Understanding the Impact of the CISA Critical Infrastructure Cyber Incident Reporting Rules

Regulators across industries have started to pay closer attention to incident response and reporting practices for ransomware and other security events. The Securities and Exchange Commission (SEC), for example, released new rules for publicly traded companies last year as part of a drive for greater transparency into the impact of cyber incidents.

Now the Cybersecurity and Infrastructure Security Agency (CISA) has published proposed incident reporting rules focused on critical industries in the Federal Register on April 4, 2024. These incident reporting rules are meant primarily for the 16 critical infrastructure sectors that CISA covers, including healthcare, financial services, and utilities companies. They could, however, also impact ancillary industries that serve those sectors.

The proposed rule describes how critical infrastructure companies will need to report cyber incidents within 72 hours and ransomware payments within 24 hours. These are the rules that CISA was charged with creating by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which granted the agency rulemaking authority.

The rule is also indicative of the challenges facing critical infrastructure companies and the lack of structured information sharing between the public and private sectors over the years. These rules are not final, but they come at a time when critical industries face a flood of ransomware attacks.

Critical Infrastructure Under Ransomware Threat 

Companies considered critical infrastructure have been under threat from cyberattackers in increasing numbers. The 2023 annual cybercrime statistics from the FBI’s Internet Crime Complaint Center (IC3) noted 1,193 ransomware incidents targeting 14 of the 16 critical infrastructure sectors throughout the year.

Of the ransomware incidents reported to the FBI, the healthcare sector was the most targeted with 249 reports, followed by critical manufacturing at 218 attacks, and government facilities with 156 attacks. The number of ransomware complaints increased 37% year over year from the 2022 report, demonstrating the rise in attacks against critical infrastructure. 

Ransomware has also become more damaging, with attacks like those on Change Healthcare, SolarWinds, and Colonial Pipeline. The Change Healthcare attack has been especially damaging; the company also paid a $22 million ransom to its attackers to protect patient data.

CISA has long offered guidance to critical industries around best practices, but its recommendations have not historically held the force of law. Successful attacks on critical industries, including healthcare, financial services, water and wastewater, energy, and pharmaceuticals, can and do have cascading impacts deep into society. As a result, there needs to be cohesive guidance around incident reporting. These CISA rules aim to provide that.

Further, CISA seems to be taking a position that disclosure helps the industry more than secrecy helps defenders. Depending on the final language, it is possible that detection techniques and defensive measures will be required to be disclosed. This helps attackers. However, CISA seems to feel that it helps defenders even more.

Key Features of the CISA Incident Reporting Rules 

The CISA rules are in the public comment phase until June 3, 2024. Following that, the agency will have 18 months to make revisions and then will give Congress an additional 60 days for review. This rulemaking timeline means that companies will not need to comply until early 2026 at the soonest. 

Despite this timeframe, it’s worth understanding the key features of the proposed rules. The bulk of the rules define which companies, or “covered entities,” need to comply and what types of cyber incidents would need to be reported. 

What Is a Covered Entity? 

A “covered entity” is a company performing functions within one of the 16 critical infrastructure sectors. Within the 16 sectors, that definition does change slightly. For the most part, size is the main criterion. Only companies that exceed the definition of a small business according to Small Business Association (SBA) guidelines will need to report an incident to CISA.

There are also specific industry-level carveouts. For example, only hospitals with more than 100 beds or rural facilities that are considered critical access must follow the guidelines. In the water and wastewater industry, this means a community water system or publicly owned treatment works, as defined in 42 U.S.C. § 300f(15) or 40 C.F.R. § 403.3(q) respectively, serving a population greater than 3,300 people. Each sector has its own criteria of this kind.

What Type of Incidents Need to be Reported? 

The bulk of the CISA proposed rule defines what types of incidents do and do not need to be reported to the agency. The agency determines this based on several criteria that move a cyber incident into what’s considered a Substantial Cyber Incident.

To qualify as a Substantial Cyber Incident, an attack has to occur against a covered entity and meet four specific criteria: 

  • Substantial Loss of Confidentiality, Integrity, or Availability. A cyber incident needs to first result in what CISA calls a “substantial” loss of confidentiality, integrity, or availability of a covered entity’s information system or network. “Information system” could mean IT or OT in this definition, and “substantial” relates to the type, volume, impact, and duration of the loss. A ransomware attack would automatically qualify, as would a denial of service attack that results in loss of access for an extended period of time. 
  • Serious Impact on Safety and Resiliency of Operational Systems and Processes. Whether an impact is serious and related to safety and resiliency could depend on the safety or security hazards associated with the system or process, and the scale and duration of the impact. An attack on a chemical company that increases the chance of harmful chemicals being released is one example. 
  • Disruption of Ability To Engage in Business or Industrial Operations. The third criterion covers disruption of operations, including delivering goods and services as well as the normal function of a business. This means, for example, a ransomware attack or exploitation of a zero-day vulnerability, against (I) an information system or network; or (II) an operational technology system or process; or unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a CSP, managed service provider, or other third-party data hosting provider or by a supply chain compromise.
  • Unauthorized Access Facilitated Through or Caused by a: (1) Compromise of a CSP, Managed Service Provider, or Other Third-Party Data Hosting Provider, or (2) Supply Chain Compromise. This final criterion focuses on third-party or supply chain compromise, requiring incident reporting if someone gains unauthorized access because of a vendor or supplier relationship.

If an incident meets the first three criteria but not the last one, it still needs to be reported to CISA under the incident reporting rule.

The Impact of CISA’s Incident Reporting Rule

CISA’s new proposed rule could cause reverberations throughout critical infrastructure industries and beyond. Needing to report an incident within 72 hours and a ransomware payment in 24 hours (unless the payment is part of an incident) could frustrate smaller organizations without extensive cybersecurity resources in place. 

Under the rule, covered entities would submit reports to the agency via a web form, unless they already report cyber incidents to another federal agency. In that case, a separate report to CISA is not required so long as the other agency can share its reporting with CISA and both reports contain substantially similar information.

Ultimately, these new rules could serve to uplevel incident response and reporting across sectors. If CISA provides guidance to companies with minimal resources, it could also improve the defensive posture of critical industries at the exact time when they’re most in the crosshairs of attackers.

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.
