Close Menu
Subscribe
Critical Infrastructure Security News & Analysis Security Study & Research

Critical Infrastructure Embraces CISA CyHy Service

Josh Breaker RolfeBy 2 Mins Read
cisa

Critical infrastructure organization enrollment in CISA’s Cyber Hygiene (CyHy) service surged 201% between 1 August 2022, and 31 August 2024, a new report released by the US cybersecurity agency has revealed.

The CISA CyHy service is a suite of free tools and services designed to help critical infrastructure organizations improve their security posture. Key features include vulnerability scanning, threat intelligence, and guidance and best practices. According to Emily Phelps, Director at Cyware, the service’s growth “reflects the critical sectors’ increasing focus on cybersecurity.”

Critical Infrastructure Enrollment by Sector

According to CISA’s Cybersecurity Performance Goals (CPG) Adoption Report, the following industries lead the surge in CyHy adoption:

  • Communications – 300% 
  • Emergency services – 268%
  • Critical manufacturing – 243%
  • Water and wastewater systems 242%

This is encouraging news, exemplifying that many of the US’s most important organizations are aware of and actively responding to the rapidly increasing cyber threat to critical infrastructure caused by heightened geopolitical tensions.

Exploitable Services, KEV Tickets, and Remediation Times Tumble

In more good news, CISA has also revealed that the number of exploitable services monitored by CISA Vulnerability Scanning has decreased steadily in the same timeframe. In August 2022, the number of exploitable services per enrollee was 12; by August 2024, this number had fallen to around 8.

The number of known exploited vulnerabilities (KEV) tickets also declined during this period, with critical severity KEVs falling by 50% and high-severity KEVs dropping by 25%. Similarly, SSL times fell dramatically from August 2022 to 2024, decreasing from around 200 days to less than 50 days, respectively.

However, Phelps argues that, while these statistics are undoubtedly good news, critical infrastructure organizations must do more to build resilience against evolving threats.

“Protecting critical infrastructure demands real-time threat detection, intel and defensive strategy sharing, coordinated responses, and robust strategies to secure essential services,” she said.

About the Author

  • josh breaker rolfe

    Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.

The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.

Share.

Related Posts

Information Security Buzz is an independent resource that provides the experts’ comments, analysis, and opinion on the latest Cybersecurity news and topics

Working With Us

Write For Us

The Pages