It should come as no surprise that our nation’s critical infrastructure is under concerted threat from malicious cyber actors.
To illustrate, just recently, the Office of the Director of National Intelligence’s 2023 Threat Assessment stated that “China almost certainly is capable of launching cyber-attacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines, and rail systems” and that “Russia is particularly focused on improving its ability to target critical infrastructure, including underwater cables and industrial control systems, in the United States as well as in allied and partner countries, because compromising such infrastructure improves and demonstrates its ability to damage infrastructure during a crisis.”
Facing such a challenging threat environment, we must focus our efforts on a two-pronged strategy of defense – on driving adoption of strong cybersecurity measures, and on ensuring effective visibility into cyber threats targeting our nation’s critical infrastructure.
The second line of effort, in particular, is what I want to talk about today.
Right now, we are able to achieve a portion of this visibility by partnering with critical infrastructure organizations and cybersecurity companies, forging and maintaining crucial relationships with our partners for the betterment of our nation.
But for some of the nation’s most critical entities, we need to do more. And that leads us to CyberSentry.
We can distill down CyberSentry’s mission to this – through unique partnerships with industry, CISA is able to supply commercial detection capabilities that provide three key benefits:
- Enables the operational use of sensitive information prior to broader dissemination to the cybersecurity community
- Allows CISA’s analysts to correlate threat activity targeting multiple critical infrastructure entities and understand evolving campaigns
- Provides participating entities with access to their own CyberSentry dashboard, enabling integration into the partner’s cyber operations.
CyberSentry is governed by an agreement between CISA and voluntarily participating critical infrastructure partners. CyberSentry technology supports sensing and monitoring for information technology (IT) and operational technology (OT) networks. CyberSentry has added significant value to both CISA’s national mission and to our partners’ enterprise cybersecurity efforts.
Recent successes include:
- Infected OT Equipment: CyberSentry discovered an infection on a partner’s Human Machine Interface (HMI) equipment that had not been properly patched and secured. CISA analysts quickly notified the partner about the issue and offered guidance on preventive techniques for the future.
- Unintentional Exposure: CyberSentry tools spotted cleartext authentication occurring on a partner’s network, and further investigation revealed that a misconfiguration had caused the issue. A detailed report was provided to the partner, including specific guidance on remediating the situation.
- Private Sector Coordination: During the Colonial Pipeline disruption, CISA analysts coordinated closely with its pipeline partners to share information and monitor for adversary activity.
- SolarWinds Response: CyberSentry data helped to quickly identify partners affected by the SolarWinds supply chain compromise. All impacted partners were notified, and the program worked closely and expediently with these partners to confirm remediation of the threat.
- Identification of Malicious Activity: On multiple occasions, CISA analysts identified possible malicious activity at partner sites and worked with affected partners to identify the root causes of activity.
- Malware Discovery: CyberSentry tools quickly discovered and identified malware in a partner’s IT network. Working with the partner, CISA analysts were able to locate the infected device so the partner could remove it from the network and verify that the threat was contained.
- Attacker Exfiltration Detected: CyberSentry discovered that an attacker was actively exfiltrating information. CyberSentry worked with the partner to identify information that had been exfiltrated. After conferring with CyberSentry analysts, the partner was able to isolate infected systems that same evening, eliminating the threat.
CISA is looking to partner with a select number of additional Critical Infrastructure organizations who operate systems supporting National Critical Functions – functions so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on our Nation.
As malicious cyber activity continues to evolve, and nation state actors continue to aggressively target National Critical Functions, CyberSentry’s capabilities and critical partnerships directly enhance CISA’s goal of a stronger collective defense for our Nation.
For more information visit our CyberSentry webpage.
Author: Jermaine Roebuck, Associate Director for Threat Hunting
