The Cybersecurity and Infrastructure Security Agency said Friday that a recent breach of its chemical plant security tools related to a flawed Ivanti product could affect more than 100,000 individuals, and that it is required to notify Congress under federal cybersecurity law. The government notified lawmakers that the incident had triggered the disclosure of information to the government.
Given the scale of the breach, it is a “serious incident” that falls under the standards set by the Federal Information Security Management Act. The hackers breached the Chemical Security Assessment Tool (CSAT), which stores information about chemical plants' security plans, and the CISA Gateway, another CISA system that is a portal for tools to ensure the security of critical infrastructure. The agency is also beginning to notify affected people and businesses.
CISA officials said there was no evidence that hackers exploited vulnerabilities in Ivanti products to steal data and that the breach did not impact operations, even though CISA was forced to take systems offline.
Brandon Wales, executive director of CISA, told CyberScoop: “This is something we've been looking for very hard, and we wanted to see if we could find evidence of a breach, which is why we waited so long. That was one of the reasons.” He said the agency is also sharing additional details in the spirit of transparency.
An internal investigation led by the agency's chief information officer and threat hunting team has concluded. It found that the attacker deployed a web shell against the CSAT tool, resulting in a “loss of control of the system,” Wales said. He also urges authorities to release information to Congress. In contrast, he said the Gateway breach was “fairly limited” and the hackers did not deploy a web shell.
News of the CISA breach broke earlier this month, but Wales said the breach dates back to January. It was at this time that details of the Ivanti vulnerability were first made public. CISA itself issued a warning about the vulnerability that hackers used to break into CISA's systems.
Wales said CISA implemented the vendor-recommended fix on January 11 and performed daily checks using a tool created by Ivanti aimed at finding compromised devices. On January 26th, CISA discovered that its CSAT application had been compromised. The attacker had access to the device for two days, he said.
Wales said the hackers were able to bypass Ivanti's mitigations and Ivanti's “integrity checker.”
CSAT is used under the Chemical Facility Counterterrorism Standards Program, which requires people with access to high-risk chemicals to be screened against a terrorist screening database. CSAT maintains information about these individuals and their affiliates. But the law that created the program expired last July, and CISA's CSAT website notes that as a result, facilities are no longer required to submit information to CSAT.
Wales said CSAT is being taken offline until CISA completes technical improvements to the system and until the Chemical Plant Safety Act is reauthorized.
He said CISA had already briefed the Hill on the details of the incident. Notifications went Friday to the House and Senate Appropriations Committees, the Senate Homeland Security and Governmental Affairs Committee, the Senate Commerce Committee, the House Homeland Security Committee, the House Oversight and Accountability Committee, and the House Science, Space, and Technology Committee. Notification is a requirement under federal cybersecurity law.
The government has not identified who exploited the Ivanti vulnerability, but cybersecurity companies have pinned the blame on China-linked hackers.
The breach at CISA taught important lessons, Wales said. First, the agency had an incident response plan in place and quickly took action at the first sign of a problem. Second, CISA used the information gleaned from the breach to alert other companies. This demonstrates the value of information sharing that CISA is campaigning for across industries.
“Third, I think every company and government agency that suffers from a breach is going to learn where they need to improve. We're going through that process right now, and CIOs are going to learn where they need to improve. We are learning lessons about what we need to do. We will improve our system based on this incident and the findings of our investigation,” Wales said. “This improves the security of all CISA systems.”