CISA tells agencies to identify, upgrade unsupported edge devices

Agencies are on the hook to identify outdated “edge” hardware and software on their networks, as the Cybersecurity and Infrastructure Security Agency warns such devices pose a “substantial and constant” risk to agency IT systems.

In a binding operational directive (BOD) issued Thursday, CISA directed agencies to update any end-of-support devices on their networks. Such devices – also referred to as “unsupported”– are no longer maintained by their vendors.

“Persistent cyber threat actors, including those with ties to nation states, are increasingly exploiting unsupported edge devices, hardware and software, that no longer receive vendor updates to firmware or other security patches,” CISA Executive Assistant Director for Cybersecurity Nick Andersen told reporters. “These devices are positioned at a network perimeter and are especially vulnerable to persistent cyber threat actors exploiting a novel or a new or known vulnerability. Once an edge device is exploited, threat actors can gain initial access to networks, move laterally, disrupt operations and exfiltrate sensitive data.”

BODs are compulsory for civilian executive branch agencies. Andersen said CISA didn’t issue the directive in response to “any one incident or compromise,” adding that it’s “recognition that unsupported devices just pose such a serious risk to federal systems.”

CISA has also developed an “EOS Edge Device List” to help agencies identify any unsupported devices. Andersen said the device would not be made public. Typically, edge devices include load balancers, firewalls, routers, switches, wireless access points, network security appliances and other components that route network traffic, according to a CISA factsheet.

“This list was developed specifically for the devices that are predominant in the federal government,” Andersen said. “It’s not really an apples to apples comparison to the devices that other government or private sector organizations may utilize. Network owners should reach out to the vendors of their specific network devices to best understand the support lifecycle for those devices.”

While Andersen wouldn’t comment on any specific threats to agency edge devices, CISA’s Known Exploited Vulnerabilities catalog has featured multiple entries over the last year with warnings about “end-of-life” or “end-of-service” vulnerabilities, including a bug associated with unsupported D-Link routers in December.

A CISA-issued warning about a Chinese state-sponsored espionage campaign last September also included recommendations to upgrade any “unsupported network devices.”

New deadlines

CISA’s latest directive requires agencies to immediately update edge devices to vendor-supported software and firmware, wherever possible. That action is required in cases “where such an update does not adversely impact mission critical functionality.”

Within three months, agencies are required to inventory any devices that are identified on CISA’s end-of-service list.

Within one year, CISA is requiring agencies to decommission any devices on CISA’s list with an end-of-service date that falls within the next 12 months. During that 12-month period, agencies are also required to inventory all edge devices that are coming up on their end-of-service, regardless of whether the are on CISA’s list.

Andersen said the 12-month timeline is intended to give agencies time to complete a thorough inventory.

“In many cases, this may require investing in new devices, so we’re encouraging all organizations to implement this guidance and the directive as soon as possible,” Andersen said. “But providing for a 12-month timeline … that gives us an opportunity as well to look at this across multiple fiscal years across our across our federal government partners.”

Finally, within 18 months, agencies will be required to decommission all end-of-service devices from their networks.

End-of-service devices no longer receive software updates or security mitigations, meaning they are more susceptible to “high-impact security incidents,” according to guidance from the U.K. National Cyber Security Centre. Andersen said CISA collaborated with the NCSC and the FBI on the directive.

The U.K. agency warns that without security patches, obsolete technology products are difficult to secure, though it acknowledges that not all organizations are able to fully migrate way from such products.

“When a product is no longer supported by its developer, there are limits on the measures that will be effective in protecting against new threats,” the NCSC guidance states. “Over time, new vulnerabilities will be discovered that can be exploited by relatively low-skilled attackers.”

Agencies have long struggled to keep pace with the private sector in modernizing their legacy IT systems. A Government Accountability Office review last year identified 11 legacy federal IT systems that were “most in need of modernization. GAO found four of the IT systems had unsupported hardware or software, while seven were operating with “known cybersecurity vulnerabilities.”

Andersen said CISA coordinated with the White House Office of Management and Budget on the new directive. He said CISA would monitor compliance with the BOD and provide support to agencies where needed.

“We’re looking forward to having a conversation around technical solutions to help make this easier, both for our federal family as well as those within the broader community with things like using open EOX, which is a standardized approach to sharing some of this end-of-life support information and optimizing the product life cycle oversight using it,” Andersen said.

link