The US Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to incorporate the Covered List created by the Federal Communications Commission (FCC) into their risk management plans.
The list encompasses a number of communications equipment and service providers that the US government has determined pose a potential national security risk under the Secure and Trusted Communications Networks Act of 2019.
“Organizations that are bound to CISA’s directives are required to follow them and take the necessary actions, while for civilian organizations, CISA directives are simply a recommendation,” Vulcan Cyber senior technical engineer Mike Parkin told Infosecurity in an email. “However, from a cybersecurity perspective, they have historically been sound recommendations and are well worth following.”
Some of the companies included on the list are Huawei, ZTE, Dahua and China Unicom, among others.
“In the case of Chinese telecommunications equipment, the concern is largely from a general distrust of this kit and the concern that the Chinese government required the manufacturer to include backdoors they could use for their own purposes,” Parkin said.
At the same time, the security expert added that some organizations may find it difficult to comply as removing and replacing their telecom gear may be cost-prohibitive.
CISA also urged all critical infrastructure organizations to enroll in its free vulnerability scanning service for assistance in identifying vulnerable or otherwise high-risk devices, such as those on the FCC’s Covered List.
“It is helpful that CISA offers a persistent vulnerability scanning service,” Tanium chief security advisor, Timothy Morris, told Infosecurity.
“That will do target discovery and vulnerability scanning of internet-accessible devices. It is equally important to scan internal networks that are not accessible via the internet to have a complete picture of what devices are being used.”
In related news, CISA unveiled its Ransomware Vulnerability Warning Pilot (RVWP) program last month.