CISA Insights

Informed by U.S. intelligence and real-world events, each CISA Insight provides background information on particular cyber or physical threats to the nation’s critical infrastructure, as well as a ready-made set of mitigation activities that non-federal partners can implement. This page is continuously updated to reflect new CISA Insights as they are made available.


Mitigating Attacks Against Uninterruptible Power Supply Devices (March 2022)

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords.

In recent years, UPS vendors have added an Internet of Things capability, and UPSs are routinely attached to networks for power monitoring, routine maintenance, and/or convenience.

UPS devices provide clean and emergency power in a variety of applications when normal input power sources are lost. Loads for UPSs can range from small (e.g., a few servers) to large (e.g., a building) to massive (e.g., a data center). Various different groups within an organization could have responsibility for UPSs, including but not limited to IT, building operations, industrial maintenance, or even third-party contract monitoring service vendors.

Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats (January 2022)

Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety. Over the past year, cyber incidents have impacted many companies, non-profits, and other organizations, large and small, across multiple sectors of the economy.

Most recently, public and private entities in Ukraine have suffered a series of malicious cyber incidents, including website defacement and private sector reports of potentially destructive malware on their systems that could result in severe harm to critical functions. The identification of destructive malware is particularly alarming given that similar malware has been deployed in the past—e.g., NotPetya and WannaCry ransomware—to cause significant, widespread damage to critical infrastructure.

This CISA Insights is intended to ensure that senior leaders at every organization in the United States are aware of critical cyber risks and take urgent, near-term steps to reduce the likelihood and impact of a potentially damaging compromise. All organizations, regardless of sector or size, should immediately implement the steps outlined below.

Preparing For and Mitigating Potential Cyber Threats (December 2021)

In the lead up to the holidays and in light of persistent and ongoing cyber threats, CISA urges critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential malicious cyber attacks. Sophisticated threat actors, including nation-states and their proxies, have demonstrated capabilities to compromise networks and develop long-term persistence mechanisms. These actors have also demonstrated capability to leverage this access for targeted operations against critical infrastructure with potential to disrupt National Critical Functions.

Executives and senior leaders can proactively take steps to prepare their organizations should an incident occur. Implementing the cybersecurity best practices provided below can help guide leaders to strengthen operational resiliency by improving network defenses and rapid response capabilities.

Chinese Cyber Threat Overview and Actions for Leaders

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) assess that the People’s Republic of China leverages cyber operations to assert its political and economic development objectives. This joint analysis provides a summary of the Chinese cyber threat to the U.S. Federal Government; state, local, tribal, and territorial (SLTT) governments; CI organizations; and private industry; and provides recommendations for organization leadership to reduce the risk of cyber espionage and data theft.

Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses

Cyber threat actors are known to target managed service providers (MSPs) to reach their customers. MSPs provide remote management of customer IT and end-user systems and generally have direct access to their customers’ networks and data. By exploiting trust relationships in MSP networks, cyber threat actors can gain access to a large number of the victim MSP customers. This CISA Insights provides mitigation and hardening guidance for MSPs and their small- and mid-size business customers. By applying this guidance, organizations can protect MSP customer network assets and reduce the risk of successful cyberattacks.

SolarWinds and AD-M365 Compromise Risk Decisions for Leaders

Since December 2020, CISA has been responding to a significant cybersecurity incident in which an advanced persistent threat (APT) actor gained initial access to enterprise networks of U.S. government agencies, critical infrastructure entities, and private sector organizations. The APT actor only targeted a select group of organizations affected by the SolarWinds Orion compromise for follow-on network exploitation. Additionally, the APT actor used techniques other than the supply chain compromise to access targeted networks. After gaining persistent, invasive access to select organizations’ enterprise networks, the APT actor targeted their federated identity solutions and their Active Directory/M365 environments. This CISA Insights will help executive leaders of affected entities understand and be able to articulate the threat, risk, and associated actions their organizations should take. For additional details, see CISA websites, and

What Every Leader Needs to Know About the Ongoing APT Cyber Activity (December 2020)

CISA is tracking a significant cyber incident impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and private sector organizations. An advanced persistent threat (APT) actor compromised the SolarWinds Orion software supply chain and is abusing commonly used authentication mechanisms. If left unchecked, this threat actor has the resources, patience, and expertise to resist eviction from compromised networks and continue to hold affected organizations at risk. CISA urges organizations to prioritize measures to identify and address this threat. For details, review the related CISA Alert, which CISA will update as information becomes available.

Actions to Counter Email-Based Attacks on Election-Related Entities (September 2020)

Malicious cyber actors have been known to use sophisticated phishing operations to target political parties and campaigns, think tanks, civic organizations, and associated individuals. Email systems are the preferred vector for initiating malicious cyber operations. Recent reporting shows 32 percent of breaches involve phishing attacks, and 78 percent of cyber-espionage incidents are enabled by phishing. To protect against these attacks, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations involved in any election-related activities prioritize the protection of accounts from email-based attacks by:

  • Using provider-offered protections, if utilizing cloud email.
  • Securing user accounts on high value services.
  • Implementing email authentication and other best practices.
  • Securing email gateway capabilities.

Ransomware Outbreak (August 2019)

Helping organizations protect themselves from ransomware attacks is a chief priority for the Cybersecurity and Infrastructure Security Agency (CISA). We have assisted many ransomware response and recovery efforts, building an understanding of how ransomware attacks unfold, and what potential steps you can take to better defend systems. But we also recognize that there’s no such thing as perfect cybersecurity and ransomware infections can still happen, so we’ve also developed recommendations to help organizations limit damage, and recover smartly and effectively.

Mitigate DNS Infrastructure Tampering (January 2019)

In late 2018, cybersecurity organizations across the globe started to detect an increase in malicious activity targeting the Domain Name System (DNS) infrastructure on which we all rely. Using common tactics, outlined below, the attackers were able to redirect and intercept web and email traffic, and could have achieved the same for other networked services. The Cybersecurity and Infrastructure Security Agency (CISA) encourages its State, Local, Tribal and Territorial (SLTT) government partners, as well as private sector owners of critical infrastructure, to use this guide to learn more about this threat and associated mitigation activities. This guidance is derived from Emergency Directive 19-01 – Mitigate DNS Infrastructure Tampering and includes lessons learned and additional considerations for non-federal entities seeking to implement actions in line with federal civilian departments and agencies, as directed by CISA.

Remediate Vulnerabilities for Internet-Accessible Systems (January 2019)

Adversaries operating in cyberspace can make quick work of unpatched Internet-accessible systems. Moreover, the time between an adversary’s discovery of a vulnerability and their exploitation of it (i.e., the ‘time to exploit’) is rapidly decreasing. Industry reports estimate that adversaries are now able to exploit a vulnerability within 15 days (on average) of discovery. After gaining entry into information systems and networks, these adversaries can cause significant harm. Internet-accessible information systems include any system that is globally accessible over the public internet (i.e., has a publicly routed internet protocol (IP) address or a hostname that resolves publicly in DNS to such an address) and encompass those systems directly managed by an organization, as well as those operated by a third-party on an organization’s behalf. As organizations continue to expand their Internet presence through increased use and operation of interconnected and complex Internet accessible systems, it is more critical than ever to rapidly remediate vulnerabilities inherent to these systems. Failure to do so could allow malicious actors to compromise networks through exploitable, externally-facing systems. The Cybersecurity and Infrastructure Security Agency (CISA) encourages its State, Local, Tribal and Territorial (SLTT) government partners, as well as private sector owners of critical infrastructure, to use this guide to learn more about this threat and associated mitigation activities. This guidance is derived from Binding Operational Directive 19-02 – Vulnerability Remediation Requirements for Internet-Accessible Systems and includes lessons learned and additional considerations for non-federal entities seeking to implement actions in line with federal civilian departments and agencies, as directed by CISA.

Enhance Email and Web Security (2019)

Phishing emails and the use of unencrypted Hypertext Transfer Protocol (HTTP) protocol remain persistent channels through which malicious actors can exploit vulnerabilities in an organization’s cybersecurity posture. Attackers may spoof a domain to send a phishing email that looks like a legitimate email. At the same time, users transmitting data via unencrypted HTTP protocol, which does not protect data from interception or alteration, are vulnerable to eavesdropping, tracking, and the modification of the data itself.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages its State, Local, Tribal and Territorial (SLTT) government partners, as well as private entities, to use this guide to learn more about this threat and associated mitigation activities. This guidance is derived from Binding Operational Directive 18-01 – Enhance Email and Web Security and includes lessons learned and additional considerations for non-federal entities seeking to implement actions in line with federal civilian departments and agencies, as directed by CISA.

Cybersecurity and Physical Security Convergence

Global Positioning System (GPS) Interference (December 2022)

In January 2022, a GPS interference event occurred over a 33-hour period in the vicinity of the Denver International Airport due to a transmitter errantly broadcasting in the GPS frequency. No accidents or injuries occurred because of the GPS interference incident. However, several critical infrastructure sectors were degraded. Many systems that detected the event had resilient alternate timing built in for back up or fail-over timing and experienced minor or no degradation of services. This CISA Insights was developed to inform GPS users on the possibilities of this type of disruption and help them implement strategies to prevent future degradation of services.

Preparing Critical Infrastructure for Post-Quantum Cryptography (August 2022)

As quantum computing advances over the next decade, it presents increasing risk to public key encryption that is used to protect customer data, complete business transactions, and secure communications. To understand these risks, CISA analyzed how each of the 55 National Critical Functions (NCFs) is vulnerable to quantum computing capabilities as well as the challenges NCF-specific systems may face when migrating to post-quantum cryptography. This CISA Insights provides an overview of the potential impacts from quantum computing to NCFs, the three priority areas of NCFs for public-private collaboration and engagement, and recommended actions that government and critical infrastructure organizations should take now to mitigate against future threats.

Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure Insight (February 2022)

In light of developing Russia-Ukraine geopolitical tensions, the risk of foreign influence operations affecting domestic audiences has increased. This CISA Insights product is intended to ensure that critical infrastructure owners and operators are aware of the risks of influence operations leveraging social media and online platforms to spread mis-, dis-, and malinformation (MDM) narratives. Organizations can take steps internally and externally to ensure to swift coordination in information sharing, as well as the ability to communicate accurate and trusted information to bolster resilience.

Risk Considerations for Managed Service Provider Customers (September 2021)

Information Technology (IT) services enable business operations but can also be a complex, costly, and time-consuming enterprise for many organizations to manage on their own. Third-party vendors such as Managed Service Providers (MSPs) offer services that can reduce costs and play a critical role supporting efficient IT operations for organizations of all sizes. To aid organizations in making informed IT service decisions, this CISA Insights provides a framework that government and private sector organizations (to include small and medium-sized businesses) outsourcing some level of IT support to MSPs can use to better mitigate against third-party risk.

    Mitigating the Impacts of Doxing on Critical Infrastructure (May 2021)

    Organizations are using online spaces now more than ever to conduct business operations. While critical, the increased use of online spaces also heightens concerns over the risk of doxing. CISA encourages individuals and organizations to take an active role in protecting themselves by controlling the information that is shared and stored online and implementing a series of best practices.

    CISA Insights: Mitigating the Impacts of Doxing on Critical Infrastructure brings awareness to the impacts of doxing to critical infrastructure and to share guidance and resources with critical infrastructure owners and operators, security professionals, and the general public. The publication defines and provides examples of doxing; explains the potential impacts to critical infrastructure; and offers protective and preventative measures, mitigation options, and additional resources for individuals and organizations.

    Infrastructure Security

    Chain of Custody and Critical Infrastructure Systems (July 2021)

    Chain of custody also plays an important role in security and risk mitigation for critical infrastructure sectors and their assets. A break in the chain of custody presents opportunities for malicious actors to compromise the integrity of a physical or digital asset (e.g., systems, data, or infrastructure). Without secure chain of custody practices, systems and assets could be unknowingly accessed and manipulated by threat actors which can lead to the integrity of these assets and systems being questioned. This CISA Insights provides an overview of what chain of custody is, highlights the potential impacts and risks resulting from a broken chain of custody, and offers critical infrastructure owners and operators an initial framework for securing chain of custody for their physical and digital assets.

    Enhancing Chemical Security During Heightened Geopolitical Tensions (January 2020)

    In light of recent international events with the potential for retaliatory aggression against the U.S. and our critical infrastructure, CISA urges facilities with chemicals of interest (COI)—whether tiered or untiered under the Chemical Facility Anti-Terrorism Standards (CFATS) program—to consider enhanced security measures to decrease the likelihood of a successful attack. As noted in the recent National Terrorism Advisory System (NTAS) Bulletin, certain offensive cyber operations have been attributed to the Iranian government, which allegedly has targeted a variety of industries and organizations, including financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defense industrial base.

    Increased Geopolitical Tensions and Threats (January 2020)

    Increased geopolitical tensions and threats of aggression may result in cyber and physical attacks against the Homeland and also destructive hybrid attacks by proxies against U.S. targets and interests abroad. Knowing how you, your organization, and your personnel may be exposed or targeted during increased tensions can help you better prepare. In many cases, implementing the Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials can dramatically improve your defenses. Should an incident occur, engage with partners, like CISA, and work with cyber or physical first responders to gain technical assistance. Review your organization from an outside perspective and ask the tough questions—are you attractive to Iran and its proxies because of your business model, who your customers and competitors are, or what you stand for?

    Secure High Value Assets (January 2020)

    A High Value Asset (HVA) is information or an information system that is so critical to an organization that the loss or corruption of this information or loss of access to the system would have serious impact to the organization’s ability to perform its mission or conduct business. These assets, systems, and datasets may contain sensitive controls, instructions or data used in critical operations, or they may house unique collections of data. These sensitivities make HVAs of particular interest to criminal, politically-motivated, or state-sponsored actors for either direct exploitation of the data or to cause a loss of confidence by the public.

    Preparedness Grant Guidance

    FY20 Preparedness Grant Guidance (February 2020)

    The Secretary of Homeland Security has released the Fiscal Year (FY) 2020 Preparedness Grant guidance. It directs and encourages investment in the areas of cybersecurity, soft targets and crowded places, intelligence and information sharing, emerging threats, and elections infrastructure security. These articulated priorities reflect the transformation underway in our shared risk environment and threat landscape. As a Nation with increasing reliance on collective preparedness and response, multi-disciplinary collaboration, and shared skills and resources, we must stay ahead of our adversaries. The challenges confronting State, Local, Tribal, and Territorial jurisdictions should and do inform how we prevent, prepare, protect, and respond to all-hazard situations, as well as domain-specific security conditions. The changes in the FY20 grant guidance reflect great opportunity for addressing emergent risks, closing historically underinvested capability and capacity gaps, and providing investment for high-performance innovations.


    Strategies to Protect Our Critical Infrastructure Workforce

    COVID-19 continues to pose a risk to the critical infrastructure workforce, to our National Critical Functions and to critical infrastructure companies and operations. Exposure of many frontline essential critical infrastructure workers to the SARS-CoV-2 virus has led to disproportionate illness and death in multiple sectors of critical infrastructure. Healthcare workers, law enforcement officers, firefighters, and workers in the transportation food and agriculture sectors are some of the workers that continue to risk exposure based on the nature of their job. Protecting the health and safety of the critical infrastructure workforce is necessary for the continued operation of our National Critical Functions and critical infrastructure companies and operators. 

    COVID-19 Disinformation Activity (May 2020)

    False and misleading information related to the coronavirus (COVID-19) are a significant challenge. This CISA Insight provides an overview of coronavirus disinformation and steps that can be taken to reduce the risk of sharing inaccurate information with your friends and family.

    Risk Management for Novel Coronavirus (COVID-19)

    This product is for executives to help them think through physical, supply chain, and cybersecurity issues that may arise from the spread of Novel Coronavirus, or COVID-19. According to the U.S. Centers for Disease Control and Prevention (CDC), COVID-19 has been detected in locations around the world, including multiple areas throughout the U.S. This is a rapidly evolving situation and for more information, visit the CDC’s COVID-19 Situation Summary.

    Cybersecurity Perspectives Healthcare and Public Health (HPH) Response to COVID-19 (January 2021)

    Disruptive ransomware and other malicious cyber attacks significantly reduce HPH entities’ ability to provide patient care and can contribute to patient mortality. Threat actors aim to disrupt HPH entities who have a low tolerance for down-time and may be experiencing resource and staffing constraints due to the COVID-19 pandemic. CISA recommends that all HPH entities review the following observations and findings - derived from an analysis of HPH entities enrolled in CISA’s free vulnerability scanning service from March to November 2020 - and take appropriate action to reduce potential vulnerability and maintain resilient cybersecurity practices.

    COVID-19 Vaccination Hesitancy Within the Critical Infrastructure Workforce (March 2021)

    COVID-19 vaccination hesitancy within the critical infrastructure workforce represents a risk to our National Critical Functions and critical infrastructure companies and operations. Employers of workers within the critical infrastructure sectors are essential to reducing vaccine hesitancy within their workforce by becoming messengers of accurate, reliable, and timely information. This CISA Insight provides an overview of COVID-19 vaccination hesitancy and steps that critical infrastructure owners and operators can take to reduce the risk and encourage vaccine acceptance across their critical sectors’ workforce.

    Provide Medical Care is in Critical Condition: Analysis and Stakeholder Decision Support to Minimize Further Harm (October 2021)

    The Cybersecurity and Infrastructure Security Agency (CISA) released the “Provide Medical Care” is in Critical Condition: Analysis and Stakeholder Decision Support to Minimize Further Harm. As the COVID-19 pandemic reaches another phase, with increased and protracted strains on the nation’s critical infrastructure and related National Critical Functions such as Provide Medical Care, CISA is undertaking a renewed push for cyber preparedness and resilience, as well as decision support for stakeholders within critical infrastructure sectors. The document includes a collection of analysis done by the CISA COVID-19 Task Force through July 1,2021.

    Bolstering Community Resilience During the COVID-19 Pandemic (December, 2021)

    It is essential that state, local, tribal, and territorial (SLTT) leaders begin to plan for the recovery phase of the pandemic. This starts with an assessment of community resilience and the investments in critical infrastructure that go beyond short-term responses to pandemic pressures and address the long-term changes that the pandemic has brought. This Insight encourages SLTT leaders to take a holistic perspective for considering community resilience: infrastructure resilience is a critical component of community resilience.

    Cyber Threats to Critical Manufacturing Sector Industrial Control Systems (December, 2021)

    CISA has identified potential operational vulnerabilities in Industrial Control Systems (the control systems that manage industrial processes) as a result of increased remote-based ICS management and industry adaptation to working conditions in the COVID-19 pandemic. This insight helps this sector mitigate future threats and to prioritize the management of risks.

    Was this webpage helpful?  Yes  |  Somewhat  |  No