(TLP:CLEAR) CISA Releases BOD 26-02: Mitigating Risk from End-of-Support Edge Devices

Summary: Today, CISA released a Binding Operational Directive (BOD), titled “BOD 26-02: Mitigating Risk From End-of-Support Edge Devices.” In the directive, CISA mentions the U.S. faces persistent cyber campaigns that threaten both public and private sectors, directly impacting the security and privacy of the American people. These campaigns are often enabled by unsupported devices that physically reside on the edge of an organization’s network perimeter. Unsupported devices – referred to in the BOD as “end of support (EOS)” – are those that are no longer maintained by their vendors.

Analyst Note: CISA is aware of widespread exploitation campaigns by advanced threat actors targeting EOS edge devices. It mentions that recent public reports of campaigns targeting certain vendors highlight threat actors’ attempts to use these devices as a means to pivot into information system networks. Additionally, edge devices are attractive targets due to their extensive reach into an organization’s network and integrations with identity management systems. These devices are especially vulnerable to cyber exploits targeting newly discovered, unpatched vulnerabilities. Furthermore, they no longer receive supported updates from the original equipment manufacturer, exposing systems to disproportionate and unacceptable risks.

While the BOD is compulsory for federal departments and agencies, the information and actions included are directly applicable to water utilities and hold significant value for improving the security of edge devices and resilience across the water sector.

Original Source: https://www.cisa.gov/news-events/directives/bod-26-02-mitigating-risk-end-support-edge-devices

Related WaterISAC PIRs: 6, 10, 12