The Cybersecurity and Infrastructure Security Agency has reported significant progress in improving critical infrastructure cybersecurity and resilience since the implementation of its cross-sector Cybersecurity Performance Goals. The agency on Friday published the results of its analysis of 7,791 critical infrastructure organizations enrolled in its vulnerability scanning service from 2022 through 2024.
The CPG, issued in October 2022, is a set of voluntary practices designed to empower critical infrastructure operators to defend their networks against cyberthreats. The CPG offers guidance for organizations that may lack the knowledge and resources to adopt tools or roll out programs that could strengthen their network resilience.
CISA Shares Cyber Hygiene Enrollment Rate
CISA’s Cyber Hygiene service enrollment rate over the past two years increased by 201 percent. The communications sector saw the largest enrollment jump at 300 percent, with enrollments across emergency services, critical manufacturing, and water and wastewater system sectors also seeing over 200 percent growth.
Improved Cybersecurity Across US Critical Infrastructure Sector
One of the progress points the agency shared in the report is the decline in known exploited vulnerabilities, or KEVs, among entities enrolled in the government’s vulnerability scanning service. Since 2022, the average number of KEVs in assets accessible to the internet among critical infrastructure organizations declined. The trend shows that companies are prioritizing the remediation of network flaws based on CISA’s KEV catalog.
The agency also saw improvements in Secure Sockets Layer misconfigurations, which decreased on average from 3.8 in the first 11 months of the CPG implementation to 2.5 in the past 12 months.
The report also highlighted the persistence of operational technology protocols exposed to the internet. The government, according to the agency, accounts for the highest occurrence of OT/Industrial Control System protocols exposed to the public internet at 63 percent. IT, energy, healthcare and public health, and financial services round out the top five sectors with the highest occurrences.