The Cybersecurity and Infrastructure Security Agency ("CISA") in the US has published a list of bad practices. This is guidance from a US-based regulator and is focussed on cybersecurity for critical infrastructure, where CISA considers these bad practices to be "exceptionally dangerous" and to increase risk to infrastructure relied on for "national security, economic stability, and life, health, and safety of the public". Having said that, the bad practices identified are highly relevant outside of the US and for companies that do not operate critical infrastructure. This is particularly the case for companies supplying into organisations that operate critical infrastructure, or that are subject to NIS or GDPR-style obligations to deploy appropriate technical and organisational security measures. In recent penalty notifications, the ICO has referred to guidance or industry knowledge from regulators outside the United Kingdom, and we expect this approach to continue.

Two bad practices are on the list at the moment:

  1. use of unsupported or end-of-life software; and
  2. use of default passwords or other default credentials.

In both cases, CISA considers these practices to be especially egregious when used in internet-accessible technologies. This is a critical concern which has been exacerbated by the need to introduce remote working arrangements (often on quite a condensed timeline) as a result of government measures designed to limit the spread of coronavirus in various countries.

The list is not exhaustive and CISA intends to update this catalogue over time. CISA has also made it clear that omitting a practice from this list does not mean that CISA endorses it, or considers it acceptable or in line with good industry practice.

While we expect that neither of the bad practices currently catalogued is surprising in itself, in our experience they are quite common issues in industrial systems, particularly in long-established infrastructure networks. These networks were often initially set up long before remote access and IoT capability were possible, and have been incrementally developed and added to since then, because it is operationally very challenging to keep systems offline for long enough to perform transformative upgrades. Also, as a result of competing priorities for resources, cybersecurity has not always been seen as a business priority for industrial companies. However, recent successful cyber attacks, such as the ransomware attack against Colonial Pipeline and high-profile supply chain attacks, have moved cyber defence strategy higher up the list of corporate priorities for many organisations that did not previously view it as high risk.

If you identify a bad practice or potentially bad practice, the guidance from CISA is to engage in "necessary actions and critical conversations to address Bad Practices", although clearly the precise actions to be taken will need to be considered on a case-by-case basis. It would also be prudent for cybersecurity planning to be rigorously considered as part of any digital transformation project, to ensure that bad practices are not inadvertently introduced - this could include a combination of:

  • technology and process steps - for example, including cybersecurity requirements in any RFP, evaluating bids to identify security issues and ensuring that security-by-design principles are incorporated into the project. A key component of this will be documenting the nature of the security measures taken and being able to justify why these are appropriate in the circumstances;
  • contractual obligations - ensuring that robust terms are agreed regarding technical and organisational security commitments, together with a process for ensuring they evolve over the duration of the project or service delivery; and
  • implementation activities - having a cybersecurity incident plan in place to ensure that security practices are monitored, that bad practices can be effectively eliminated and that the organisation is prepared to deal with unforeseen cybersecurity issues (such as being locked out of key systems or losing access to data).

Cybersecurity risk management in networks that commonly include older hardware that is difficult to upgrade requires careful consideration of the risks of networking such devices. This involves identifying what those devices should (or should not) be able to communicate with, assessing what could happen if those devices are vulnerable endpoints that are attacked, and applying defence in depth to manage the risk of networking them.