CISA Raises Shields Up Guidance — February 24, 2022

Executive briefing: On 24 February 2022—hours before Russia’s expanded invasion of Ukraine—the U.S. Cybersecurity and Infrastructure Security Agency (CISA) escalated its “Shields Up” advisory, warning U.S. and allied organizations to prepare for disruptive or destructive cyber activity. The campaign aggregates actionable guidance, including a CISA–FBI–NSA joint advisory on Russian state-sponsored actors targeting critical infrastructure, vulnerability alerts for edge devices, and best practices for rapid incident reporting. Executives must mobilize cross-functional teams to validate security controls, ensure business continuity readiness, and engage suppliers while geopolitical tensions remain elevated.

Threat landscape

Russian military operations coincide with increased cyber operations such as distributed denial-of-service (DDoS) attacks on Ukrainian banks, destructive wiper malware (WhisperGate, HermeticWiper), and espionage targeting NATO members. CISA warns that similar tactics could spill over into Western networks, particularly targeting energy, transportation, finance, and communications sectors. Ransomware groups sympathetic to Russian interests may also exploit the crisis to disrupt operations or extort funds. The Shields Up campaign emphasises that even organizations not directly targeted can face collateral damage through supply chains or shared service providers.

Operational priorities

• Incident response readiness: Review and rehearse incident response plans, ensuring contact lists, decision authority, and communication protocols are current. Conduct tabletop exercises that simulate simultaneous ransomware and DDoS attacks, aligning with CISA’s Tabletop Exercise Packages (CTEP).
• Patch management acceleration: Prioritize remediation of known exploited vulnerabilities highlighted in CISA’s KEV catalog—particularly for VPN appliances, Microsoft Exchange, VMware ESXi, and ICS/SCADA components. Implement emergency patching procedures with business approval workflows.
• Multi-factor authentication (MFA): Enforce MFA on all remote access, privileged accounts, and cloud services. Validate that MFA policies cover third-party access, and monitor for bypass techniques such as push bombing.
• OT network defense: Separate OT and IT networks, restrict remote access, and deploy anomaly detection solutions tailored to industrial protocols. Coordinate with control system vendors to apply security patches without disrupting safety or availability.
• Backup and recovery: Verify offline, immutable backups for critical systems. Test restoration procedures within defined recovery time objectives, ensuring backups are protected from ransomware and wiper malware.

Governance and leadership engagement

• Executive briefings: Provide daily or weekly updates to executive teams and boards summarizing threat intelligence, control gaps, and remediation progress. Align communications with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).
• Risk appetite reassessment: Review cyber risk tolerance in light of increased threat levels. Adjust risk acceptance decisions, accelerate deferred projects (e.g., zero-trust segmentation), and document temporary control exceptions.
• Regulatory coordination: Understand sector-specific reporting obligations (e.g., TSA pipeline directives, financial regulators, state breach laws). Establish procedures for rapid notification to CISA via the reporting portal or regional offices.
• Communications strategy: Prepare media and stakeholder messaging for potential incidents. Coordinate with public affairs, legal, and investor relations to manage reputational impact.
• Policy updates: Update acceptable use, remote work, and third-party access policies to reflect heightened monitoring and security controls during the Shields Up period.

Technology and security enhancements

• Threat hunting: Deploy enhanced detection rules covering known Russian TTPs, including lateral movement with compromised credentials, living-off-the-land binaries, and ICS-specific malware. Use MITRE ATT&CK mappings to prioritize hunts.
• Email and web security: Implement advanced phishing protections, sandboxing, and domain-based message authentication (DMARC/DKIM/SPF). Monitor for spear-phishing tied to humanitarian or geopolitical lures.
• Endpoint protection: Ensure endpoint detection and response (EDR) tools are deployed across servers, workstations, and OT gateways. Validate that EDR policies detect wiper signatures and block unauthorized driver installations.
• Network monitoring: Increase visibility into network traffic using IDS/IPS, flow monitoring, and anomaly detection. Tune alerts for suspected DDoS, data exfiltration, and command-and-control patterns associated with Russian actors.
• Zero-trust initiatives: Accelerate zero-trust segmentation, least privilege, and continuous verification. Align with U.S. federal zero-trust architecture guidance (OMB M-22-09, CISA Zero Trust Maturity Model) to build resilience.

Supply chain and third-party coordination

• Supplier outreach: Contact critical vendors and managed service providers to confirm their Shields Up posture. Request updates on patching status, monitoring coverage, and incident response capabilities.
• Contract review: Examine service-level agreements for incident notification timelines, access restrictions, and support obligations during crises. Negotiate temporary enhancements if gaps exist.
• Shared intelligence: Participate in Information Sharing and Analysis Centers (ISACs), industry CERTs, and joint cyber defense collaborative initiatives. Share indicators of compromise (IOCs) and lessons learned in near real time.
• Logistics partners: Ensure transportation, energy, and telecom partners coordinate continuity plans, especially for joint operations or just-in-time supply chains that could be disrupted by cyber incidents.
• Vendor risk assessments: Prioritize reassessment of suppliers located in high-risk regions or those providing remote access. Require attestations of MFA, logging, and backup controls.

Incident response coordination

CISA encourages rapid reporting of incidents to enable collective defense. Organizations should prepare to share indicators, mitigation actions, and impact assessments. Establish secure channels for information exchange, coordinate with law enforcement, and preserve forensic evidence. Integrate the CISA Reporting Line (central@cisa.gov) and the Joint Cyber Defense Collaborative (JCDC) into escalation playbooks.

Business continuity and resilience

• Continuity plans: Review business continuity plans addressing loss of IT systems, OT disruptions, or third-party outages. Ensure manual workarounds exist for critical services.
• Cross-border considerations: Multinationals should align Shields Up measures with EU NIS obligations, UK NCSC guidance, and allied country advisories (e.g., Canada’s CCCS). Coordinate response teams to support subsidiaries in different jurisdictions.
• Physical security: Synchronize cyber and physical security operations to monitor for coordinated hybrid threats. Update access controls at data centers, substations, and logistics hubs.
• Financial preparedness: Confirm liquidity and insurance coverage to handle ransom demands, emergency procurement, or incident response retainers.
• Employee well-being: Provide resources for staff dealing with elevated stress and longer on-call rotations. Clear communication reduces burnout and errors.

Strategic outlook

While the Shields Up alert may be temporary, it reinforces the need for sustained cyber resilience. Organizations should capture lessons learned, invest in zero-trust architectures, expand threat intelligence sharing, and advocate for stable funding of security initiatives. Aligning with forthcoming U.S. cyber regulations—such as mandatory incident reporting under the Cyber Incident Reporting for Critical Infrastructure Act—and global standards will ensure long-term preparedness against state-sponsored threats.

Related briefings

Curated signals from the same pillar or overlapping topics.

Cybersecurity · Credibility 90/100 · July 27, 2022

Pipeline Cybersecurity Directive Update — July 27, 2022

TSA Security Directive Pipeline-2021-02C shifts pipeline cybersecurity oversight to performance-based, risk-tested plans that document segmentation, monitoring, access governance, and recovery controls approved by TSA…

Cybersecurity · Credibility 40/100 · May 7, 2021

Cybersecurity Briefing — Colonial Pipeline ransomware attack disrupts U.S. fuel supply

On 7 May 2021 ransomware operators compromised Colonial Pipeline’s IT network, prompting a shutdown of fuel deliveries across the U.S. East Coast and federal emergency waivers.

Cybersecurity · Credibility 89/100 · August 3, 2023

CISA Unveils 2024–2026 Cybersecurity Strategic Plan — August 3, 2023

CISA’s 2024–2026 strategic plan requires executive governance to steer joint cyber defence planning, phased implementation across the three mission goals, and privacy-aware evidence collection to satisfy DSARs tied to…

Cybersecurity · Credibility 93/100 · March 7, 2024

Volt Typhoon Living-Off-the-Land Tactics Detailed — March 7, 2024

Joint advisory AA24-064A shows PRC actor Volt Typhoon living off the land inside U.S. critical infrastructure, pushing operators to harden edge devices, hunt for credential abuse, and accelerate segmentation across IT…

Cybersecurity · Credibility 90/100 · May 10, 2024

Cyber Threat Briefing — Black Basta Joint Advisory

CISA, FBI, and HHS issued a joint advisory on Black Basta ransomware operations after tracking more than 500 global victims across 12 critical infrastructure sectors since 2022.

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Cybersecurity Operations Playbook — Zeph Tech

  Use Zeph Tech research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.