The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), set to go into effect next year, requires critical infrastructure organizations to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA).
The guidelines, as outlined by CISA, were open to public comment over the summer, and the resounding consensus was that many critical infrastructure companies do not feel prepared to report cyberattacks within the required 72-hour window, or ransomware payments within the required 24 hours.
The hours following a cyberattack are hectic, confusing, and overwhelming, with many often finding that hours can quickly turn into days. If organizations do not have a plan in place before an attack occurs, it’s difficult to coordinate internal efforts to report an attack and identify what needs sharing, all while simultaneously dealing with potential ransom demands, outages in operations, and general chaos.
As companies prepare for CIRCIA there are at least three steps they can take: engage a breach counsel, develop a plan of action should primary infrastructure be taken offline, and strengthen their backup infrastructure. These steps will help to ensure compliance with upcoming regulations while prioritizing business continuity.
- Engage a breach counsel: Critical infrastructure companies will need a legal team that can offer guidance and advice in case customer data is exposed during an attack. This team can help stay on top of regulations such as CIRCIA and the U.S. Securities and Exchange Commission (SEC)’s cybersecurity disclosure rules to ensure compliance and coordinate a legal response. Having a breach counsel offers a sense of calm and security during the storm – a group of people with experience in cyberattacks who bring a third-party perspective and can approach decision-making from an informed and impartial point of view.
- Develop a plan of action: Create a response plan that all relevant stakeholders have access to and assign roles so that everyone knows what they should do following an attack, whether engaging other team members, handling external communications, or triggering a restore. One often overlooked step that can become a logistical nightmare if not considered in advance is how the team will communicate during a cyberattack lockdown. Threat actors may take systems offline, or internal teams may need to shut down systems to prevent further damage, preventing employees from being able to access corporate email accounts and directories. Find alternative methods of communication with colleagues, such as LinkedIn, so that everyone can stay in contact.
- Strengthen the organization’s backup plan: It’s essential to have backups of any important documents that the company needs to access in the event of an attack, such as legal procedures, a list of potentially impacted clients, and how to contact them. Backups are something that everyone cares about only when it’s too late. They are the star of the show following an attack, when they are the last hope to recover essential company data, but they are often glossed over during day-to-day prioritization. IT teams are likely already intimately familiar with the company’s backup infrastructure. Still, for effective and informed decision-making following an attack, leaders outside of the IT team also need to understand how they can restore data. Companies will want to avoid downtime as much as possible and keep core business functions running.
Start by identifying a Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RPO measures how often data gets copied from the primary network to the backup. The lower the RPO, the more up-to-date the backup, and the less data is lost when it comes time to recover. RTO measures how long it takes to restore systems from the backup. Together, the two objectives determine how much data the company can restore and how fast: crucial information that informs a post-attack strategy. However, it is nearly impossible to maximize resiliency without testing before an attack. While it is desirable to shorten RPO and RTO, it is not possible to get there without running simulations and recovery tests. Conduct a staged restore or other test run to work out the kinks and tune RPO and RTO to what works best for the business. Ensuring that the content of the backups is protected is just as consequential, as cybercriminals now target backups to try to leave organizations with no option but to pay the ransom to get their data back. Immutable object storage ensures that data cannot be encrypted or deleted by anyone once it has been written, employees and threat actors alike.
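As an added example (not code from the article or from Object First), the following Python script measures the RPO and RTO a backup setup actually achieves from constructed backup-job and restore-drill records, then compares them with the objectives the business has set. The timestamps and job outcomes are hypothetical sample data; a failed backup job is included to show how it silently widens the real recovery point.

```python
"""Measure achieved RPO/RTO from backup-job history and a restore drill."""
from datetime import datetime

# Constructed sample data (not real logs): backup job runs every 6 hours,
# but one run failed, so the protected copy is older than the schedule implies.
BACKUP_JOBS = [
    ("2024-05-01T00:00:00", "success"),
    ("2024-05-01T06:00:00", "success"),
    ("2024-05-01T12:00:00", "failed"),
    ("2024-05-01T18:00:00", "success"),
    ("2024-05-02T00:00:00", "success"),
]
# Constructed restore drill: when the restore started, and when data was usable.
RESTORE_DRILL = ("2024-05-02T09:00:00", "2024-05-02T13:30:00")

HOUR = 3600.0


def achieved_rpo_hours(jobs):
    """Worst-case data loss: the largest gap between consecutive *successful*
    backups. Failed runs are excluded, which is exactly what makes the gap grow."""
    ok = sorted(datetime.fromisoformat(t) for t, status in jobs if status == "success")
    if len(ok) < 2:
        raise ValueError("need at least two successful backups to measure RPO")
    return max((b - a).total_seconds() for a, b in zip(ok, ok[1:])) / HOUR


def achieved_rto_hours(drill):
    """Elapsed time from starting the restore until data was usable again."""
    start, usable = (datetime.fromisoformat(t) for t in drill)
    return (usable - start).total_seconds() / HOUR


def assess(jobs, drill, rpo_target_hours, rto_target_hours):
    """Compare measured values with the business objectives; returns a report dict."""
    rpo, rto = achieved_rpo_hours(jobs), achieved_rto_hours(drill)
    return {
        "rpo_hours": rpo,
        "rto_hours": rto,
        "rpo_met": rpo <= rpo_target_hours,
        "rto_met": rto <= rto_target_hours,
    }


if __name__ == "__main__":
    # Hypothetical objectives: at most 8 hours of data loss, restore within 6 hours.
    print(assess(BACKUP_JOBS, RESTORE_DRILL, rpo_target_hours=8, rto_target_hours=6))
```

Run against real job history and drill timings, the same report shows whether the objectives hold in practice rather than on paper.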
Having a plan for what immediate actions to take following an attack, and for how to restore data to bring operations back up and running, mitigates the disruption and confusion that follow. This will make it much easier for companies to report breaches, cyberattacks, and ransom payments to the government, law enforcement, impacted customers, and other stakeholders faster, and with more information.
Anthony Cusimano, technical director, Object First