Introduction

The ongoing efforts to enhance cybersecurity within critical national infrastructure (CNI) sectors have yielded significant improvements in addressing known exploited vulnerabilities and adhering to cyber hygiene best practices. These advancements are crucial in safeguarding essential services against evolving cyber threats.

Description

Critical national infrastructure (CNI) providers have made significant strides in addressing known exploited vulnerabilities and enhancing their adherence to cyber hygiene best practices. The Cybersecurity and Infrastructure Security Agency (CISA) reported a 50% reduction in remediation times for critical-severity known exploited vulnerabilities (KEVs) and a 25% reduction for high-severity KEVs since 2022 [2]. Specifically, the average time to resolve Secure Sockets Layer (SSL) vulnerability-related tickets decreased from approximately 200 days in 2022 to under 50 days [2]. Furthermore, the average remediation times for critical infrastructure organizations improved from 60 days to 30 days during this period [6].

CISA’s enrollment in its vulnerability scanning service nearly doubled [6], reaching 7,791 organizations by August 2024 [6]. This increase in participation has contributed to a decline in the average number of known exploited vulnerabilities among these entities, with most averaging just 0.5 vulnerabilities in their systems [6]. The average number of KEVs in internet-accessible assets has also decreased [3], reflecting a focused effort on addressing network flaws as outlined in CISA’s KEV catalog [3]. Additionally, SSL misconfigurations improved [3], dropping from an average of 3.8 to 2.5 over the past year [3]. The number of exploitable services monitored by CISA Vulnerability Scanning per enrollee fell from 12 in August 2022 to around eight in August 2024 [2]. The adoption of Cybersecurity Performance Goals (CPGs) [1] [4] [5], introduced on October 27, 2022 [3] [4], and updated on March 21, 2023 [4], has had a particularly positive impact on US critical infrastructure, especially in sectors such as healthcare and public health, water and wastewater systems [1] [5] [6], communications [5] [6], and government services and facilities [5] [6]. CISA continues to enhance partnerships across all 16 critical infrastructure sectors to encourage further CPG adoption [5].

Despite these advancements [6], the threat landscape remains challenging. The number of ransomware attacks surged by 74% globally from 2022 to 2023, with projections indicating further increases in 2024. Zero-day vulnerabilities continue to be a significant concern, being among the most frequently exploited [6]. Notably, the sectors named above have particularly benefited from CISA’s partnerships aimed at enhancing cyber hygiene, including initiatives like the 12 Cybersecurity Fundamentals for Water and Wastewater Utilities promoted by WaterISAC. However, operational technology protocols remain a concern [3]: government entities account for 63% of the highest occurrences of Industrial Control System (ICS) protocols exposed on the public internet [3], and the exposure also affects sectors such as IT, energy [3], healthcare and public health [3] [5] [6], and financial services [3].

Conclusion

The improvements in cybersecurity practices within critical national infrastructure sectors underscore the importance of continued vigilance and proactive measures. While significant progress has been made, the persistent and evolving nature of cyber threats necessitates ongoing collaboration and innovation. Future efforts should focus on mitigating emerging risks, particularly in operational technology protocols, to ensure the resilience and security of essential services.

References

[1] https://www.waterisac.org/portal/cyber-resilience-%E2%80%93-cisa-releases-cybersecurity-performance-goals-adoption-report
[2] https://www.infosecurity-magazine.com/news/remediation-times-drop-cyber/
[3] https://mail.executivegov.com/2025/01/cisa-cybersecurity-performance-goals-report-critical-infrastructure/
[4] https://insidecybersecurity.com/daily-news/cisa-releases-findings-adopting-cross-sector-cyber-performance-goals-critical
[5] https://www.darkreading.com/cybersecurity-operations/cisa-releases-the-cybersecurity-performance-goals-adoption-report
[6] https://www.cybersecuritydive.com/news/cisa-performance-goals-analysis/737281/