On December 15, 2021, the U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of a warning for “critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential malicious cyber attacks” before the upcoming holiday season.  CISA’s warning emphasizes that “[s]ophisticated threat actors . . . have demonstrated capabilities to compromise networks and develop long-term persistence mechanisms” and have “demonstrated capability to leverage this access for targeted operations against critical infrastructure with potential to disrupt National Critical Functions.”

CISA’s warning includes recommended actions for executives and senior leaders, additional recommended actions for organizations with operational technology (“OT”) and industrial control systems (“ICS”), recommendations for organizations that have experienced a cybersecurity incident, and a list of resources that organizations confronting cyber threats and evaluating cybersecurity best practices may find helpful.

Actions for Executives and Senior Leaders.  Specifically, in light of these “persistent and ongoing cyber threats,” CISA’s warning urges critical infrastructure owners and operators to undertake a series of “immediate actions” to proactively bolster their organizations’ cyber defenses before the upcoming holiday season, including by:

  1. Increasing Organizational Vigilance: Ensuring that the organization has “no gaps in Information Technology (IT)/Operational Technology (OT) security personnel coverage” and is continually “monitoring for all types of anomalous behavior.”  CISA’s warning notes that such coverage is “particularly important during the winter holiday season when organizations typically have lower staffing.”
  2. Preparing For Rapid Response: Adopting “a state of heightened awareness” by:  creating, updating, or reviewing the organization’s “cyber incident response procedures”; ensuring that personnel are familiar with “key steps they need to take during and following an incident”; checking reporting processes and exercising “continuity of operations plans” to test the organization’s ability “to operate key functions in an IT-constrained or otherwise degraded environment”; and considering the potential cross-sector impacts of incidents that may occur, both at the organization and at other organizations across critical infrastructure sectors.
  3. Implementing Cybersecurity Best Practices: Implementing key best practices, including:  enforcing “multi-factor authentication and strong passwords”; installing “software updates” while “prioritizing known exploited vulnerabilities”; and securing “accounts and credentials.”
  4. Staying Informed: Monitoring the latest updates about cyber threats and malicious techniques, including by subscribing to CISA’s mailing list and feeds.
  5. Engaging in More Information Sharing: Lowering the threshold for “threat and information sharing,” including by immediately reporting “cybersecurity incidents and anomalous activity to CISA and/or the FBI.”

Organizations with OT/ICS Systems.  CISA’s warning also notes that organizations with OT and ICS can “improve their cyber posture and functional resilience” by undertaking a series of additional steps, which include:

  1. “Identifying and securing” the critical processes that must continue without interruption;
  2. “Developing and regularly testing workarounds or manual controls” to ensure that such processes “can be isolated and continue operating without access to IT networks, if needed;” and
  3. “Ensuring backup procedures” are in place and “regularly tested,” and “that backups are isolated from network connections.”

Recommendations for Organizations Impacted by an Incident.  CISA’s warning recommends that organizations impacted by an incident:

  1. Implement the organization’s incident response plan;
  2. Immediately report “incidents or anomalous activity” to CISA; and
  3. Consider obtaining support from “a third-party IT organization to provide subject matter expertise.”

Resources.  CISA’s warning also includes a list of resources that organizations confronting cyber threats and evaluating cybersecurity best practices may find helpful, including CISA’s Cyber Essentials, Questions Every CEO Should Ask About Cyber Risks, and resources specific to owners and operators of operational technology systems, including Rising Ransomware Threats to Operational Technology Assets, among others.

Potential Implications.  CISA’s latest warning follows its earlier Cybersecurity Reminder on November 22, 2021, urging public and private sector organizations to be vigilant and implement precautions leading up to the holiday season, and emphasizes the heightened risks that organizations may face from cyber threats around the holiday season.

Looking Forward.  These warnings are consistent with the U.S. Government’s ongoing focus on strengthening critical infrastructure cybersecurity, follow shortly after TSA issued new cybersecurity requirements for the rail and air sectors, and align with the White House’s continued emphasis on U.S. Cybersecurity.  All organizations—in the U.S. critical infrastructure sectors and beyond—should expect continued developments in these areas into 2022.

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the U.S. Army Reserve.

Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group and as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Moriah Daugherty

Moriah Daugherty advises clients on a broad range of cybersecurity, data privacy, and national security matters, including government and internal investigations, regulatory inquiries, litigation, and compliance with state and federal privacy laws.

As part of her cybersecurity practice, Moriah specializes in assisting clients in responding to cybersecurity incidents, including matters involving Advanced Persistent Threats targeting sensitive intellectual property and personally identifiable information. Moriah also assists clients in evaluating existing security controls and practices, assessing information security policies, and preparing for cyber and data security incidents.

As part of her litigation and investigations practice, Moriah leverages her government experience to advise clients on national security and law enforcement related compliance issues, internal investigations, and response to government inquiries.

Prior to becoming a lawyer, Moriah spent eight years working for the Federal Bureau of Investigation and U.S. Department of Justice.

Matthew Harden

Matthew Harden is a cybersecurity and litigation associate in the firm’s New York office. He advises on a broad range of cybersecurity, data privacy, and national security matters, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, and regulatory inquiries. He works with clients across industries, including in the technology, financial services, defense, entertainment and media, life sciences, and healthcare industries.

As part of his cybersecurity practice, Matthew provides strategic advice on cybersecurity and data privacy issues, including cybersecurity investigations, cybersecurity incident response, artificial intelligence, and Internet of Things (IoT). He also assists clients with drafting, designing, and assessing enterprise cybersecurity and information security policies, procedures, and plans.

As part of his litigation and investigations practice, Matthew leverages his cybersecurity experience to advise clients on high-stakes litigation matters and investigations. He also maintains an active pro bono practice focused on veterans’ rights.

Matthew currently serves as a Judge Advocate in the U.S. Coast Guard Reserve.