The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Monday, urging critical infrastructure organizations to review their environments and identify any communications equipment deemed to pose high risks.
The Federal Communications Commission (FCC) maintains the Covered List, which includes telecommunications devices and services that pose national security risks. The list, last updated in September 2022, includes products from companies such as Huawei, ZTE, Hytera, Hikvision, Dahua, China Mobile, China Telecom, China Unicom, and Pacific Network Corp.
CISA recommended that organizations review the Covered List and integrate it into their supply chain risk management efforts. CISA also advised companies to review the guidance issued by NIST and CISA on software supply chain risks, and to identify and mitigate cybersecurity risks associated with the supply chain.
In addition to urging organizations to incorporate the Covered List into their supply chain risk management efforts, CISA recommended that all critical infrastructure owners and operators take the necessary steps to secure the country’s most critical supply chains.
The agency suggested that companies use pre-ransomware notifications, ransomware vulnerability warnings, and a vulnerability scanning service to improve the security of their networks.
Finally, CISA urged all critical infrastructure organizations to enroll in its free Vulnerability Scanning service to identify vulnerable or high-risk devices, such as those on the FCC’s Covered List.