New ITU clock concept for more resilient synchronization networks

Global navigation satellite systems (GNSS) provide precise timing for synchronization networks that are critical to mobile telecoms and data centres, power supply and smart grids, railway and road transport, and security and public safety.
Long disruptions to GNSS could be catastrophic without solutions to maintain precise timing. These solutions are provided by ITU standards, assuring network operators and regulators that precise time will keep ticking.
Common causes of GNSS disruptions:
- GNSS segment errors
- Adjacent-band transmitters
- GNSS spoofing
- Environmental interference
- GNSS jamming
The ITU standard G.8272.1 defines the enhanced Primary Reference Time Clock (ePRTC), the clock that sits at the top of telecom synchronization networks worldwide as their primary source of time.
The GNSS signal is typically used as time reference for this clock. The latest version of this international standard provides for the delivery of timing with accuracy better than 100 nanoseconds, for up to 40 days after a GNSS loss.
Network-wide timekeeping
Introducing a new architectural concept, the new ITU standard G.8272.2 provides a coherent network reference clock (cnPRTC) that ensures highly accurate, resilient, and robust timekeeping throughout a telecom network.
The cnPRTC architecture involves interconnected clocks cooperating at the highest network level.
This allows stable, network-wide ePRTC time accuracy, even during periods of regional or network-wide GNSS unavailability or other failures and interruptions.
cnPRTC architecture at the core network level:
Comparative measurements between the clocks are another important component of the new architecture. Each clock’s performance is continuously monitored.
The whole group of clocks – connected by fibre or satellite systems such as GNSS common view – are combined under a “timescale algorithm.”
National time labs, GNSS control segments, and the UTC (coordinated universal time) established at the BIPM (international bureau of weights and measures) all rely on such algorithms to generate the time.
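What a timescale algorithm does with those comparative measurements, shown as an added example that is not part of the ITU standard or of this article: an ensemble forms a robust centre from all clocks, drops any clock whose reading has walked away from that centre (the effect a spoofed or faulty GNSS input has on a single ePRTC), and combines the rest weighted by their past stability. The clock names, the 25 ns rejection threshold and the readings are constructed for the illustration; G.8272.2 itself specifies none of them.

```python
"""Illustrative ensemble timescale with outlier rejection.

Added example, not the G.8272.2 algorithm itself: it shows the general
shape of a "timescale algorithm" in which several clocks are compared
against one another and combined, so that one clock whose GNSS input
goes bad is detected and dropped rather than dragging the ensemble.
Clock names, thresholds and readings are constructed for the illustration.
"""
from statistics import median, pvariance
from typing import Dict, List, Tuple


def ensemble_epoch(readings: Dict[str, float], weights: Dict[str, float],
                   reject_ns: float) -> Tuple[float, List[str]]:
    """Combine one epoch of clock offsets (ns, measured against a common
    comparison link) into an ensemble offset.

    1. Form a robust centre (median) from all clocks.
    2. Exclude any clock more than reject_ns from that centre this epoch.
    3. Combine the survivors by weighted mean.
    """
    centre = median(readings.values())
    excluded = sorted(n for n, v in readings.items() if abs(v - centre) > reject_ns)
    kept = {n: v for n, v in readings.items() if n not in excluded}
    if not kept:                      # every clock disagrees: fall back to the centre
        return centre, excluded
    total_w = sum(weights[n] for n in kept)
    return sum(weights[n] * v for n, v in kept.items()) / total_w, excluded


def update_weights(history: Dict[str, List[float]], floor_ns2: float = 1.0) -> Dict[str, float]:
    """Weight each clock by the inverse variance of its past deviations from
    the ensemble. A clock that wandered (even while excluded) earns a low weight."""
    weights = {}
    for name, devs in history.items():
        weights[name] = 1.0 if len(devs) < 2 else 1.0 / max(pvariance(devs), floor_ns2)
    return weights


def constructed_readings() -> List[Dict[str, float]]:
    """Constructed data: four clocks, 12 epochs. Clock C's GNSS-derived
    offset starts ramping at epoch 5 (60 ns per epoch), the signature a
    spoofed or faulty reference would produce."""
    epochs = []
    for t in range(12):
        c = 3.0 if t < 5 else 3.0 + 60.0 * (t - 4)
        epochs.append({"A": 1.0 + (t % 3), "B": -4.0 + (t % 2), "C": c, "D": 1.0})
    return epochs


def run_ensemble(epochs: List[Dict[str, float]], reject_ns: float = 25.0) -> List[Tuple[float, List[str]]]:
    """Run the ensemble over all epochs; returns (ensemble offset, excluded clocks) per epoch."""
    history: Dict[str, List[float]] = {n: [] for n in epochs[0]}
    weights = {n: 1.0 for n in epochs[0]}
    results = []
    for readings in epochs:
        ensemble, excluded = ensemble_epoch(readings, weights, reject_ns)
        for n, v in readings.items():
            history[n].append(v - ensemble)
        weights = update_weights(history)
        results.append((ensemble, excluded))
    return results


if __name__ == "__main__":
    for t, (ens, ex) in enumerate(run_ensemble(constructed_readings())):
        print(f"epoch {t:2d}: ensemble {ens:7.2f} ns  excluded {ex}")
```

The point of the median-first step is that the rejection test never trusts any single input, GNSS included: clock C is excluded from epoch 5 onward and the ensemble stays within a few nanoseconds of where it was, which is the behaviour the comparative measurements in the cnPRTC architecture are there to provide.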
The revised G.8272.1 and new G.8272.2 standards are products of the working group on network synchronization and time distribution performance (Q13/15) in the ITU standardization study group for transport, access and home (ITU-T Study Group 15).
The OFC conference in San Diego (US) will feature an ITU booth (#5226), expert talks on “Tight Sync in Precision Time Protocol” on 26 March, and more hot topics at a “Standards Updates” session by the study group on 27 March.
The recent World Radiocommunication Conference (WRC-23), considering relevant ITU studies, endorsed the BIPM decision to adopt continuous UTC as the de facto time standard by 2035, with the possibility to extend the deadline to 2040 in cases where existing equipment cannot be replaced earlier.

DHS Has Strengthened the Securing the Cities Program, but Actions Are Needed to Address Key Remaining Challenges

The Department of Homeland Security's Securing the Cities program is trying to reduce the risk of terrorist attacks in high-risk urban areas. This program helps state and local agencies in 13 regions detect radiological and nuclear materials that could be used in such attacks—such as by funding the purchase of wearable radiation detectors for police officers.
The agency regularly meets with the regions to check in and help address specific issues with this program. However, the agency hasn't clearly communicated to the regions how it plans to measure performance and progress.
The Department of Homeland Security's Countering Weapons of Mass Destruction Office (CWMD) has taken multiple steps to strengthen the Securing the Cities (STC) program and is working with regions to address remaining program implementation challenges. CWMD awards funding to support STC regions' program administration. It also funds the procurement and deployment of radiological and nuclear detection equipment and training for the law enforcement officers and other agency partners who use it. To strengthen the program, CWMD has increased outreach and communication activities, developed templates for regional planning and quarterly reporting, and ensured regions' access to long-term federal funding to sustain their STC-related capabilities.
As CWMD continues to improve the program, it is also working with STC regions to address challenges that may affect program implementation. Regions identified several key challenges, including staff attrition and turnover; availability and difficulty of scheduling training courses; and keeping partner agencies engaged with the STC program mission among other competing priorities.
The U.S. faces an enduring threat that terrorists could steal or smuggle nuclear or radiological materials to use in a terrorist attack. The Department of Homeland Security initiated the STC program as a pilot in 2007 to reduce the risk of such attacks by developing and enhancing sustainable radiological and nuclear detection capabilities of state and local agencies in high-risk urban areas. The program includes 13 regions. CWMD awarded about $300 million to these regions through fiscal year 2023.
The CWMD Act of 2018 included a provision for GAO to evaluate the STC program once CWMD completed an assessment of the program, which it did in 2022. This report evaluates (1) CWMD's efforts to strengthen the STC program and address regions' challenges and (2) the extent to which CWMD is measuring and tracking STC regions' performance.
GAO reviewed CWMD and STC regions' documents, interviewed officials from CWMD and from each region, and visited two regions carrying out training exercises. GAO compared CWMD's performance assessment approach with key practices for assessing program effectiveness that GAO identified in prior work.
GAO is making five recommendations, including that CWMD clearly communicate performance expectations to STC regions, collect quality information from the regions, and ensure regions' timely progress through program phases and toward achieving program goals. DHS concurred with the recommendations.
CWMD's approach to measuring and tracking regions' performance—outlined in a 2023 revision to its STC program implementation plan—generally follows the key practices and their supporting actions for assessing program effectiveness. For example, CWMD uses weekly or biweekly meetings with the STC regions to provide tailored information that regions need to address specific issues affecting their program implementation. However, it has not clearly communicated to the regions the performance expectations and planned assessment approach adopted in the revised plan. By doing so, CWMD would increase the transparency and accountability for results being achieved through the program.
CWMD is collecting and reviewing regional performance data to set targets and benchmarks for assessments that it plans to begin in fiscal year 2025. However, it needs to take additional steps to ensure that information collected from the regions is timely, consistent, complete, and accurate. CWMD officials also stated that they need to complete ongoing and planned efforts to better oversee and hold regions accountable for their performance and timely progress through program phases and toward achieving program goals. By taking these steps, CWMD will be in a better position to use evidence to manage the STC program more effectively, demonstrate regions' progress toward meeting the program goals, and communicate these results to stakeholders.

UNDRR and ISC to review Hazard Information Profiles ahead of 2025 Global Platform

Three years after their initial release, the United Nations Office for Disaster Risk Reduction (UNDRR) and the International Science Council (ISC) are undertaking a review of the UNDRR/ISC Hazard Information Profiles (HIPs) ahead of the Global Platform that will take place in 2025. These HIPs provide an authoritative reference on the scope, name, and definitions of hazards of relevance to the Sendai Framework for Disaster Risk Reduction.
The HIPs were hailed as "groundbreaking" in the Report of the Midterm Review of the Sendai Framework in 2023 and continue to provide extensive information to various stakeholders across different sectors, including disaster risk reduction planning, monitoring, training, and research. They are widely utilized by intergovernmental bodies, national governments, disaster management agencies, statistical offices, private sectors, and academic institutions, fostering a more comprehensive and unified approach to disaster risk monitoring, recording, and planning.
For example, The International Organization for Migration (IOM) and the World Health Organization (WHO) have incorporated these profiles in their reference systems and are employing them in some of their trainings globally. Additionally, UNDRR uses these profiles for monitoring disasters, while numerous other stakeholders use them as foundational tools for disaster planning and response efforts, research and teaching.
In this review cycle, particular emphasis will be placed on the "multi-hazard context," aiming to enhance understanding of the interplay between different hazards, which can result in cascading, compound, and complex events. This will facilitate the utilization of the profiles for multi-hazard risk assessment and early warning systems.
Leveraging the latest advancements in machine learning, efforts will be made to make the HIPs more machine-actionable, thereby expanding their usability and applications.
Leading this initiative is a steering group chaired by Professor Virginia Murray, comprising representatives from 18 agencies and institutions involved in disaster risk reduction. The steering group will oversee the review process, with eight dedicated technical teams focusing on specific hazard types proposing revisions to the existing HIPs. Additional groups will concentrate on addressing multi-hazard contexts and enhancing machine actionability. The detailed composition of the Steering Group is available here.

CISA Publishes High-Risk Communities Webpage

The Cybersecurity and Infrastructure Security Agency (CISA) announces a new dedicated High-Risk Communities webpage today with cybersecurity resources for civil society communities at heightened risk of facing digital security threats because of their work. Through the Joint Cyber Defense Collaborative (JCDC) and building on priorities advanced through the Administration’s Summit for Democracy, CISA developed this valuable resource in collaboration with civil society organizations, government, and private industry partners to support these communities with their cybersecurity.
This webpage offers digital security resources specifically for high-risk communities, including Project Upskill, a suite of guides designed to equip non-technical individuals affiliated with high-risk organizations with simple steps to meaningfully improve their cyber hygiene. Other resources on the webpage include information on local cyber volunteer programs, and a repository of free or discounted cybersecurity tools and services available to high-risk communities.
“With experts across government and the private sector, we collaborated extensively to identify and develop actionable and easy-to-use resources for high-risk communities. We will continue to solicit input and feedback from partners across civil society as we collectively work to safeguard those organizations advancing democracy and human rights against cyber threats,” said CISA Director Jen Easterly. “CISA is especially pleased in the public-private collaboration that led to development and publication of these resources, reflecting shared commitment across government, industry, and civil society.”
The High-Risk Communities planning effort furthers JCDC priorities by bringing together government and the private sector to execute cyber defense plans that achieve specific risk reduction goals and enable more focused collaboration. To learn more about JCDC, visit CISA.gov/JCDC.
All civil society organizations are encouraged to visit the High-Risk Communities webpage intended to serve as a one-stop-shop for cybersecurity guidance.

JCDC Working and Collaborating to Build Cyber Defense for Civil Society and High-Risk Communities

Last fall, the Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (UK-NCSC) held the first international convening of the Strategic Dialogue on Cybersecurity of Civil Society Under Threat of Transnational Repression. With eight countries convened, we discussed options to advance the cybersecurity of civil society and calibrate our agencies’ support to the communities at highest risk. The second meeting is planned for May 2024.
Recently, CISA participated in the third Summit for Democracy in Seoul, South Korea, as part of our continuing commitment to counter cybersecurity threats against civil society. In alignment with this summit and our strategic dialogue work, CISA is providing a suite of resources on our new High-Risk Communities webpage today to help civil society organizations with bolstering their cyber defense and resilience.
These resources are the product of a year-long effort spearheaded by the Joint Cyber Defense Collaborative in partnership with industry and civil society. Informed by the unique expertise and experiences of our civil society and industry partners, these resources directly respond to the unique threat profile and operational realities of high-risk organizations that are targeted by sophisticated threat actors.
As leaders of high-risk organizations know all too well, operating a robust cybersecurity program can be costly. And many sources of funding do not account for the cost of hiring and retaining information security professionals or implementing effective cybersecurity solutions. At the same time, civil society organizations and their affiliates are at heightened risk of becoming targets of Advanced Persistent Threats – and cybersecurity incidents that lead to disruptions in their work can have dire ramifications for the vulnerable communities they serve.
Here are some of the resources that CISA released today as part of its cyber defense plan to support civil society organizations:
1. Launch a CISA.gov Webpage for High-Risk Communities.
CISA’s High-Risk Communities webpage serves as a one-stop-shop for cybersecurity guidance and free or discounted tools and resources that are tailored to meet the needs of high-risk organizations that want to improve their cybersecurity baseline while operating with limited resources.
2. Release Project Upskill: CISA’s Tailored Cybersecurity Guidance for High-Risk Communities.
Research from the CyberPeace Institute shows that less than 15 percent of non-governmental civil society organizations have cybersecurity experts on their staff and 33 percent do not have dedicated IT or security resources available to secure their individual employees, let alone the enterprise. That means employees at high-risk organizations serve as the first line of defense against malicious cyber actors that seek to disrupt operations or conduct reconnaissance.
Project Upskill is designed to arm individuals employed by or supporting high-risk organizations with simple steps to meaningfully improve their cyber hygiene. We crafted it to be accessible to a non-technical audience so that all individuals across civil society are empowered to support their own cyber defense.
The steps outlined in this new resource are not a “silver bullet” against cyber intrusions; however, they can make it more difficult and costly for malign cyber actors to target individuals and the organization.
3. Highlight Free Tools & Services for Mission-Based Organizations.
Collectively, a wide array of free or discounted tools and services are available to high-risk communities. For example, certain organizations can apply to receive free cybersecurity protection under Cloudflare’s Project Galileo. Individuals who enroll in Google’s Advanced Protection Program (free to the public) benefit from additional account safeguards, including enhanced protection against phishing attempts and harmful downloads. Organizations seeking guidance on how to harden their enterprise will benefit from visiting the Global Cyber Alliance’s Cybersecurity Toolkit for Mission-Based Organizations, and high-risk individuals and organizations can turn to Access Now’s Digital Security Helpline for support with incident response if they believe they have been compromised.
All of these resources, and more, are located on CISA’s High-Risk Communities webpage.
4. Help Prospective Volunteers Connect with their Local Cyber Volunteer Clinic.
Across the United States, academic institutions, non-profits, and municipalities are setting up cybersecurity clinics and volunteer corps to provide free, hands-on support for incident response and resilience building.
High-risk organizations often qualify for support from these volunteer clinics. Therefore, CISA is building a webpage that will have information about the cyber volunteer programs across the country. Our intent is to help build capacity by providing a centralized place for prospective volunteers to learn about prerequisites and application processes for joining their local cyber volunteer program, and help qualifying organizations learn how to obtain assistance.
At the third Summit for Democracy, Secretary of State Antony Blinken stated, “As authoritarian and repressive regimes deploy technologies to undermine democracy and human rights, we need to ensure that technology sustains and supports democratic values and norms.” We believe that through the work initiated by this partnership across civil society, technology companies, the US government, and international partner governments, we are contributing to a rights-respecting digital world.

CISA Announces Malware Next-Gen Analysis

The Cybersecurity and Infrastructure Security Agency (CISA) has announced a new release of our malware analysis system, called Malware Next-Gen, which allows any organization to submit malware samples and other suspicious artifacts for analysis. Malware Next-Gen allows CISA to more effectively support our partners by automating analysis of newly identified malware and enhancing the cyber defense efforts.
Timely, actionable intelligence on malware, such as how it works and what it is designed to do, is crucial to network defenders conducting potential cyber incident response and/or threat hunts. Malware Next-Gen provides advanced and reliable malware analysis on a scalable platform, capable of meeting the increasing demands of future workloads. The integrated system provides CISA analysts and operations community members with multilevel containment capabilities for the automatic analysis of potentially malicious files or uniform resource locators (URLs).
“Effective and efficient malware analysis helps security professionals detect and prevent malicious software from enabling adversary access to persistence within an organization. Malware Next-Gen is a significant leap forward in CISA's commitment to enhancing national cybersecurity,” said CISA Executive Assistant Director for Cybersecurity Eric Goldstein. “Our new automated system enables CISA’s cybersecurity threat hunting analysts to better analyze, correlate, enrich data, and share cyber threat insights with partners. It facilitates and supports rapid and effective response to evolving cyber threats, ultimately safeguarding critical systems and infrastructure.”
Since November, Malware Next-Gen has been available to .gov and .mil organizations. Nearly 400 registered users have submitted more than 1,600 files, resulting in the identification of approximately 200 suspicious or malicious files and URLs, which were quickly shared with partners. While members of the public may submit a malware sample, only authorized, registered users are able to receive analytical results from submissions.

JCDC Builds Foundation for Pipelines Cyber Defense Planning Effort

Businesses, communities, and families across America depend on the reliable availability of oil and natural gas for countless functions of everyday life. Recognizing the criticality of the oil and natural gas (ONG) subsector to our shared security and prosperity, over 25 ONG organizations, with an emphasis on high-throughput midstream natural gas pipeline owner-operators, and their industrial control systems (ICS) vendors convened through the Joint Cyber Defense Collaborative (JCDC) to undertake the 2023 JCDC Pipelines Cyber Defense Planning Effort.

The 2023 JCDC Pipelines Cyber Defense Planning Effort was a novel approach to bring together pipeline owner-operators and their ICS vendors, in partnership with the Transportation Security Administration and Department of Energy, to address shared challenges, whether ransomware incidents like the 2021 intrusion into Colonial Pipeline or persistent targeting by threat actors such as the People’s Republic of China, which possesses the capability to disrupt natural gas pipelines, as highlighted in the ODNI 2023 Annual Threat Assessment. An effective response to these threats demands public-private collaboration efforts to defend pipeline networks against compromise and ensure that they continue to function in a worst-case scenario.

This effort resulted in a detailed by-industry, for-industry network architecture diagram and adjoining principles, the ONG Pipelines Reference Architecture. Pipeline owner-operators and ICS vendors built this architecture to serve as a voluntary model to guide their investment, planning, and operations as they work to better segment their networks and mitigate intrusion campaigns. The ONG Pipelines Reference Architecture offers practical guidance for stepping up risk management and showcases the interplay between network segmentation, multi-factor authentication (MFA), external dependencies, and critical field devices.

By organizing collaboration between midstream pipeline owner-operators and ICS vendors, this cyber defense planning effort facilitated a foundation for industry to proactively take transformative steps to harden the digital networks that run our nation’s largest natural gas pipelines against compromises – an example of the vision first established by the Cyberspace Solarium Commission and codified by Congress to catalyze cyber defense planning that yields real change in our nation’s cybersecurity.

IACIPP Announces Launch of ‘CIP WEEK’ in Europe

The International Association of Critical Infrastructure Protection Professionals (IACIPP) has announced the launch of ‘Critical Infrastructure Protection Week’ in Europe as part of an initiative focused towards enhancing collaboration and cooperation amongst the industry.
The Critical Entities Resilience Directive (CER Directive) is about to take effect. It lays down obligations on EU Member States to take specific measures to ensure that essential services and infrastructures, needed for the maintenance of vital societal functions or economic activities, are provided in an unobstructed manner in the internal market. Member States must adopt and publish the measures necessary to comply with the Directive by 17 October 2024.
The NIS2 Directive, also known as the Network and Information Security Directive, is also a significant piece of legislation being implemented by 17th October 2024, aimed at improving cyber security and protecting critical infrastructure across the European Union (EU).
It builds upon the previous NIS Directive, addressing its shortcomings and expanding its scope to enhance security requirements, reporting obligations, and crisis management capabilities.
Compliance with the CER Directive and the NIS2 Directive is crucial for businesses operating in the EU to safeguard their systems, mitigate threats, and ensure resilience. Penalties are enforceable on agencies and operators for non-compliance.
In light of the forthcoming challenges with the Directives, and the ever increasing threats against European critical infrastructures, IACIPP is launching ‘CIP Week’ in Europe to help raise awareness and promote greater collaboration amongst operators, agencies and the CI security community.
The first ‘Critical Infrastructure Protection Week’ will take place in Madrid Spain and will see IACIPP host the ‘Critical Infrastructure Protection & Resilience Europe’ conference and exhibition and ‘EU-CIP Horizon Project’ conference as the first two events as part of the initiative. Additional events are expected to be announced as part of the CIP Week in due course.
John Donlon QPM, Chairman of The International Association of Critical Infrastructure Protection Professionals, said, “IACIPP is delighted to be announcing this new initiative in Europe, with the important aim of encouraging greater information sharing, collaboration and co-operation within the industry.”
“The CER and NIS2 Directives are two of the most important pieces of legislation to arrive in Europe in recent years, and IACIPP along with other professional bodies have a degree of concern over the lack of preparation of some of the operators and agencies for the October deadline, and believe more needs to be done to ensure these minimum standards are met, and indeed exceeded in subsequent years.”
“We are delighted the ‘Critical Infrastructure Protection & Resilience Europe’ conference and exhibition and ‘EU-CIP Horizon Europe Project’ conference are the first two events to contribute towards CIP Week, which we aim to be an annual event. Madrid is an excellent location for the launch of this program, with the CN-PIC driving Spain’s efforts to meet the Directives’ deadlines and be prepared,” added Mr Donlon.
Critical Infrastructure Protection & Resilience Europe (CIPRE) is the premier conference in Europe to discuss the operational threats and challenges, delivering thought leadership and strategies for operators and agencies to plan security and resilience for their operations and assets.
The EU-CIP Horizon Europe Project is set up to establish a novel pan-European knowledge network for Resilient Infrastructures, which will enable policy makers to shape and produce data-driven, evidence-based policies, while boosting the innovation capacity of Critical Infrastructure (CI) operators, authorities, and innovators (including SMEs).
Emilia Gugliandolo, Project Coordinator of EU-CIP, said, “The EU-CIP Project is delighted to be invited as part of the CIP Week initiative, enabling greater opportunities for the industry to explore the challenges and opportunities for bringing about synergetic, emerging disruptive solutions to security issues via cross-projects collaboration and innovation. We look forward to successful collaborations between the sectors and professionals in achieving the overall goals for the industry.”
IACIPP is an international association of practitioners and professionals involved in the security, resilience and safety of critical infrastructure, both physical and information infrastructure, open to critical infrastructure operators and government agencies, including site managers, security officers, government agency officials, policy makers, research & academia. The Association also aims to share ideas, information, experiences, technology and best practice to enhance these objectives.
IACIPP is inviting the industry to join in CIP Week in Madrid on 12th-14th November 2024.

NCCoE Publishes Final NIST IR 8432, Cybersecurity of Genomic Data

The NIST National Cybersecurity Center of Excellence (NCCoE) has published the Final NIST IR 8432, Cybersecurity of Genomic Data. This report summarizes the current practices, challenges, and proposed solutions for securing genomic data, as identified by genomic data stakeholders from industry, government, and academia. This effort is informed by direction from Congress, the White House, and NIST's existing expertise in genomics as well as cybersecurity.

NCCoE Guidance: CSF Profile for Genomic Data

Following the findings from NIST IR 8432, the NCCoE released Draft NIST IR 8467, Cybersecurity Framework (CSF) Profile for Genomic Data. This CSF Profile provides voluntary, actionable guidance to help organizations manage, reduce, and communicate cybersecurity risks for systems, networks, and assets that process any type of genomic data.

New Privacy Framework Profile

NCCoE is currently addressing the broader privacy landscape for genomic data by creating the Privacy Framework Profile for Genomic Data. The Privacy Framework Profile, developed using the NIST Privacy Framework, is intended to supplement the CSF Profile, as well as existing security and privacy guidelines and standards. This will be NIST's first Privacy Framework Profile, scheduled for public release in 2024.

Why Genomic Data?

Genomic data, including deoxyribonucleic acid (DNA) sequences, variants, and gene activity, has fueled the rapid growth of the U.S. bioeconomy. However, this valuable information is subject to cybersecurity and privacy concerns that are inadequately addressed with current policies, guidance documents, and technical controls. NCCoE's forthcoming guidance aims to help organizations assess, tailor, and prioritize their risk mitigation strategies and cyber investments for genomic data.

PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.
Actions to take today to mitigate Volt Typhoon activity:
• Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
• Implement phishing-resistant MFA.
• Ensure logging is turned on for application, access, and security logs and store logs in a central system.
CISA, NSA, FBI and partners released this advisory to warn critical infrastructure organizations about this assessment, which is based on observations from the U.S. authoring agencies’ incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus).
The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts. The Canadian Centre for Cyber Security (CCCS) assesses that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and New Zealand’s National Cyber Security Centre (NCSC-NZ) assess that Australian and New Zealand critical infrastructure, respectively, could be vulnerable to similar activity from PRC state-sponsored actors.
As the authoring agencies have previously highlighted, the use of living off the land (LOTL) techniques is a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure. The group also relies on valid accounts and strong operational security, which, combined, allow long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years. Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.
The authoring agencies urge critical infrastructure organizations to apply the mitigations in this advisory and to hunt for similar malicious activity using the guidance herein provided, along with the recommendations found in joint guide Identifying and Mitigating Living Off the Land Techniques.
These mitigations are primarily intended for IT and OT administrators in critical infrastructure organizations. Following the mitigations for prevention of or in response to an incident will help disrupt Volt Typhoon’s accesses and reduce the threat to critical infrastructure entities.
If activity is identified, the authoring agencies strongly recommend that critical infrastructure organizations apply the incident response recommendations in this advisory and report the incident to the relevant agency.
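Why the centralised-logging mitigation matters for living-off-the-land activity, shown as an added example that is not part of the advisory: two correlations run over constructed, SIEM-style records, one pairing a valid-account logon with a watchlisted built-in run shortly afterwards on the same host, the other spotting the same account running such built-ins on several hosts inside an hour. Neither can be computed from one host’s local log. The hosts, accounts, timestamps, event records and the watchlist of Windows utilities are assumptions made for the illustration; the advisory’s own indicators and hunting guidance are in the joint guide it cites.

```python
"""Correlating centralised logs to surface living-off-the-land activity.

Added example, not part of the advisory: it shows why "store logs in a
central system" is on the mitigation list. Each detection below lines up
a logon event with a later process-creation event, or process-creation
events from several hosts, for the same account, which a single host's
log cannot do. The records, host and account names and the watchlist of
built-in utilities are constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Illustrative watchlist: signed Windows built-ins that are present on
# every host and routinely abused, so their use is rarely alerted on.
LOTL_BINARIES = {"ntdsutil.exe", "netsh.exe", "wmic.exe", "reg.exe", "vssadmin.exe"}

# Constructed records in the shape a SIEM holds after normalising Windows
# Security events: 4624 = account logon, 4688 = process creation.
CONSTRUCTED_LOGS = [
    {"ts": "2024-02-07T02:11:05", "host": "fs01", "event": 4624, "user": "svc_backup", "src_ip": "10.9.4.21"},
    {"ts": "2024-02-07T02:12:40", "host": "fs01", "event": 4688, "user": "svc_backup", "image": r"C:\Windows\System32\ntdsutil.exe"},
    {"ts": "2024-02-07T02:30:10", "host": "dc01", "event": 4624, "user": "svc_backup", "src_ip": "10.9.4.21"},
    {"ts": "2024-02-07T02:31:02", "host": "dc01", "event": 4688, "user": "svc_backup", "image": r"C:\Windows\System32\netsh.exe"},
    {"ts": "2024-02-07T08:05:00", "host": "ws17", "event": 4624, "user": "alice", "src_ip": "10.9.8.50"},
    {"ts": "2024-02-07T08:06:13", "host": "ws17", "event": 4688, "user": "alice", "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2024-02-07T09:00:00", "host": "fs01", "event": 4688, "user": "svc_backup", "image": r"C:\Windows\System32\reg.exe"},
    {"ts": "2024-02-07T12:00:00", "host": "ws17", "event": 4688, "user": "bob", "image": r"C:\Windows\System32\wmic.exe"},
]


def _ts(rec: Dict) -> datetime:
    return datetime.fromisoformat(rec["ts"])


def _binary(rec: Dict) -> str:
    """Image path -> lower-cased file name, so the watchlist match ignores the directory."""
    return rec["image"].rsplit("\\", 1)[-1].lower()


def _lotl_events(logs: List[Dict]) -> List[Dict]:
    return sorted((r for r in logs if r["event"] == 4688 and _binary(r) in LOTL_BINARIES), key=_ts)


def find_lotl_after_logon(logs: List[Dict], window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Valid-account pattern: a logon followed within `window` by a
    watchlisted built-in run as the same account on the same host."""
    last_logon: Dict[tuple, Dict] = {}
    findings = []
    for rec in sorted(logs, key=_ts):
        key = (rec["host"], rec["user"])
        if rec["event"] == 4624:
            last_logon[key] = rec
        elif rec["event"] == 4688 and _binary(rec) in LOTL_BINARIES and key in last_logon:
            logon = last_logon[key]
            if _ts(rec) - _ts(logon) <= window:
                findings.append({"host": rec["host"], "user": rec["user"], "binary": _binary(rec),
                                 "src_ip": logon["src_ip"], "ts": rec["ts"]})
    return findings


def find_cross_host_use(logs: List[Dict], window: timedelta = timedelta(hours=1), min_hosts: int = 2) -> List[Dict]:
    """Lateral-movement pattern: the same account running watchlisted
    built-ins on at least `min_hosts` distinct hosts inside `window`."""
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for rec in _lotl_events(logs):
        by_user[rec["user"]].append(rec)
    findings, seen = [], set()
    for user, events in by_user.items():
        for i, start in enumerate(events):           # sliding window from each execution
            hosts = sorted({e["host"] for e in events[i:] if _ts(e) - _ts(start) <= window})
            if len(hosts) >= min_hosts and (user, tuple(hosts)) not in seen:
                seen.add((user, tuple(hosts)))
                findings.append({"user": user, "hosts": hosts, "first_seen": start["ts"]})
    return findings


if __name__ == "__main__":
    for f in find_lotl_after_logon(CONSTRUCTED_LOGS) + find_cross_host_use(CONSTRUCTED_LOGS):
        print(f)
```

On the constructed data the service account is flagged twice by the first rule (ntdsutil.exe on fs01, netsh.exe on dc01, each within two minutes of a network logon from the same source address) and once by the second (the same account on two hosts within an hour), while the workstation user running notepad.exe and the lone wmic.exe execution with no preceding logon are left alone. Against real data both thresholds need tuning to the environment, and the watchlist should be replaced by the organisation’s own baseline of which accounts legitimately run which built-ins where.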