Today the Cybersecurity and Infrastructure Security Agency (CISA) published a copy of the letter that I described last week. The letter informed facilities regulated under the Chemical Facilities Anti-Terrorism Standards (CFATS Program) about the Microsoft Exchange On-Premise Product Vulnerabilities. The letter was also sent to over 33,000 facilities that have submitted Top Screen notifications to the Infrastructure Security Compliance Division (the organization that runs the CFATS program) but were not designated as high-risk facilities.
In addition to providing links to the CISA alert about the vulnerabilities and two Microsoft advisories (here and here), the letter explained that:
“While CFATS facilities are not being required to implement heightened security measures under Risk-Based Performance Standard 14 of their security plans or under other CFATS authorities at this time, CISA may activate these requirements in the future.”
They then went on to explain:
“If any evidence of threat actor activity is found, CISA recommends you reach out to CISA [emphasis added] and submit an incident report via CISA’s Incident Reporting Form. When completing the form, indicate you are “critical infrastructure” and within the chemical sector. In the “Incident Description” section of the reporting form indicate you are regulated under CFATS and include your facility identification number.”
It is disappointing that CISA only recommends that CFATS covered facilities report compromise of their mail servers when it is widely known that such a compromise set the facilities up for further, nearly undetectable attacks. CISA should have taken the same steps that the Coast Guard did with the SolarWinds compromise; MISB 03-20 ordered MTSA facilities and vessels to report a security breach if they downloaded a trojanized SolarWinds Orion plug-in or they noted any system with a critical security function displaying any signs of compromise.