CISA and FCC Issue Urgent Call for Cyber Hardening for Communications Infrastructure
2024-12-13 01:0:0 Author: securityboulevard.com

CISA has released new cybersecurity guidelines for communications infrastructure. The guidance comes in the wake of a series of disclosures that massive telecommunications carriers have been compromised by Salt Typhoon and other China-sponsored adversaries.

At the same time, the U.S. Federal Communications Commission (FCC) has proposed a Declaratory Ruling to require telecommunications carriers to protect their networks from infiltration. A draft ruling was introduced in early December 2024 by FCC Chairwoman Jessica Rosenworcel. The draft ruling was sparse on details, but outlined two major purposes:

  1. Expanding cybersecurity requirements across a range of communications providers.
  2. Creating an annual certification requirement for communications service providers to “create, update, and implement cybersecurity risk management plans,” then annually certify compliance with these plans to the FCC “to assure accountability.”

The proposed ruling was quickly followed by the introduction of legislation for a potential Senate vote. As of this writing, no law had been passed, though the FCC fact sheet stated that the Declaratory Ruling could take effect “immediately” if the five members of the Commission voted to adopt it. 

Additionally, Senate subcommittee hearings on December 11 discussed the Salt Typhoon intrusions and their implications for strategic, operational, and legal concerns around cybersecurity in telecommunications providers. 

How Eclypsium Supports The CISA Guidelines for Securing Telcos

CISA’s guidance falls into two main categories: strengthening visibility, and hardening systems and devices. In each of those categories, guidance is provided for both network engineers and network defenders. The advice focuses heavily on segmentation and on reducing the exposure of network devices to the public internet. However, significant attention is also paid to managing and monitoring the configuration of software, hardware, and firmware, with particular emphasis on routers and switches. An entire section is devoted to Cisco-specific guidance, since Cisco devices have been so frequently targeted by People’s Republic of China (PRC) threat actors.

Eclypsium can help telecommunications providers achieve many of the critical requirements recommended by CISA, including the following:

“Closely scrutinize and investigate any configuration modifications or alterations to network devices such as switches, routers, and firewalls outside of the change management process.”

  • Eclypsium offers detections that, in some situations, alert when suspicious firewall rule changes occur.

“Monitor user and service account logins for anomalies that could indicate potential malicious activity. Validate all accounts and disable inactive accounts to reduce the attack surface. Monitor logins occurring internally and externally from the management environment.”

  • Related to the Pacific Rim campaign specifically, Eclypsium offers detections that alert on known backdoor/malicious accounts that exist on Sophos firewalls.

“Ensure the inventory of devices and firmware in the environment are up to date to enable effective visibility and monitoring.”

  • Eclypsium can discover devices and their firmware versions within the environment so that organizations can update to secure versions, or ensure that they are effectively monitoring devices that have insecure firmware that can’t be updated.
  • Eclypsium can also support automated updating of firmware to reduce friction and minimize the internal attack surface represented by outdated, vulnerable firmware.

“Confirm the integrity of the software image in use by using a trusted hashing calculation utility, if available.”

  • Eclypsium can verify the integrity of software and firmware in use both on user endpoints and in network equipment such as routers and switches. 

“If a utility is unavailable, calculate a hash of the software image on a trusted administration workstation and compare against the vendor’s published hashes on an authenticated site as a trusted source of truth. This may require engaging the device’s maintenance contract to access source of truth hash values. For additional security, copy the image to a forensic workstation and calculate the hash value to compare against the vendor’s published hashes.”

  • Eclypsium can deliver on this requirement for many of the major network device vendors, including:
    • Arista
    • Cisco IOS
    • Cisco ASA
    • Cisco NX-OS
    • Cisco Firepower
    • F5
    • Citrix Netscaler
    • Fortinet FortiOS
    • Dell FTOS
    • Dell OS6
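
The manual check CISA describes above, as an added example (not code from CISA, Eclypsium or any vendor): it streams an image through SHA-512 on the administration workstation and compares the result with a vendor manifest. The `sha512sum`-style manifest format, the function names and the sample file name are assumptions; the manifest itself must be obtained from the vendor's authenticated site.

```python
import hashlib
from pathlib import Path


def file_digest(path, algorithm="sha512", chunk_size=1 << 20):
    """Stream the image through the hash so large images never sit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'hexdigest  filename' lines (assumed format) into {filename: digest}."""
    published = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # skip blanks, comments and malformed lines
        digest, name = parts
        published[name.lstrip("*")] = digest.lower()
    return published


def verify_image(path, published, algorithm="sha512"):
    """Return 'match', 'MISMATCH' or 'UNLISTED' for one image file."""
    expected = published.get(Path(path).name)
    if expected is None:
        return "UNLISTED"  # no vendor hash: unverified, never assumed good
    return "match" if file_digest(path, algorithm) == expected else "MISMATCH"


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as d:
        image = Path(d, "router-os-1.0.bin")  # constructed sample image
        image.write_bytes(b"constructed firmware image")
        # Constructed manifest standing in for the vendor's published hashes.
        manifest = f"{hashlib.sha512(image.read_bytes()).hexdigest()}  {image.name}\n"
        published = parse_manifest(manifest)
        print(image.name, verify_image(image, published))
        image.write_bytes(b"constructed firmware image, modified")
        print(image.name, verify_image(image, published))
```

An `UNLISTED` result means no published hash was found for that file name, which is the case where the guidance suggests engaging the device's maintenance contract for source-of-truth values.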

Additionally, several items listed in the guidance relate to vulnerability management, including identifying known vulnerabilities, insecure protocols, and default credentials. Eclypsium offers network vulnerability scanning, which can be complemented with nmap scanning with vulnerability identification.


The post CISA and FCC Issue Urgent Call for Cyber Hardening for Communications Infrastructure appeared first on Eclypsium | Supply Chain Security for the Modern Enterprise.

*** This is a Security Bloggers Network syndicated blog from Eclypsium | Supply Chain Security for the Modern Enterprise authored by Chris Garland. Read the original post at: https://eclypsium.com/blog/fcc-cisa-communications-infrastructure-cyber-security/


Article source: https://securityboulevard.com/2024/12/cisa-and-fcc-issue-urgent-call-for-cyber-hardening-for-communications-infrastructure/