Current Activity

CISA has collaborated with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) on Engaging with Artificial Intelligence—joint guidance, led by ACSC, on how to use AI systems securely. The following organizations also collaborated with ACSC on the guidance:

• Federal Bureau of Investigation (FBI)
• National Security Agency (NSA)
• United Kingdom (UK) National Cyber Security Centre (NCSC-UK)
• Canadian Centre for Cyber Security (CCCS)
• New Zealand National Cyber Security Centre (NCSC-NZ) and CERT NZ
• Germany Federal Office for Information Security (BSI)
• Israel National Cyber Directorate (INCD)
• Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and the Secretariat of Science, Technology and Innovation Policy, Cabinet Office
• Norway National Cyber Security Centre (NCSC-NO)
• Singapore Cyber Security Agency (CSA)
• Sweden National Cybersecurity Center

The guidance provides AI systems users with an overview of AI-related threats as well as steps that can help them manage AI-related risks while engaging with AI systems. The guidance covers the following AI-related threats:

1. Data poisoning
2. Input manipulation
3. Generative AI hallucinations
4. Privacy and intellectual property threats
5. Model stealing and training data exfiltration
6. Re-identification of anonymized data

Note: This guidance is primarily for users of AI systems. CISA encourages developers of AI systems to review the recently published Guidelines for Secure AI System Development.

To learn more about how CISA and our partners are addressing both the cybersecurity opportunities and risks associated with AI technologies, visit CISA.gov/AI.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-23222 Apple Multiple Products Type Confusion Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released six Industrial Control Systems (ICS) advisories on January 23, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-24-023-01 APsystems Energy Communication Unit (ECU-C) Power Control Software
• ICSA-24-023-02 Crestron AM-300
• ICSA-24-023-03 Voltronic Power ViewPower Pro
• ICSA-23-023-04 Westermo Lynx 206-F2G
• ICSA-24-023-05 Lantronix XPort
• ICSMA-24-023-01 Orthanc Osimis DICOM Web Viewer

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

Apple has released security updates for iOS and iPadOS, macOS, Safari, watchOS, and tvOS. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review the Apple security release and apply the necessary updates:

• iOS 17.3 and iPadOS 17.3
• iOS 16.7.5 and iPadOS 16.7.5
• iOS 15.8.1 and iPadOS 15.8.1
• macOS Sonoma 14.3
• macOS Ventura 13.6.4
• macOS Monterey 12.7.3
• Safari 17.3
• watchOS 10.3
• tvOS 17.3