The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released on Friday its Cybersecurity Performance Goals Adoption Report, emphasizing the advantages of implementing Cybersecurity Performance Goals (CPGs) for the nation’s critical infrastructure sectors. The CISA CPG adoption report is based on an analysis of 7,791 critical infrastructure organizations enrolled in CISA’s Vulnerability Scanning service from Aug. 1, 2022, through Aug. 31, 2024.
Data reveals that four critical infrastructure sectors are most impacted by CPG adoption: healthcare and public health, water and wastewater systems, communications, and government services and facilities. These four sectors have strong partnerships with CISA. As the lead cybersecurity agency strengthens partnerships across the 16 critical infrastructure sectors, the agency hopes that CPG adoption will continue to expand.
Initially introduced in October 2022, CISA’s CPGs are voluntary measures that critical infrastructure owners can adopt to safeguard against cyber threats. In March 2023, following feedback from the critical infrastructure community, these voluntary practices were reorganized, reordered, and renumbered to align closely with the NIST Cybersecurity Framework (CSF) functions, so that organizations can use the CPGs to prioritize investments as part of a broader cybersecurity program built around the CSF.
The CISA CPG adoption report disclosed that exploitable services routinely monitored by CISA Vulnerability Scanning have been steadily decreasing from 12 services per enrollee in August 2022 to about eight services per enrollee in August 2024. Across the period of analysis, remediation times for Secure Sockets Layer (SSL) vulnerability and known exploited vulnerability (KEV) tickets decreased by 50 percent for critical-severity KEVs and by 25 percent for high-severity KEVs.
Also, in August 2022, SSL vulnerability-related tickets were resolved in about 200 days. During the later months, resolution time decreased to under 50 days. As of Aug. 31, 2024, CISA observed the highest occurrence of operational technology (OT) protocols exposed to the public internet within the government services and facilities sector, at 63 percent exposure.
CISA reported that throughout the analysis, the total Cyber Hygiene (CyHy) service enrollment increased by 201 percent. This increase is likely a result of CISA programs and initiatives, such as the CPGs, targeted risk analysis and intel products, and other efforts. All sectors exhibited an average of 208 percent growth in enrollment since the CPGs were published. The sectors that showed the highest enrollment increase were the communications (300 percent), emergency services (268 percent), critical manufacturing (243 percent), and water and wastewater systems (242 percent) sectors.
The CISA CPG adoption report identified the top OT/Industrial Control Systems (ICS) protocols commonly used with OT/ICS products exposed to the public internet. CISA port scans have only been available for the past 90‒150 days; therefore, CISA is not able to determine OT/ICS exposure before CPG publication.
As of Aug. 31, 2024, CISA observed the highest occurrence of OT protocols exposed to the public internet and identified the top five publicly exposed OT/ICS protocols seen from Oct. 11, 2023, to Aug. 31, 2024. Port scans do not reveal the specific ICS devices behind these protocols; however, these are common protocols associated with OT connections that are being exposed to the public internet.
As of September 2024, CISA observed OT protocols exposed to the public internet and determined the five sectors with the highest occurrences. Exposure of the most observed OT/ICS protocols was seen across most of the critical infrastructure sectors, along with the percentage of findings from CyHy enrollees from Oct. 11, 2023, to Aug. 31, 2024. The government services and facilities sector primarily exposes the OPC Unified Architecture protocol, which is widely used within ICSs.
The CPG adoption report highlighted the most frequently observed OT/ICS protocols exposed to the public internet during the analysis period. The OPC UA platform accounted for 43 percent of exposures; the Distributed Network Protocol (DNP) was exposed 22 percent of the time; Niagara-Fox had a 21 percent exposure rate; Ethernet/IP was exposed 10 percent; and Metasys was exposed 4 percent.
CISA disclosed that since the publication of the CPGs, entities enrolled in the Vulnerability Scanning service demonstrated a continued decline in the average number of KEVs on their networks. This indicates that critical infrastructure organizations are successfully prioritizing the remediation of vulnerabilities based on KEVs.
The CISA CPG adoption report provided data on the top 10 KEVs over the review period, revealing notable trends in the cybersecurity landscape for CyHy enrollees. A significant portion of the vulnerabilities involved open-source software, with PHP and Apache-related vulnerabilities collectively accounting for over half of the cases (58 percent). This includes high-prevalence KEVs such as the PHP-CGI OS Command Injection Vulnerability (25.3 percent) and Apache HTTP Server-Side Request Forgery (23.1 percent), highlighting the widespread use of, and potential risks in, these platforms.
Cisco-related vulnerabilities, though less frequent, represent 9.8 percent of observed KEVs. The recurrence of vendors like PHP, Apache, and Cisco indicates that vulnerabilities in popular and widely used software platforms continue to be a critical challenge for CyHy enrollees. This data underscores the importance of targeted mitigation strategies focused on the most exploited platforms.
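As an added example that is not part of the report or any CISA tooling, the script below computes the kinds of metrics the report tracks (open findings per enrollee, mean remediation time by KEV severity and for SSL tickets, and the OT/ICS protocol exposure share described earlier) and builds a KEV-first remediation queue over constructed scan findings; the Finding fields and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class Finding:
    enrollee: str
    kind: str              # "kev", "ssl", or "ot_protocol"
    detail: str            # KEV severity, SSL issue, or exposed protocol name
    opened: date
    closed: Optional[date] # None while the ticket is still open

# Constructed sample findings (not real scan data), shaped like the report's ticket types.
FINDINGS = [
    Finding("org-a", "kev", "critical", date(2024, 3, 1), date(2024, 3, 4)),
    Finding("org-a", "kev", "high", date(2024, 3, 1), date(2024, 3, 15)),
    Finding("org-b", "kev", "critical", date(2024, 4, 10), date(2024, 4, 12)),
    Finding("org-b", "ssl", "weak cipher", date(2024, 1, 1), date(2024, 2, 10)),
    Finding("org-c", "ssl", "expired cert", date(2024, 5, 1), None),
    Finding("org-c", "ot_protocol", "OPC UA", date(2024, 6, 1), None),
    Finding("org-c", "ot_protocol", "DNP3", date(2024, 6, 1), None),
    Finding("org-d", "ot_protocol", "OPC UA", date(2024, 6, 2), None),
    Finding("org-d", "kev", "critical", date(2024, 8, 1), None),
]

def mean_remediation_days(findings, kind, detail=None):
    """Average open-to-close days for closed tickets of one kind (optionally one detail)."""
    days = [(f.closed - f.opened).days for f in findings
            if f.kind == kind and f.closed is not None
            and (detail is None or f.detail == detail)]
    return mean(days) if days else None

def ot_exposure_share(findings):
    """Percentage of OT-protocol findings attributed to each exposed protocol."""
    ot = [f for f in findings if f.kind == "ot_protocol"]
    counts = {}
    for f in ot:
        counts[f.detail] = counts.get(f.detail, 0) + 1
    return {p: round(100 * n / len(ot), 1) for p, n in counts.items()}

def open_findings_per_enrollee(findings):
    """Still-open findings divided by the number of distinct enrollees."""
    enrollees = {f.enrollee for f in findings}
    return sum(1 for f in findings if f.closed is None) / len(enrollees)

def triage_order(findings):
    """Open tickets ordered: critical KEVs, high KEVs, other KEVs, exposed OT protocols, SSL."""
    kev_rank = {"critical": 0, "high": 1}
    def key(f):
        if f.kind == "kev":
            return kev_rank.get(f.detail, 2)
        return 3 if f.kind == "ot_protocol" else 4
    return sorted((f for f in findings if f.closed is None), key=key)
```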
Organizations should remain up to date on cybersecurity hygiene and best practices to protect against adversary threats related to gaps in network infrastructure. Internet-facing exposed services and assets should remain a priority for remediation in conjunction with the above key findings. CISA also encourages sector entities to review NIST Special Publication (SP) 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations, and the NIST Cybersecurity Framework for additional best practices.
The CISA CPG adoption report identified that the agency’s initiatives, programs, and products are directly influencing critical infrastructure sector service enrollments and adoption of CPGs. A general analysis of CISA data reveals a moderate impact of CPG adoption across critical infrastructure sectors. This is most evident in the healthcare and public health, water and wastewater systems, communications, and government services and facilities sectors, where there appears to be strong partnership and collaboration with CISA.
It added that as CISA strengthens partnerships across all sectors, CPG adoption will continue to expand. Additionally, as CISA continues to evolve CPG guidance, CPG adoption analytics will become more granular and apparent. Over time, this advancement will allow CISA to infer the adoption of more CPGs.
As the U.S. critical infrastructure sector operates under continuous threat from nation-state cyber adversaries and cybercriminal organizations around the globe, CISA’s mission has been to lead efforts to collaboratively and proactively reduce risk and enhance resilience across these installations, federal civilian executive branch assets, and the broader private sector.
Last week, Jeff Greene, CISA’s executive assistant director for cybersecurity, focused on three transformative initiatives to illustrate this collective effort to reshape the cybersecurity landscape: the KEV Catalog, the CPGs, and the Pre-Ransomware Notification Initiative (PRNI). The KEV Catalog, CPGs, and PRNI exemplify CISA’s commitment to fostering collaboration across the public and private sectors. These initiatives have helped to reshape cybersecurity by prioritizing proactive defense, measurable outcomes, and resource-efficient solutions.