Federal agency offers cybersecurity aid to businesses

Aug. 30, 2022
The Cybersecurity & Infrastructure Security Agency (CISA) provides a range of free services, tools and advice to help protect critical assets.

By Bruce Geiselman 

The Cybersecurity & Infrastructure Security Agency (CISA) is a federal agency that works with government and private-sector partners on reducing cybersecurity risks.

As tensions mounted early this year between Russia and Ukraine, CISA launched its Shields Up campaign to help protect individuals and organizations, including manufacturers, from cyber intrusions, especially from Russia.

“Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks,” according to a recent message posted on the CISA website. “Every organization — large and small — must be prepared to respond to disruptive cyber incidents. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyberattacks.”

CISA has issued guidance recommending all organizations, regardless of size, “adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.” To assist companies, including plastics processors, in meeting the challenging demands of adopting security improvements, CISA offers a variety of free cybersecurity services and tools.

“The services include multiple things,” said Alex Reniers, chief of the industrial control systems section with CISA. “For instance, we have our assessment services that do a wide variety of vulnerability scanning and remote penetration. We have folks that do assessments where they’ll go out to the team, they’ll work directly with an owner and operator and sit there for about two or three days. They’ll go over network diagrams. They’ll go over software and hardware inventories. They’ll go over their configurations, how they might be vulnerable, and they’ll look at service network diagrams and will do walkthroughs with them.”

One of the major issues CISA looks for is whether a company’s IT environment is directly connected to its operational technology [OT] environment, where critical processes are. CISA can also work with an owner/operator to study network traffic to see if they can spot anything they shouldn’t be seeing.

“If an owner/operator believes that they’re identifying anomalous behavior on their network, they might reach out to us and request assistance,” Reniers said. “Maybe it is something we can handle with just a couple of phone calls, but if it seems to be something a bit more malicious, maybe we deploy a team there to work with them.”

While CISA can help private companies with cybersecurity issues, the agency has limited resources, and businesses should have their own incident response plan in place so they are ready to respond to any cybersecurity issues.

“All owner/operators should have an incident response plan because it is very likely at some point your organization will have some form of an incident, whether it be minor or major, and you should have a plan in place to react to it,” Reniers said. “I would caution that your incident response plan should not be, ‘we’ll call the government.’ That is not a very solid approach. It’s certainly not because we don’t want to be a part of your response; we want to help you, but we are just as resource-strapped as other organizations.”

Among the agency’s recommendations for organizations:

  • Require multifactor authentication to ensure that only authorized users gain remote access to an organization’s computer network.
  • Ensure all software is up to date with priority given to updates that address known exploited vulnerabilities identified by CISA.
  • Disable all ports and protocols that are not essential for business purposes.
  • Strengthen security configurations to defend against attackers targeting cloud services.
  • Sign up for CISA’s free cyber hygiene services, including vulnerability scanning, to reduce exposure to threats.

CISA also recommends that organizations’ cybersecurity or IT personnel focus on quickly identifying any unusual network behavior, in part by enabling logging to better identify and investigate unusual activities. They should ensure that networks are protected by up-to-date antivirus and antimalware software. Companies working with Ukrainian organizations should take extra care to monitor, inspect and isolate traffic from those organizations, according to CISA’s website.

Organizations should plan for a possible intrusion by designating a crisis-response team with team members having clearly defined roles and responsibilities. CISA also recommends conducting a tabletop exercise to ensure all participants understand their roles during an incident.

Organizations should ensure they are regularly backing up data and testing backups to ensure critical data can be rapidly restored in the event of a ransomware or destructive cyberattack and that backups are isolated from network connections.

As an additional precaution, manufacturers using industrial control systems or operational technology networks should conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or data cannot be trusted.

CISA also has prepared a ransomware response checklist and a ransomware guide to help companies respond to ransomware attacks. Among those recommendations: determining which systems were impacted and isolating them, powering them down to avoid further spread of the infection if necessary; engaging internal and external teams and stakeholders to help in understanding, mitigating and recovering from the attack; and consulting with federal law enforcement regarding possible decryptors that are available for some ransomware variants.

CISA offers workshops and online training sessions for organizations; the sessions also offer networking and information-sharing opportunities.

CISA issues cybersecurity alerts and advisories on its website, some of which are device specific.

Reniers encouraged business owners and operators to reach out to CISA’s regional offices with questions or if seeking advice.

“We would really push you to develop a relationship with our regional staff,” Reniers said. “We have PSAs [protective security advisors] and CSAs [cybersecurity advisors] and regional analysts all over the country. That’s a great way to put a face to the name of CISA. It’s not just CISA in Arlington, Va., in the Washington, D.C., area; we have staff out in the regions.”

It’s a great way to build a relationship with the government agency so that if something happens, or if cybersecurity information is needed, a business will immediately know who to call, he said.

Among the more commonly known tools on the CISA website is what it calls the CSET or cybersecurity evaluation tool.

“This is a great tool,” Reniers said. “It’s downloadable, free, open source. It’s a great way for organizations to do an assessment of their environment.”

The software “guides asset owners and operators through a step-by-step process to evaluate industrial control system (ICS) and information technology (IT) network security practices,” according to the CISA website. “Users can evaluate their own cybersecurity stance using many recognized government and industry standards and recommendations.”

Malcolm is another popular open-source software tool available through CISA for analysis of network traffic. “Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs,” according to CISA’s entry on the GitHub website.

“The biggest takeaway is to do something,” Reniers said. Companies need to adopt a cybersecurity plan before a cybersecurity incident occurs, he said.

Bruce Geiselman, senior staff reporter


Contact information:

Cybersecurity & Infrastructure Security Agency, Arlington, Va., 888-282-0870, www.cisa.gov

About the Author

Bruce Geiselman

Senior Staff Reporter Bruce Geiselman covers extrusion, blow molding, additive manufacturing, automation and end markets including automotive and packaging. He also writes features, including In Other Words and Problem Solved, for Plastics Machinery & Manufacturing, Plastics Recycling and The Journal of Blow Molding. He has extensive experience in daily and magazine journalism.