GAO's insight on ransomware protections

This post was originally going to be about a recently released U.S. Government Accountability Office (GAO) report on how federal agencies lack insight into the ransomware protections in place across critical infrastructure.

But then, on 1/31/2024, we saw a story (reported by Reuters and others) headlined ‘US officials deliver warning that Chinese hackers are targeting U.S. infrastructure.’

The FBI just warned that “hackers linked to the Chinese government are targeting critical U.S. infrastructure, preparing to cause ‘real-world harm’ to Americans, FBI Director Christopher Wray told a congressional committee on Wednesday. Water treatment plants, the electric grid, oil and natural gas pipelines and transportation hubs are among the targets of state-sponsored hacking operations, he told the House of Representatives Select Committee on competition with China.”

Sources:

1. Reuters - https://www.reuters.com/technology/cybersecurity/chinese-hackers-are-targeting-us-infrastructure-fbi-chief-testify-2024-01-31/

2. The Hill - https://thehill.com/policy/national-security/4440146-fbi-warns-china-havoc-water-electric/

3. CNN - https://www.cnn.com/2024/01/31/politics/china-hacking-infrascture-fbi-director-christopher-wray/index.html

Getting back to what this post was originally supposed to be about: the GAO is saying that the agencies that oversee critical infrastructure sectors do not actually know whether companies have implemented protections against ransomware.

Hearing that the federal agencies that are supposed to monitor the energy, manufacturing, transportation, health care and other sectors are not sure whether companies are following the ransomware guidelines that were spelled out for them is a worrying thought.

As per the GAO, “none have fully assessed the effectiveness of their support to sectors” [in the Department of Homeland Security’s (DHS) 2013 ‘National Infrastructure Protection Plan’], and they also have not “determined the extent of adoption of the National Institute of Standards and Technology’s recommended practices for addressing ransomware.”

Without thorough assessments from the six sector risk management agencies examined in the report — the Cybersecurity and Infrastructure Security Agency, the Department of Energy, the Department of Health and Human Services, the U.S. Coast Guard, Transportation Security Administration, and the Department of Transportation — their respective sectors are missing out on “communication, coordination, and timely sharing of threat and incident information,” the GAO stated.

The GAO’s report is based on an audit conducted from August 2022 to January 2024, and it arrives at a time that is more critical than ever, with ransomware attacks on manufacturing plants, energy systems and other critical infrastructure on the rise.

With all of these attacks, the Cybersecurity and Infrastructure Security Agency (CISA) is trying to standardize how ransomware attacks are reported, since, as per the GAO, the current lack of reporting “makes it more challenging for SRMAs (Sector Risk Management Agencies) to know the full impact of ransomware on their respective sectors.”

This makes sense: companies need the SRMAs to assess sector-level risk so that organizations can better protect themselves against ransomware threats.

What can you do if you are in charge of security for your company, or have the ear of senior management (who should always be concerned about ransomware attacks)? In short, connect with cybersecurity experts and security forums outside your organization so that you stay on top of the latest threats and, of course, know how to counteract them.

And there are companies like SpaceBound Solutions that can provide Managed IT Services such as Endpoint Security (https://www.spaceboundsolutions.com/ContentPage/148) and Network Assessment & Review (https://www.spaceboundsolutions.com/ContentPage/152). To learn more about what SpaceBound Solutions can offer, email us at: Services@SpaceBoundSolutions.com


Original source on the GAO report on ransomware: ‘Cyberscoop’

https://cyberscoop.com/gao-ransomware-attacks-critical-infrastructure/
