Key takeaways from CISA’s new CPGs
Shamikkumar Dave
Lead Consultant @ Beacon Security | OT Security assessment and Advisory | ISA/IEC 62443 - SDLA, CSA Certification Advisory |
The Cybersecurity and Infrastructure Security Agency (CISA) has released new Cross-Sector Cybersecurity Performance Goals (CPGs): a baseline set of practices intended to help critical infrastructure owners and operators, especially small and medium-sized ones, strengthen their IT and OT environments against cyberattacks.
These CPGs are valuable guidance for organisations that lack the resources and skills to secure their critical infrastructure on their own.
Here are the key takeaways from the new release:
It is a stepping stone for NIST Cybersecurity Framework implementations
For organisations adopting cybersecurity best practices to better manage and reduce their cyber risk, the NIST Cybersecurity Framework (CSF) is one of the leading frameworks used across industries. However, small organisations with limited skills and resources may find it very difficult even to understand the whole framework.
CISA's new CPGs are effectively a lightweight subset of the NIST CSF, and a good starting point for putting basic cybersecurity practices in place. Each CPG has a clear Outcome, Scope, Recommended Action and the risk that the action addresses, along with a reference to the corresponding NIST CSF subcategory.
The CPGs also align closely with the widely used ISA/IEC 62443 standards, which should help the CPGs gain wider acceptance in OT environments.
Helping cyber-poor critical infrastructure
Much of the privately owned critical infrastructure has weak cybersecurity. These operators have a lot to lose if compromised, because a compromise can have serious consequences for society, yet their revenues are not strong. Because of that, even when they decide to, they cannot prioritise strengthening their cybersecurity.
Public utilities are particularly susceptible to attack: they take relatively little effort to compromise, and a successful attack lets the attacker create chaos in the community. Recent attacks on water treatment facilities highlighted both the vulnerabilities and the helplessness of the sector.
The CPGs, however, can help these industries significantly reduce their exposure to threats and strengthen their security practices quickly and cost-effectively.
OT cybersecurity is now in focus
Criminal and state-sponsored threat actors are increasingly targeting critical infrastructure to achieve financial or geopolitical objectives. There have been reports of state-sponsored attacks on critical infrastructure in Ukraine, including its national power grid.
Even though the risk to OT assets grows every day, the very long service life of OT systems and proprietary legacy vendor systems keep them exposed and vulnerable. CISA has specifically included OT-oriented goals and actions to bust the myth that OT assets are not vulnerable or that these practices do not apply to them.
Some of the highlights:
A future-oriented guideline
The CPGs may not be mandatory today, but as time progresses, more regulations are likely to be built upon them. Cyber insurers may also adopt these guidelines as one of their criteria, and underwriters can easily use them as a baseline for future cyber insurance policies.
As awareness grows, this guideline looks both achievable and necessary, so it is safe to assume that it will not remain just a piece of paper.
You can refer the official document for the guidelines from CISA here.