CISA Posts Initial List of ‘Bad’ Cybersecurity Practices

The Cybersecurity and Infrastructure Security Agency has logged the first entries in its list of “bad” cybersecurity practices for critical infrastructure operators.

CISA warned organizations against using unsupported or end-of-life software for critical infrastructure and national critical functions.

Operators should also avoid using known passwords and credentials, especially in internet-accessible technologies, CISA said.

The Department of Homeland Security defines critical infrastructure sectors as those whose assets, systems and networks are essential for security, national economic security or national public health and safety.

DHS currently recognizes 16 critical infrastructure sectors, including the chemical, commercial facilities, defense, energy, health care and transportation sectors.

Lawmakers have introduced legislation that would add space systems to the list. The Space Infrastructure Act covers satellites, space vehicles, space-related terrestrial systems, launch infrastructure, space-related production facilities and space information technology.

While the list of risky cyber practices is aimed at critical infrastructure operators, CISA encourages all organizations to work toward addressing such practices.

CISA stressed that the list is not exhaustive and that exclusion of a particular practice does not indicate an endorsement by the government.

Eric Goldstein, executive assistant director at CISA, acknowledged in a blog post that most organizations cannot adequately address all cybersecurity elements due to resource limitations.

He said that CISA’s approach to risk management is based on the principle of “focus on the critical few.”

On May 12, President Joe Biden signed an executive order expanding CISA’s authorities to counter cyberattacks, which include the creation of a cyber incident response playbook.

Sign Up Now! Potomac Officers Club provides you with Daily Updates and News Briefings about Cybersecurity

Join Us Now