CISA's New 'CyberSentry' Program to Tighten ICS Security

Program to Monitor IT, OT Networks of Enrolled Critical Infrastructure Partners
The United States is further fortifying its critical infrastructure security with a new Cybersecurity and Infrastructure Security Agency program that enhances the cyber resilience of participating partners leveraging the agency's advanced threat detection and monitoring capabilities.
CISA revealed last week details of its CyberSentry program, which is intended to provide critical, cross-sector, real-time monitoring of both the information technology and operational technology of critical infrastructure partners.
The CyberSentry program is part of several cybersecurity provisions in the National Defense Authorization Act signed by U.S. President Joe Biden in December 2021. The act provisioned $768 billion in defense spending including the cybersecurity component of various national and federal agencies (see: Biden Signs Into Law NDAA With Several Cyber Provisions).
The program aims to support CISA's efforts to defend U.S. critical infrastructure network operators that support national critical functions, such as power and water supply, banks and financial institutions, and healthcare, by monitoring both known and unknown malicious activity affecting IT and OT networks.
The CyberSentry program is based on a mutual agreement between CISA and participating critical infrastructure partners. The program is voluntary and is provided with no additional fees or equipment costs to the participating partners.
Under the program, CISA harnesses sensitive government information to provide visibility into, and mitigation of, cyberthreats targeting critical infrastructure. The insights and critical information gained from the program will be used for the collective defense of infrastructure across partners nationwide.
CISA will strategically integrate its own hardware and software stack at partner facilities to gain visibility into IT/OT networks without disturbing operations. The agency will notify partners when a cybersecurity event is detected and resolve it. CISA analysts can deploy additional resources, if needed, to hunt active cyberthreats in real time or provide other support to its CI partners.
Jermaine Roebuck, associate director of threat hunting for CISA, said, "CyberSentry has added significant value to both CISA's national mission and to our partners' enterprise cybersecurity efforts."
He said the program augments commercial detection capabilities with three key benefits: It enables the operational use of sensitive information even before it is disclosed to the broader cybersecurity community; it allows CISA's analysts to correlate threat activity targeting multiple critical infrastructure entities and understand evolving campaigns; and it provides participating entities with access to their own CyberSentry dashboard, enabling integration into the partner's cyber operations.
Roebuck said the CyberSentry program already has successful case studies, which include infected OT equipment, unintentional exposure, private sector coordination, SolarWinds response, identification of malicious activity, malware discovery, and attacker exfiltration detection.
CyberSentry data also helped CISA analysts identify partners affected during the Colonial Pipeline disruption, Roebuck said. CISA coordinated closely with its pipeline partners to share information and remediate the threat quickly. On multiple occasions, CISA provided its partners with specific guidance on remediating the situation and terminating attacks - at times, within a few hours.
"CISA is looking to partner with a select number of additional critical infrastructure organizations who operate systems supporting national critical functions - functions so vital to the United States that their disruption, corruption or dysfunction would have a debilitating effect on our nation," Roebuck said.