptly, to put a compensating control in place, such as removing the vulnerable device from direct internet exposure until it can be patched.


