Monday, April 26, 2021

CFATS and Pulse Connect

It has been nearly a week since the DHS Cybersecurity and Infrastructure Security Agency (CISA) issued their Emergency Directive 21-03, “Mitigate Pulse Connect Secure Product Vulnerabilities”. As with all such emergency directive’s CISA’s authority to require compliance extends only to agencies of the Federal government. To date, there has been no public move by CISA to expand their Alert AA21-110A: Exploitation of Pulse Connect Secure Vulnerabilities by specifically reaching out to CFATS facilities in the same way that they did with the Microsoft® Exchange server vulnerabilities.

Earlier Incident

The importance of the letter that CISA sent to CFATS registrants and covered facilities in the last incident was found in its suggestion that:

“If any evidence of threat actor activity is found, CISA recommends you reach out to CISA [emphasis added] and submit an incident report via CISA’s Incident Reporting Form. When completing the form, indicate you are “critical infrastructure” and within the chemical sector. In the “Incident Description” section of the reporting form indicate you are regulated under CFATS and include your facility identification number.”

Those response would have allowed CISA to reach out directly to affected facilities and organizations as they updated their earlier emergency directive on March 11th and April 13th as new indicators of continuing compromise and additional mitigation measures became available.

Reach Out Again

Since CISA has repeatedly recommended that industrial control system owners and operators use VPNs like Pulse Connect when they find it necessary to remotely access their control systems, it seems to me that they have a special obligation to reach out to that community, especially that portion of the community affected by the CFATS program when a VPN is affected by vulnerabilities as egregious as these.

They may have already reached out to CFATS covered facilities and those other facilities that have submitted Top Screens as they did in the Microsoft incident. It took them five days that time to announce that they had reached out to those facilities. If they have, great. If they have not, then it is past time that they or the Office of Chemical Security should have made the notification.

Action Without Notification

Of course, non-federal facilities do not have to wait until they are specifically invited to review the CISA Alert and Emergency Directive. Once those were published, any facility, and particularly regulated facilities under either CFATS or MTSA security rules, were free to take the actions outlined in the Emergency Directive. If indicators of compromise are detected as a result, immediate regulatory notification should be made to OCS or the Coast Guard as appropriate. Just as important, however, would be to make notifications to CISA so as to ensure that as new information and mitigation measures become available, they would be sent to the affected organizations.

Expanding Outreach

When agencies of the federal government receive emergency directives like this, they should immediately consider sharing the information with entities in the private sector that they regulate if there is any reasonable chance that those entities could also be affected. This is especially true when the agency includes cybersecurity in their regulatory oversight of the entities. Perhaps, CISA ought to consider making that information sharing a requirement in their emergency directives just to make sure that there is as much information sharing as possible.

No comments:

/* Use this with templates/template-twocol.html */