Remediation Times Drop Sharply as Cyber Hygiene Take Up Surges

Critical national infrastructure (CNI) providers are getting better at remediating exploited vulnerabilities and at following other cyber hygiene best practices, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

The agency’s new Cybersecurity Performance Goals Adoption Report analyzed the performance of close to 7800 CNI organizations since 2022.

It found that:

  • Remediation times for Secure Sockets Layer (SSL) vulnerability and known exploited vulnerability (KEV) tickets decreased by 50% for critical-severity KEVs and 25% for high-severity KEVs over the period
  • Time taken to resolve SSL vulnerability-related tickets fell from around 200 days in 2022 to under 50 days
  • Exploitable services monitored by CISA Vulnerability Scanning decreased from 12 per enrollee in August 2022 to around eight services per enrollee in August 2024
  • There was a 201% increase in enrolment to CISA’s Cyber Hygiene (CyHy) service by CNI organizations between August 2022 and August 2024, rising even higher for organizations in the Communications (300%), Emergency Services (268%), Critical Manufacturing (243%), and Water and Wastewater Systems (242%) sectors

CISA’s CyHy offering is a set of free services designed to reduce the threat exposure of enrolled organizations. It includes vulnerability and web app scanning.

However, experts warned that it’s not time for CNI firms to celebrate just yet.

“Seeking to find any vulnerabilities in your external attack surface is certainly one of the first priorities that enterprises should have. But bear in mind, it doesn't necessarily represent the only way that attackers can breach an environment, and there’s no guarantee that a zero day isn’t used instead,” argued Dispersive.io VP, Lawrence Pingree.

“Attackers just rotate to whatever they need to in order to accomplish their goals. So, if the external surface is too much of a challenge, they rotate to third parties, or malware and phishing, or even social engineering.”

For this reason, organizations should be more proactive about their security strategy, rather than playing “whack-a-mole” with vulnerability patching, Pingree added.

The CISA report also highlighted the continued risks posed by operational technology (OT). It revealed that, in the Government Services and Facilities sector, 63% of OT protocols were found exposed to the public internet.
