The federal government’s top cybersecurity agency wants to become the managed services provider for commercial critical infrastructure entities, which have become an increasing target of cybercriminals.

The Cybersecurity and Infrastructure Security Agency (CISA) is piloting a program that will enable such organizations to voluntarily tap into the shared services, support, and security expertise that federal civilian organizations have been leveraging for the past several years.

The pilot program comes from new authority granted to CISA by Congress, according to Eric Goldstein, executive assistant director for cybersecurity for the agency.

“Scaling CISA-managed cybersecurity services for the segments of our critical infrastructure community that need it most is a cost-effective way to gain greater insight into our evolving threat environment, establish a common baseline of cyber protection, and, most importantly, reduce the frequency and impact of damaging cyber events,” Goldstein wrote in a recent blog post.

Critical infrastructure – from energy and water organizations to education, healthcare, and communications – for the past few years have been coming under increasing attack. CISA counts 16 sectors that come under the critical infrastructure umbrella.

A study earlier this year by Waterfall Security reported a 140% year-over-year increase in attacks on operational technology (OT) entities in 2022 involving more than 150 industrial operations. High-profile attacks on Colonial Pipeline and JBS Foods in 2021 and, more recently, efforts by the China-linked threat group Volt Typhoon, illustrate the threat to such critical infrastructure organizations.

Such attacks have made protecting critical infrastructure a key part of the White House’s sprawling cybersecurity efforts.

“These types of cyber attacks have the potential to disrupt critical functions on which we all depend, and in the worst cases, lead to the loss of human life,” Goldstein wrote.

The goal of the pilot program is to show how CISA can deliver needed cybersecurity services to critical infrastructure organizations that most need support but might not be able to afford it, with the agency employing what it calls its “target-rich, resource-poor” strategy. The agency will target such entities in the healthcare, water, and K-12 education sectors in the first phase of deployment, with plans to deliver services to up to 100 such organizations this year.

DNS Resolver a First Step

CISA in October began deploying its Protect Domain Name System (DNS) Resolver to those participating in the pilot. The service, which uses threat intelligence from the U.S. government and commercial organizations to prevent systems from connecting to domains known or suspected of being malicious, previously had only been available to federal civilian agencies.

The service since 2022 has blocked almost 700 million attempts by federal agencies from trying to connect to known or suspected malicious domains or IP addresses, helping to reduce such risks as ransomware, phishing campaigns, and malicious redirects.

The service filters DNS queries by comparing them to threat intelligence and preventing suspicious or danger connections. It supports a range of emerging DNS technology, such as encrypted DNS protocol support protocol and IPv6 resolution. It also makes DNS log data available to users to increase visibility and provides them with such features as heavily customized alerts and data extraction.

“CISA is broadening the use of our highly scalable Protective DNS service to ensure ‘Target Rich, Resource Poor’ critical infrastructure entities have access to some of the same cybersecurity protections which have proven foundational to enterprise risk reduction across the federal government,” he wrote.

The same day that CISA announced the pilot program, it also addressed issues in the healthcare and K-12 sectors, both of which are key targets of ransomware operators and other bad actors. For example, Check Point threat researchers found that in 2022, healthcare organizations sustained 1,426 attacks a week – a 60% year-over-year increase – and that in the third quarter that year, one out of every 42 healthcare organizations was hit with a ransomware attack.

According to the K-12 Cyber Incident Map, there were 1,619 publicly disclosed cyber-incidents between 2016 and 2022.

In healthcare, the agency rolled out a 25-page mitigation guide of recommendations and best practices for protecting against cyberthreats. CISA offered similar information and tools to K-12 schools.