If you haven’t been living under a rock, it would be hard not to notice the cyber attacks and threats against public and critical infrastructure since 2020. Attacks on critical infrastructure continue to increase because these systems are high-value targets: a successful attack can cause major damage and downtime, with consequences that are a real threat to public safety.
The bill was created and signed to encourage companies to share information about cyber-related events more openly, in order to mitigate ongoing and potential future threats to critical infrastructure.
That law was signed following the attacks on critical infrastructure that included the Colonial Pipeline, among others.
Details on CIRCIA 2022
CIRCIA 2022 establishes new reporting guidelines for critical infrastructure companies and industries to follow when they are a victim of a cyber attack.
Here are the industries that are subject to CIRCIA reporting guidelines:
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Bases
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
The covered entities in these industries will need to report two specific types of cyber incidents, under what the bill calls a “covered cyber incident.”
The rule will also require that any ransom paid as a result of a cyber incident be reported within 24 hours.
As of now, any company that falls within those sectors must report all cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.
Here is a full list of the critical infrastructure sectors defined by CISA.
Reporting for CIRCIA 2022
As noted, all cyber incidents should be reported to CISA within 72 hours.
The rule will also require organization.
These are the types of cyber incidents that organizations should report under the guidelines:
- Unauthorized system access
- DoS attacks lasting over 12 hours
- Malicious code on systems
- Phishing attempts or successes
- Ransomware attacks
- Attempts to gain access to an organization’s system
When reporting any cyber incident to CISA, the following details should also be included:
- Incident date and time
- Incident location
- Type of activity observed
- A detailed narrative of the cyber event
- The number of systems or people affected by the cyber incident or event
- The name of the company or organization
- Point of contact details
- Severity of the cyber incident
- The sector of the critical infrastructure if known/applicable
- Anyone else informed
Federal and critical infrastructure partners can complete an incident report form or email CISA with all details.
“When cyber incidents are reported quickly, CISA can use this information to render assistance and provide a warning to prevent other organizations and entities from falling victim to a similar attack,” the guide explains.