CISA Raises Shields Up Guidance — February 24, 2022
CISA’s Shields Up campaign urges U.S. and allied organizations to heighten cyber resilience amid Russia’s invasion of Ukraine, mandating rapid control reviews, executive engagement, and supplier coordination across critical infrastructure.
Fact-checked and reviewed — Kodi C.
On 24 February 2022—hours before Russia’s expanded invasion of Ukraine—the U.S. Cybersecurity and Infrastructure Security Agency (CISA) escalated its “Shields Up” advisory, warning U.S. and allied organizations to prepare for disruptive or destructive cyber activity. The campaign aggregates actionable guidance, including a CISA–FBI–NSA joint advisory on Russian state-sponsored actors targeting critical infrastructure, vulnerability alerts for edge devices, and good practices for rapid incident reporting. Executives must mobilize cross-functional teams to validate security controls, ensure business continuity readiness, and engage suppliers while geopolitical tensions remain elevated.
Threat environment
Russian military operations coincide with increased cyber operations such as distributed denial-of-service (DDoS) attacks on Ukrainian banks, destructive wiper malware (WhisperGate, HermeticWiper), and espionage targeting NATO members. CISA warns that similar tactics could spill over into Western networks, particularly targeting energy, transportation, finance, and communications sectors. Ransomware groups sympathetic to Russian interests may also exploit the crisis to disrupt operations or extort funds. The Shields Up campaign emphasizes that even organizations not directly targeted can face collateral damage through supply chains or shared service providers.
Focus areas
- Incident response readiness: Review and rehearse incident response plans, ensuring contact lists, decision authority, and communication protocols are current. Conduct tabletop exercises that simulate simultaneous ransomware and DDoS attacks, aligning with CISA’s Tabletop Exercise Packages (CTEP).
- Patch management acceleration: Prioritize remediation of known exploited vulnerabilities highlighted in CISA’s KEV catalog—particularly for VPN appliances, Microsoft Exchange, VMware ESXi, and ICS/SCADA components. Implement emergency patching procedures with business approval workflows.
- Multi-factor authentication (MFA): Enforce MFA on all remote access, privileged accounts, and cloud services. Validate that MFA policies cover third-party access, and monitor for bypass techniques such as push bombing.
- OT network defense: Separate OT and IT networks, restrict remote access, and deploy anomaly detection solutions tailored to industrial protocols. Coordinate with control system vendors to apply security patches without disrupting safety or availability.
- Backup and recovery: Verify offline, immutable backups for critical systems. Test restoration procedures within defined recovery time objectives, ensuring backups are protected from ransomware and wiper malware.
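The patch-management item above asks teams to work from CISA's KEV catalog. The script below is an added example (not CISA's code and not part of the original guidance) that turns a KEV-style feed into a prioritized action queue: it reads the catalog in the field layout of the public known_exploited_vulnerabilities.json feed, matches entries against a local asset inventory, and orders the work by ransomware linkage, due date, and internet exposure. The catalog excerpt and the inventory are constructed samples; the CVE identifiers are placeholders, and the inventory format (asset name, list of CVEs, internet-facing flag) is an assumption about how a shop tracks its exposure.

```python
"""Prioritize KEV remediation against a local asset inventory.

Added example; not CISA's code. The catalog excerpt and inventory are constructed
samples (placeholder CVE IDs), but the catalog field names follow the public
known_exploited_vulnerabilities.json schema.
"""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (placeholder CVE IDs).
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2022.02.24",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "vulnerabilityName": "Example VPN authentication bypass", "dateAdded": "2022-02-10",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-02-24", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleMail", "product": "Mail Server",
     "vulnerabilityName": "Example remote code execution", "dateAdded": "2022-02-15",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-03-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00003", "vendorProject": "ExampleHypervisor", "product": "Host",
     "vulnerabilityName": "Example privilege escalation", "dateAdded": "2022-02-20",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-03-13", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed inventory (assumed format): which KEV CVEs are present on which
# assets, and whether the asset is internet-facing (edge devices rank higher).
INVENTORY = [
    {"asset": "vpn-01", "cves": ["CVE-0000-00001"], "internet_facing": True},
    {"asset": "mail-02", "cves": ["CVE-0000-00002"], "internet_facing": True},
    {"asset": "esx-03", "cves": ["CVE-0000-00003"], "internet_facing": False},
    {"asset": "esx-04", "cves": ["CVE-0000-00003", "CVE-0000-00002"], "internet_facing": False},
    {"asset": "file-05", "cves": [], "internet_facing": False},
]


def load_kev(feed_json):
    """Index KEV entries by CVE ID."""
    feed = json.loads(feed_json)
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def prioritize(feed_json, inventory, today_iso):
    """Return (asset, CVE) work items, most urgent first.

    Sort key: ransomware-linked entries first, then soonest (or most overdue)
    KEV due date, then internet-facing assets. Only CVEs actually present in
    the inventory are returned, so the output is an action queue, not a copy
    of the catalog.
    """
    kev = load_kev(feed_json)
    today = date.fromisoformat(today_iso)
    items = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: leave to the normal patch cadence
            due = date.fromisoformat(entry["dueDate"])
            items.append({
                "asset": asset["asset"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "days_until_due": (due - today).days,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "internet_facing": asset["internet_facing"],
            })
    items.sort(key=lambda i: (not i["ransomware"], i["days_until_due"], not i["internet_facing"]))
    return items


def overdue(items):
    """Items whose KEV due date has already passed."""
    return [i for i in items if i["days_until_due"] < 0]


if __name__ == "__main__":
    for i in prioritize(KEV_FEED_JSON, INVENTORY, "2022-02-24"):
        flag = "OVERDUE" if i["days_until_due"] < 0 else f'{i["days_until_due"]}d'
        print(f'{flag:>8}  {i["asset"]:8} {i["cve"]}  {i["product"]}  ransomware={i["ransomware"]}')
```

Running it with the feed date as "today" puts the ransomware-linked VPN gateway entry (due that day) at the top, followed by the internet-facing mail server; re-running a week later shows the same items as overdue, which is the list to escalate through the emergency patching workflow.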
Governance and leadership engagement
- Executive briefings: Provide daily or weekly updates to executive teams and boards summarizing threat intelligence, control gaps, and remediation progress. Align communications with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs).
- Risk appetite reassessment: Review cyber risk tolerance given increased threat levels. Adjust risk acceptance decisions, accelerate deferred projects (for example, zero-trust segmentation), and document temporary control exceptions.
- Regulatory coordination: Understand sector-specific reporting obligations (for example, TSA pipeline directives, financial regulators, state breach laws). Establish procedures for rapid notification to CISA via the reporting portal or regional offices.
- Communications strategy: Prepare media and stakeholder messaging for potential incidents. Coordinate with public affairs, legal, and investor relations to manage reputational impact.
- Policy updates: Update acceptable use, remote work, and third-party access policies to reflect heightened monitoring and security controls during the Shields Up period.
Technology and security improvements
- Threat hunting: Deploy improved detection rules covering known Russian TTPs, including lateral movement with compromised credentials, living-off-the-land binaries, and ICS-specific malware. Use MITRE ATT&CK mappings to focus on hunts.
- Email and web security: Implement advanced phishing protections, sandboxing, and domain-based message authentication (DMARC/DKIM/SPF). Monitor for spear-phishing tied to humanitarian or geopolitical lures.
- Endpoint protection: Ensure endpoint detection and response (EDR) tools are deployed across servers, workstations, and OT gateways. Validate that EDR policies detect wiper signatures and block unauthorized driver installations.
- Network monitoring: Increase visibility into network traffic using IDS/IPS, flow monitoring, and anomaly detection. Tune alerts for suspected DDoS, data exfiltration, and command-and-control patterns associated with Russian actors.
- Zero-trust initiatives: Accelerate zero-trust segmentation, least privilege, and continuous verification. Align with U.S. federal zero-trust architecture guidance (OMB M-22-09, CISA Zero Trust Maturity Model) to build resilience.
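The email security item above lists SPF, DKIM and DMARC as controls to implement, but the common failure is publishing them in a non-enforcing form (a softfail SPF terminator, a DMARC policy of none). The checker below is an added example, not code from CISA or from the page, that parses SPF and DMARC TXT records and reports where they fall short of enforcement. It works on constructed record strings for hypothetical domains so it runs offline; in practice the strings come from DNS TXT lookups of the domain and of its _dmarc subdomain. DKIM is not checked here because its selector records are per-sender and cannot be evaluated from the domain name alone.

```python
"""Assess SPF and DMARC records for enforcement strength.

Added example; not from CISA or the page. Record strings are constructed samples
for hypothetical domains. In production, fetch the SPF record from the domain's
TXT records and the DMARC record from _dmarc.<domain>.
"""

# Constructed sample records (hypothetical domains).
SAMPLE_RECORDS = {
    "example-weak.test": {
        "spf": "v=spf1 include:_spf.mailprovider.test ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test",
    },
    "example-strong.test": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.test -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example-strong.test; adkim=s; aspf=s",
    },
    "example-missing.test": {"spf": None, "dmarc": None},
}

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_PREFIXES = ("include:", "a", "mx", "ptr", "exists:", "redirect=")


def parse_spf(record):
    """Return (mechanisms, all_qualifier) or None if the record is not SPF."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qualifier = [], None
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        else:
            mechanisms.append(term)
    return mechanisms, all_qualifier


def parse_dmarc(record):
    """Return a dict of DMARC tags or None if the record is not DMARC."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(spf_record, dmarc_record):
    """Return a list of findings; an empty list means both records enforce."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("SPF: no record; receivers cannot validate sending sources")
    else:
        mechanisms, qualifier = spf
        if qualifier in (None, "+"):
            findings.append("SPF: missing or +all terminator; any sender passes")
        elif qualifier == "~":
            findings.append("SPF: softfail ~all; spoofed mail is accepted and only marked")
        lookups = [m for m in mechanisms if m.lower().lstrip("+-~?").startswith(LOOKUP_PREFIXES)]
        if len(lookups) > 10:
            findings.append(f"SPF: {len(lookups)} DNS-lookup terms exceed the limit of 10 (permerror)")

    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("DMARC: no record; SPF and DKIM results are not enforced")
        return findings
    policy = dmarc.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none monitors only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once aggregate reports are clean")
    elif policy != "reject":
        findings.append(f"DMARC: unrecognised policy '{policy}'")
    pct = dmarc.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua address; aggregate reports are not being collected")
    return findings


def assess_all(records):
    """Map each domain to its findings."""
    return {domain: assess(r["spf"], r["dmarc"]) for domain, r in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all(SAMPLE_RECORDS).items():
        print(domain, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The findings are ordered so that the items that let spoofed mail through (no record, permissive terminator, p=none) come first; a domain that returns no findings has a hard-fail SPF record and a reject-mode DMARC policy with reporting enabled.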
Supply chain and third-party coordination
- Supplier outreach: Contact critical vendors and managed service providers to confirm their Shields Up posture. Request updates on patching status, monitoring coverage, and incident response capabilities.
- Contract review: Examine service-level agreements for incident notification timelines, access restrictions, and support obligations during crises. Negotiate temporary improvements if gaps exist.
- Shared intelligence: Participate in Information Sharing and Analysis Centers (ISACs), industry CERTs, and joint cyber defense collaborative initiatives. Share indicators of compromise (IOCs) and lessons learned in near real time.
- Logistics partners: Ensure transportation, energy, and telecom partners coordinate continuity plans, especially for joint operations or just-in-time supply chains that could be disrupted by cyber incidents.
- Vendor risk assessments: Prioritize reassessment of suppliers located in high-risk regions or those providing remote access. Require attestations of MFA, logging, and backup controls.
Incident response coordination
CISA encourages rapid reporting of incidents to enable collective defense. If you are affected, prepare to share indicators, mitigation actions, and impact assessments. Establish secure channels for information exchange, coordinate with law enforcement, and preserve forensic evidence. Integrate the CISA Reporting Line (central@cisa.gov) and the Joint Cyber Defense Collaborative (JCDC) into escalation playbooks.
Business continuity and resilience
- Continuity plans: Review business continuity plans addressing loss of IT systems, OT disruptions, or third-party outages. Ensure manual workarounds exist for critical services.
- Cross-border considerations: Multinationals should align Shields Up measures with EU NIS obligations, UK NCSC guidance, and allied country advisories (for example, Canada’s CCCS). Coordinate response teams to support subsidiaries in different jurisdictions.
- Physical security: Synchronize cyber and physical security operations to monitor for coordinated hybrid threats. Update access controls at data centers, substations, and logistics hubs.
- Financial preparedness: Confirm liquidity and insurance coverage to handle ransom demands, emergency procurement, or incident response retainers.
- Employee well-being: Provide resources for staff dealing with elevated stress and longer on-call rotations. Clear communication reduces burnout and errors.
Strategic outlook
While the Shields Up alert may be temporary, it reinforces the need for sustained cyber resilience. Organizations should capture lessons learned from the heightened-alert period, invest in zero-trust architectures, expand threat intelligence sharing, and advocate for stable funding of security initiatives. Aligning with forthcoming U.S. cyber regulations—such as mandatory incident reporting under the Cyber Incident Reporting for Critical Infrastructure Act—and global standards will ensure long-term preparedness against state-sponsored threats.
Security Monitoring and Response
Organizations should implement continuous monitoring to detect and respond to security incidents related to this threat environment. Security operations centers should update detection rules, threat hunting hypotheses, and incident response procedures to address the attack patterns and indicators associated with this development. Regular testing of detection and response capabilities ensures readiness to handle related security events.
Post-incident analysis should document lessons learned and drive improvements to preventive and detective controls. Information sharing with industry peers and sector-specific information sharing organizations contributes to collective defense against common threats.
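The MFA item in the focus areas asks teams to monitor for push bombing, and the section above asks security operations centers to update their detection rules. The detection below is an added example, not a CISA or vendor rule, that implements one such rule over authentication events: it counts MFA push prompts per user in a sliding window and separately flags an approval that follows a run of denials, which is the pattern of a user giving in to prompt fatigue. The log lines are constructed in a generic whitespace-separated format (timestamp, user, event name, source IP); the event names are assumptions and would be mapped from whatever the identity provider actually emits.

```python
"""Detect MFA push bombing (prompt fatigue) in authentication logs.

Added example; not CISA's or any identity provider's rule. The log lines are
constructed, and the event names (mfa_push_sent, mfa_push_denied,
mfa_push_approved, login_success) are assumed placeholders for an IdP's events.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, user, event, source IP.
SAMPLE_LOG = """\
2022-02-24T03:10:02Z alice mfa_push_sent     198.51.100.7
2022-02-24T03:10:09Z alice mfa_push_denied   198.51.100.7
2022-02-24T03:10:31Z alice mfa_push_sent     198.51.100.7
2022-02-24T03:10:40Z alice mfa_push_denied   198.51.100.7
2022-02-24T03:11:05Z alice mfa_push_sent     198.51.100.7
2022-02-24T03:11:12Z alice mfa_push_denied   198.51.100.7
2022-02-24T03:11:44Z alice mfa_push_sent     198.51.100.7
2022-02-24T03:11:58Z alice mfa_push_approved 198.51.100.7
2022-02-24T03:12:01Z alice login_success     198.51.100.7
2022-02-24T09:02:11Z bob   mfa_push_sent     203.0.113.20
2022-02-24T09:02:20Z bob   mfa_push_approved 203.0.113.20
2022-02-24T09:02:21Z bob   login_success     203.0.113.20
"""

PUSH_THRESHOLD = 3            # pushes inside the window that trigger an alert
WINDOW = timedelta(minutes=10)
DENIALS_BEFORE_APPROVAL = 2   # denials before an approval that make it suspicious


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, user, event, src = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "src": src}


def detect_push_bombing(log_text, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return alerts for push bursts and for approvals that follow denials.

    A per-user sliding window counts pushes; the first time it reaches the
    threshold a push_bombing alert is raised. Denials are counted until the
    next approval; an approval after enough denials raises a second alert so
    the resulting session can be reviewed and revoked if it is not the user's.
    """
    pushes = defaultdict(deque)   # user -> timestamps of pushes inside the window
    denials = defaultdict(int)    # user -> denials since the last approval
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user = ev["user"]
        if ev["event"] == "mfa_push_sent":
            recent = pushes[user]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and user not in alerted:
                alerted.add(user)
                alerts.append({"user": user, "type": "push_bombing",
                               "count": len(recent), "ts": ev["ts"], "src": ev["src"]})
        elif ev["event"] == "mfa_push_denied":
            denials[user] += 1
        elif ev["event"] == "mfa_push_approved":
            if denials[user] >= DENIALS_BEFORE_APPROVAL:
                alerts.append({"user": user, "type": "approval_after_denials",
                               "count": denials[user], "ts": ev["ts"], "src": ev["src"]})
            denials[user] = 0
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_LOG):
        print(f'{a["ts"].isoformat()} {a["type"]:24} user={a["user"]} count={a["count"]} src={a["src"]}')
```

On the sample data the rule fires twice for alice (a burst of three pushes within ten minutes, then an approval after three denials) and not at all for bob's single prompt-and-approve login; the threshold and window are the knobs to tune against a site's normal re-authentication rate before the rule goes into production.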
Source material
- CISA — Shields Up
- CISA Insights: Preparing for and Mitigating Potential Cyber Threats
- ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization