Summary: CISA—in partnership with international and U.S. organizations—released guidance to help organizations protect their network edge devices and appliances, such as firewalls, routers, virtual private networks (VPN) gateways, Internet of Things (IoT) devices, internet-facing servers, and internet-facing operational technology (OT) systems.

Analyst Comment: Threat actors frequently take advantage of software vulnerabilities in network edge devices to penetrate critical infrastructure networks and systems. The resulting damage can be costly, time-consuming, and carry severe reputational risks. WaterISAC recommends reviewing these guidance documents which outline several strategies to better enhance network security and resilience before and after an incident. Edge devices should be considered among the critical assets of any organization and the security of such devices should be one of the highest priorities.

In addition to the guidance documents released by CISA and partners, WaterISAC also recommends members review Fundamental 5: Account for Critical Assets from WaterISACs 12 Cybersecurity Fundamentals for Water and Wastewater Utilities.

Some of the more widely used products/platforms with recent high-profile vulnerabilities which many utilities likely use:

• Check Point VPN
• Palo Alto Networks PAN-OS
• Ivanti Connect Secure and Policy Secure (formerly Pulse Connect Secure)
• Cisco ASA
• Fortinet FortiOS SSL VPN

Original Source: https://www.cisa.gov/resources-tools/resources/guidance-and-strategies-protect-network-edge-devices

Additional Reading:

• Threat Trend Awareness – Living on the Edge (of the Network Perimeter)

Mitigation Recommendations:

• Fundamental 5 | Account for Critical Assets, WaterISAC’s 12 Fundamentals for Water and Wastewater Utilities

Related WaterISAC PIRs: 6, 8