What Organizations Need to Know About SACA

June 2, 2022

New Federal Law Mandates the Reporting of Cybersecurity Incidents Involving Critical Infrastructure

Following an uptick in cybersecurity incidents that put US infrastructure at risk, Congress passed the Strengthening American Cybersecurity Act (SACA), which was signed into law by President Joe Biden on March 15th. One essential element of the law is the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which obligates businesses and government entities that operate in 16 specific critical infrastructure sectors to follow new reporting guidelines with short timeframes. The Act applies to the following 16 sectors: 

  1. Chemicals
  2. Commercial facilities
  3. Communications
  4. Critical manufacturing
  5. Dams
  6. Defense industrial base
  7. Emergency services
  8. Energy
  9. Financial services
  10. Food and agriculture
  11. Government facilities
  12. Healthcare and public health
  13. Information technology
  14. Nuclear reactors, material and waste
  15. Transportation systems
  16. Water and wastewater systems

When a company in one of these sectors experiences a cybersecurity incident, SACA will require a mandatory report if the incident substantially impacts the company’s information systems or network, or its operational systems and processes. Companies will also be required to report disruptions of business or industrial operations, including unauthorized access, denial of service (DoS) attacks, ransomware attacks, or exploitation of a zero-day vulnerability. This includes an attack caused by a compromised third-party provider, such as a cloud service, managed service provider, or other supply chain vendor.

The tight timelines in the new law require critical infrastructure entities to adjust their incident response plans. Organizations must notify the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of becoming aware of an incident, and within 24 hours of a ransom payment being made.

Top Critical Infrastructure Sectors Impacted by SACA

Cybersecurity in the Chemical Sector

The Chemical Sector is an integral component of the U.S. economy that comprises potentially hazardous chemicals upon which many other critical infrastructure sectors rely. The sector is at risk of having its chemicals weaponized across geographic regions via cyberattack. The industry’s visibility during the recent pandemic makes chemical companies attractive targets.

With chemical facilities, suppliers, and end users located around the globe, it’s easier than ever for hackers to use phishing emails to get an employee to click a malware link, or to impersonate a trusted supplier in order to deliver a file-borne attack. These attacks force temporary halts in manufacturing and other operations while the company investigates the breach, making email protection solutions and file sanitizers crucial for organizations in the chemical sector that want to maintain their productivity.

An example: In 2017, the Triton malware attack, which originated with a spear-phishing email, allowed Russian hackers to take over a Saudi petrochemical plant’s safety instrumented system.

In May 2021, German chemical distributor Brenntag paid a $4.4 million ransom in Bitcoin to DarkSide to access its North American company files that had been encrypted and to prevent stolen data from being leaked. Due to the sensitivity of data in the chemical sector, its history of cybersecurity breaches, the vulnerability of chemical companies, and the widespread economic reliance on these materials, SACA strives to prevent and minimize the damages caused by chemical cybersecurity breaches. 

SACA and the Commercial Facilities Sector

The Commercial Facilities Sector comprises sites that draw large crowds of people who can move about freely for the purpose of shopping, business, entertainment, or lodging. These include malls, casinos, hotels, amusement parks, public arenas, and office buildings, for example. These high-traffic areas are a top target for hackers, as these venues handle a vast amount of sensitive personal and financial data and are susceptible to weaponized files and data through mobile apps and online access options.

They are also easy to breach, as their physical security systems, including access control, lighting, building operations, and other industrial control systems, are generally controlled by Internet-connected networks, further opening them to the risk of cyberattacks.

An example: In October 2021, Meliá Hotels International, one of the largest hotel chains in the world, was hit with a ransomware attack that crippled the chain’s Spain-based operations. Attackers also took down the global reservation system, and some of its public websites were inaccessible as the company’s web servers were down. To stop these types of attacks, organizations in this sector will need to invest in ransomware prevention solutions, such as content disarm and reconstruction (CDR) technology.

Preventing Cyberattacks in the Communications Sector

The Communications Sector is the underlying component that powers the operations of all businesses, public safety organizations, and governments. No longer a simple provider of voice services, today’s Communications industry is a sophisticated sector that utilizes interconnected terrestrial, satellite, and wireless transmission systems. Cyberattacks on the communications industry are popular because company databases are full of detailed information on millions of customers. A successful telecom data breach could yield contact details, Social Security numbers, and credit card information, a goldmine for bad actors dealing in data on the dark web. As human error is the number one way hackers execute their file-borne schemes, the communications industry is especially at risk.

An example: In July 2020, Telecom Argentina, one of the country’s largest internet service providers, was hit with a ransomware attack that originated when a phishing email duped an employee into downloading an attachment that ultimately exposed their login credentials. The attack resulted in a ransom demand of $7.5 million to decrypt over 18,000 systems. Because of this attack and others like it, telecommunications companies and organizations will need to employ data sanitization tools to reduce the impact of successful phishing attacks.

Data Security for the Critical Manufacturing Sector

The Critical Manufacturing Sector is crucial to the US economy as any disruptions in the manufacturing process have a ripple effect on other industries. Some examples of industries that are included in this sector are manufacturers of primary metals, machinery, electrical equipment, and transportation equipment. 

Manufacturers are vulnerable to cyber-attacks due to extensive supply chains and fragmented systems that leave gaps in security. With plenty of vulnerable endpoints, hackers can inject malware into their manufacturing targets through a weak-link partner or supplier. According to the 2021 Global Threat Intelligence Report (GTIR), the manufacturing industry moved from the 8th most targeted industry by cyber attackers to number 2, a 300% increase in a single year, increasing the need for secure files and malware prevention. 

An example: In March 2022, a Japanese car parts manufacturer suffered a malware attack that allowed hackers access to its network in Germany, enabling the theft of 1.4 Tb of data, including tens of thousands of documents that reference customers and employees.

SACA Protection of Dams

More than 90,000 dams in the United States deliver critical water retention and control services, including hydroelectric power generation, municipal and industrial water supplies, agricultural irrigation, sediment and flood control, river navigation for inland bulk shipping, industrial waste management, and recreation. 

Dams are an attractive target for cyber-attacks as they irrigate at least 10% of U.S. cropland, help protect more than 43% of the U.S. population from flooding, and generate about 60% of electricity in the Pacific Northwest, according to CISA. The sector is considered especially vulnerable because of recent digitalization, where previously manually-operated components are being transitioned to digital operations with remote capabilities, opening the door to malware attacks and underscoring the need for investing in technology designed to prevent malware.

An example: In 2016, it was reported that back in 2013, Iranian state-sponsored hackers accessed the Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Dam in New York, exploiting an unprotected modem connection and lack of security controls. Luckily, the hackers only accessed a small sluice gate, which was offline for maintenance at the time of the breach.

Deterring Cyber Risks for the Defense Industrial Base Sector

The Defense Industrial Base Sector comprises more than 100,000 companies involved with military operations, including weapons systems, subsystems, and components or parts. 

Clearly, this sector is at risk of cyberattack due to the industry’s close connection with national security assets. Hackers understand that targeting vulnerable companies across the defense supply chain can be not only a profitable enterprise but also an alternate method of accessing valuable military information.

An example: In October 2021, high-ranking government officials in the defense industry in Western Asia were targeted in a sophisticated phishing campaign. A Microsoft Excel file that was likely delivered to the victim over email was used to inject malware into the company network. The goal of the campaign was assumed to be espionage. Since phishing campaigns can lead to espionage, organizations in this sector will need to employ email threat protection services and apply technologies that help them advance to a zero trust content security model.

The Emergency Services Sector and SACA

The Emergency Services Sector (ESS) is a community of millions of highly skilled, trained personnel whose mission is to save lives, protect property and the environment, assist communities impacted by disasters, and aid recovery during emergencies. The ESS includes Law Enforcement, Fire and Rescue Services, Emergency Medical Services, Emergency Management, and Public Works, as well as specialized emergency teams such as SWAT teams, canine units, HAZMAT, Search and Rescue, 911 call centers, and more.

As the ESS adopts advanced communication technologies such as 5G, AI, and IoT solutions, it becomes more vulnerable to cyber threats. The sector is a compelling target for hackers, as any disruption to the delivery of essential and urgent services will be high profile.

An example: In 2018, Baltimore’s 911 dispatch system was offline for 17 hours due to a cyberattack on its automated dispatch system. The city had to revert to manual dispatch methods until the breach was contained.

Protecting US Energy from Malware and Cyberattacks

The U.S. energy infrastructure fuels all critical infrastructure sectors, supplying electricity, oil, and natural gas to the transportation industry, electricity to households and businesses, and other sources of energy that are integral to growth and production across the nation, according to CISA.

The sheer number of electricity grids, power plants, and pipelines used to distribute energy across the country has rendered the energy sector an attractive target for cybercriminals. Due to this increased attention from cybercriminals, organizations in this sector must utilize data sanitization tools, email security solutions, and other CDR services to better protect themselves.

An example: In May 2021, Colonial Oil Pipeline was hit with one of the most devastating cyberattacks on infrastructure in recent history. The targeted ransomware attack shut down the largest overall pipeline in the US, one that supplied more than 45% of the East Coast’s gas, diesel, and jet fuel. Colonial paid $5 million in cryptocurrency as a ransom to regain control and prevent more than 100GB of data from company servers from being leaked. The attack is thought to have originated in an unpatched vulnerability or a phishing scam that snared an unsuspecting employee.

SACA and the Financial Services Sector

The Financial Services Sector includes thousands of banks, investment institutions, insurance companies, credit card processors, and other providers of the critical financial utilities and services that support these functions. 

The financial services sector is a top target for hackers and faces an increasingly high rate of cybercrime. Banks, investment firms, credit card processors, and other services that handle vast amounts of sensitive data are susceptible to weaponized files, a risk magnified by the increased accessibility of mobile and online banking.

An example: In March 2021, Chicago-based insurance firm CNA fell victim to a malware attack that encrypted 15,000 devices across its network, including many computers of employees working remotely. 

Cyber Protections for the Food and Agriculture Sector

The Food and Agriculture Sector directly affects the lives of everyone worldwide. According to CISA, the sector “is composed of an estimated 2.1 million farms, 935,000 restaurants, and more than 200,000 registered food manufacturing, processing, and storage facilities. This sector accounts for roughly one-fifth of the nation’s economic activity.”

The advances in agriculture-related technology and new economies of scale have resulted in an increase in cyber threats. Hackers understand the world’s dependence on a well-established food supply chain and look for opportunities to use malware, such as ransomware, for financial gain, political terrorism, or even social hacktivism. 

An example: In May 2021, JBS Foods, one of the biggest meat processing companies in the world, was hit by a ransomware attack. The company paid the $11 million ransom in Bitcoin to mitigate damage to the global food supply.  

Preventing Cyber Attacks on Government Facilities

The Government Facilities Sector comprises buildings located in the United States and overseas that are owned or leased by the government. These facilities include office buildings, military installations, embassies, courthouses, laboratories, and other physical structures.

Government facilities are an attractive target for hackers because they house highly sensitive information. The government also relies heavily on third parties and contractors, one of the leading causes of cyberattacks.

An example: In February 2022, Ukrainian government websites were disrupted shortly before Russian troops invaded Ukraine. Destructive malware was also used to penetrate the networks of a Ukrainian financial institution and two government contractors.

SACA Protections for Healthcare and Public Health

The Healthcare and Public Health Sector plays a significant role in response and recovery in the event of terrorism, infectious disease outbreaks, hazards, and natural disasters. 

There are good reasons hackers target the healthcare sector: it holds large volumes of valuable, sensitive financial and medical data. Patient records can sell for up to $1,000 apiece on the Dark Web, while credit card information sells for up to $110, and Social Security numbers sell for $1 apiece.

Hacking in healthcare is easier than in other sectors because organizations accept a large number of files from a wide range of senders, such as a benefit claim from a hospital or an approval application uploaded by a patient, exposing them to file-borne threats from any device or system involved in the file exchange. Because so many files cross trust boundaries between providers, hospitals, insurers, and patients, organizations should invest in technology that sanitizes data and content of malware as it travels from organization to organization, such as content disarm and reconstruction (CDR).

An example: In 2015, health insurer Anthem Healthcare suffered the theft of 78.8 million records. Highly-sensitive data was stolen, including names, Social Security numbers, dates of birth, and addresses. Hackers used spear-phishing to trick employees into revealing usernames and passwords, which allowed them access to the insurer’s systems. 

Preventing Malware in the Information Technology Sector

The Information Technology Sector produces and provides hardware, software, information technology systems and services, and the Internet. 

IT companies generally have a vast attack surface to protect, making them targets of cyberattacks. Their cutting-edge technologies, risk appetite, and wealth of valuable data have put them in the sights of threat actors.

An example: In May 2021, Taiwan-based computer manufacturer Acer was hit with a $50 million ransomware attack. Hackers exploited a Microsoft Exchange server vulnerability to gain access to Acer’s files and leaked images of sensitive financial documents and spreadsheets. 

SACA Protections for Nuclear Reactors, Material, and Waste

The Nuclear Reactors, Materials, and Waste Sector comprises the entire spectrum of civilian nuclear infrastructure, from power reactors that provide electricity to medical isotopes used to treat cancer patients. 

The expanding global footprint of nuclear energy and the introduction of new technologies and digital infrastructure in nuclear power have given rise to more significant threats of cyber-attacks. Process control systems in nuclear power plants have evolved from early analog systems, to digital systems, to SCADA systems, bringing with them new risks and vulnerabilities.  

An example: In June 2021, Sol Oriens, a small government contractor that works for the Department of Energy on nuclear weapons issues, was attacked by the Russia-linked hacking group REvil. The hackers stole invoices for NNSA contracts, descriptions of R&D projects managed by defense and energy contractors, and employees’ full names and Social Security numbers.

Malware Attacks on Transportation Systems

The nation’s transportation system quickly, safely, and securely moves people and goods through the country and overseas. The sector includes aviation, highway and motor vehicles, maritime transportation systems, mass transit and passenger rail systems, pipeline systems, freight rail, and postal and shipping.

Transportation systems are especially vulnerable to cyberattacks due to the industry’s aging infrastructure and inherent dependence on technology for control, navigation, tracking, positioning, and communications.  

An example: In 2016, San Francisco’s Municipal Railway (MUNI) light rail was compromised by a malware attack. The hackers encrypted over 2000 computer systems and forced the company to shut down ticketing systems for four days.

Water and Wastewater System Security Under SACA

Safe drinking water and properly treated wastewater are essential for human life and vital for preventing disease and protecting the environment. According to CISA, there are approximately 153,000 public drinking water systems and more than 16,000 publicly owned wastewater treatment systems in the United States, all of which are vulnerable to various attacks, including cyberattacks. The centrality of clean water puts this sector at automatic risk from bad actors and state-sponsored terrorism.

An example: In 2021, a Florida-based water treatment plant fell victim to a cyberattack. Threat actors exploited a vulnerability in a computer network and temporarily tampered with the water supply by raising chemical levels.

In 2020, Israeli water systems came under cyberattack when hackers attempted to compromise the ICS command and control systems for Israel’s pumping stations, sewer systems, wastewater plants, and agricultural pumps. The hackers tried unsuccessfully to raise chlorine and other chemical levels in the water in order to disrupt the water supply.

SACA Compliance: Next Steps for Companies

The Strengthening American Cybersecurity Act (SACA) is likely the first of many steps toward a federal privacy and breach notification framework. All companies, regardless of whether they are within the 16 critical infrastructure sectors, should be proactive about examining their current cybersecurity posture. Make sure your cyber policies and procedures are adjusted to meet the new requirements of the SACA law, including the ability to report any incident within 72 hours.

But even more importantly, take the steps needed to ensure your organization is protected against threats delivered via malware and content before a breach occurs. Votiro Cloud, backed by Positive Selection® technology, the most advanced form of Content Disarm and Reconstruction, takes a proactive approach to cybersecurity by cleansing potentially malicious code from files before they reach their end destination (inbox, storage, or applications). Votiro does not rely on detection like other anti-malware tools. Instead, the technology assumes all files are malicious and removes any malware, strips any embedded code, and rebuilds the file in a way that disrupts any additional covert malicious code. The new file contains only elements that have passed the positive selection process, removing any potential security breach. If you’d like to learn more about implementing Votiro’s proprietary Positive Selection® technology to secure your network against the threat of file-borne attacks, please schedule a demo today.