Cybersecurity High-Risk Series: Challenges in Securing Federal Systems and Information

Federal systems are vulnerable to cyberattacks. Our High Risk report identified 10 critical actions for addressing federal cybersecurity challenges.

In this report, the second in a series of four, we cover the 3 actions related to Securing Federal Systems and Information:

- Improve implementation of government-wide cybersecurity initiatives
- Address weaknesses in federal agency information security programs
- Enhance the federal response to cyber incidents to better protect federal systems and information

GAO has made about 712 recommendations in public reports since 2010 with respect to securing federal systems and information. Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them. For more information on this report, visit https://www.gao.gov/cybersecurity.

Improve Implementation of Government-Wide Cybersecurity Initiatives

Federal law assigned five key cybersecurity responsibilities to the Cybersecurity and Infrastructure Security Agency (CISA), including securing federal information and systems, and coordinating federal efforts to secure and protect against critical infrastructure risk. To implement these responsibilities, CISA undertook an organizational transformation initiative aimed at unifying the agency, improving mission effectiveness, and enhancing the workplace experience. In March 2021, we reported that CISA had only completed 37 of 94 planned implementation tasks. Critical transformation tasks such as finalizing the mission-essential functions of CISA’s divisions and defining incident management roles and responsibilities across the agency had not yet been completed.

- We recommended that CISA establish expected completion dates, plans for developing performance measures, and an overall deadline for the completion of the transformation initiative, as well as develop a strategy for comprehensive workforce planning.

Address Weaknesses in Federal Agency Information Security Programs

To protect federal information and systems, the Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies to develop, document, and implement information security programs. Congress included a provision in FISMA for GAO to periodically report on agencies’ implementation of the act. In March 2022, we reported on the information security programs of 23 federal civilian agencies, including annually required program reviews to be conducted by agency inspectors general (IG). Among other things, we noted that IGs determined that 16 (or 70 percent) of the 23 agencies had ineffective programs for fiscal year 2020.

We found that OMB’s guidance to IGs on conducting agency evaluations was not always clear, leading to inconsistent application and reporting by IGs. Further, we reported that the binary effective/not effective scale resulted in imprecise ratings that did not clearly distinguish among the differing levels of agencies’ performance. By clarifying its guidance and enhancing its rating scale, OMB could help ensure more a more consistent approach and nuanced picture of agencies’ cybersecurity programs.

- GAO recommended that OMB, in consultation with others, clarify its guidance to IGs and create a more precise overall rating scale.

Enhance the Federal Response to Cyber Incidents

DOD and our nation's defense industrial base (DIB) are dependent on information systems to carry out their operations. These systems continue to be the target of cyberattacks, as demonstrated by over 12,000 cyber incidents DOD has experienced since 2015.

In November 2022, we reported DOD has taken steps to combat these attacks and the number of cyber incidents had declined in recent years. However, we found that the department (1) had not fully implemented its processes for managing cyber incidents, (2) did not have complete data on cyber incidents that staff report, and (3) did not document whether it notifies individuals whose personal data is compromised in a cyber incident.

In addition, according to officials, DOD has not yet decided whether DIB cyber incidents detected by cybersecurity service providers should be shared with all relevant stakeholders. Until DOD examines whether this information should be shared with all relevant parties, opportunities could be lost to identify system threats and improve system weaknesses.

- GAO recommended the Department of Defense improve the sharing of DIB-related cyber incident information and document when affected individuals are notified of a PII breach of their data.

NSA, CISA, and MS-ISAC Release Guidance for Securing Remote Monitoring and Management Software

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released the “Protecting Against Malicious Use of Remote Monitoring and Management Software” Cybersecurity Advisory (CSA) today to help network defenders protect against the malicious use of legitimate remote monitoring and management (RMM) software.

RMM software is commonly used by managed service providers (MSPs) and help desks to provide security and/or technical support. The software is intended to enable network management, endpoint monitoring, and remote interaction with hosts for IT-support functions. Malicious use of RMM software allows cybercriminals and advanced persistent threat (APT) actors to bypass anti-virus/anti-malware defenses.

In October, CISA identified a widespread cyber campaign in which cybercriminal actors leveraged RMM software to gain command and control of devices and accounts. Malicious cyber actors could leverage these same techniques to target National Security Systems (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) networks and use legitimate RMM software on both work and home devices and accounts. Other RMM software solutions could be abused to similar effect.

CISA, NSA, and MS-ISAC encourage network defenders to apply mitigations such as the following:

- Audit installed remote access tools to identify RMM software.
- Implement application controls to prevent execution of unauthorized RMM software.
- Use only authorized RMM software on your network over approved remote access solutions, such as VPN or VDI.
- Block both inbound and outbound connections on common RMM ports and protocols.

Read full report at www.media.defense.gov/2023/Jan/25/2003149873/-1/-1/0/JOINT_CSA_RMM.PDF

Bitzlato: senior management arrested

An operation led by French and US authorities, and strongly supported by Europol, has targeted the crypto exchange platform Bitzlato. The globally operating Hong Kong-registered cryptocurrency exchange is suspected of facilitating the laundering of large amounts of criminal proceeds and converting them into roubles. Law enforcement authorities took down the digital infrastructure of the service, based in France, and interrogated leading members of the platform’s management. The operation also involved law enforcement and judicial authorities from Belgium, Cyprus, Portugal, Spain and the Netherlands.

Targeting crucial crime facilitators such as crypto exchanges is becoming a key priority in the battle against cybercrime. Bitzlato allowed the rapid conversion of various crypto-assets such as bitcoin, ethereum, litecoin, bitcoin cash, dash, dogecoin and USDT into Russian roubles. It is estimated that the crypto exchange platform has received a total of assets worth EUR 2.1 billion (BTC 119 000).

While the conversions of crypto-assets into fiat currencies is not illegal, investigations into the cybercriminal operators indicated that large volumes of criminal assets were going through the platform. The analysis indicated that about 46 % of the assets exchanged through Bitzlato, worth roughly EUR 1 billion, had links to criminal activities.

Cryptanalysis uncovered that the majority of suspicious transactions are linked to entities sanctioned by the Office of Foreign Assets Control (OFAC), with others linked to cyber scams, money laundering, ransomware and child abuse material. For example, investigations showed that 1.5 million BTC transactions have been made directly between Bitzlato users and the Hydramarket, taken down in April 2022.

This exchange platform, available both in Russian and English language, rented dedicated servers from a hosting company in France. The coordinated action of the judicial and law enforcement authorities from the different involved countries led to the takedown of the platform, seizures of present financial assets, and further technical analysis.

Cryptoanalysis and international coordination to uncover links

During the first phases of the investigative activities, Europol facilitated the information exchange, provided analytical support linking available data to various criminal cases within and outside the EU, and supported the investigation through the analysis of millions of cryptocurrency transactions.

On the action day, Europol deployed 13 of its experts on the spot (10 in France, 1 in Cyprus, 1 in Spain and 1 in Portugal) and supported the deployment of national investigators in other countries taking part in the operational activities. Europol supported the law enforcement authorities involved with coordination related to cryptocurrency analysis, cross checking of operational information against Europol’s databases, and operational analysis. At this moment, already over 3 500 bitcoin addresses and over a 1 000 Bitzlato user details showed links with various criminal cases reported in Europol’s systems. Analysis of this data and other related cases is expected to trigger further investigative activities.

Space for Maritime Task Force Launched

The “Space for Maritime Task Force” was recently launched by the European Space Agency (ESA) together with maritime stakeholders at the Italian Coast Guard Headquarters in Rome. The initiative acts on ESA’s vision to boost digital and green solutions, reducing emissions and enabling sustainable innovation.

In recent years, ESA Space Solutions has been cooperating with key stakeholders in the maritime sector via the Business Applications and Space Solutions (BASS) programme. These include a wide range of user communities and classes such as fisheries, coast guards, port authorities, military bodies, shipping companies, commercial operators, and international, national and European institutions. Through this cooperation, ESA has built strategic partnerships and supported several initiatives addressing domains such as maritime sustainability, ship tracking via satellite-based automatic identification systems (AIS), smart routing, autonomous vessels, water quality monitoring, the reduction of marine pollution and the green transition of ports’ eco-systems.

The Italian General Command of the Port Authority Corps - Coast Guard has, for some months, been working on a collaboration with ESA to foresee and enhance the use of space applications aimed at promoting sustainable innovation and transport in the maritime ecosystem. This collaboration has resulted in the creation of a standing committee, called the Space for Maritime Task Force (SMTF).

The Task Force aims to contribute to sustainability and maritime safety by increasing the use of innovative integrated solutions that exploit digital and space technologies, such as communications, navigation, and earth observation. This initiative will leverage active involvement of national institutions, Industry and research entities in the digital transformation of port and maritime services (e-Navigation), with a view to enhancing the sustainability of maritime transport. It will foster the innovative use of space technologies for supporting the shipping sector, for example in its transition to uncrewed shipping, as well as the implementation of a safe integration of uncrewed vessels within maritime transport provision, the monitoring of coastal areas and infrastructures, and maritime surveillance activity (in the domains of safety, security, fishing and the environment). The work will be divided into sub-topics of interest, which for the moment include "maritime sustainability", "green and smart ports" and "safety at sea and maritime security".

The results from the Task Force will be presented to international (International Maritime Organization - IMO) and European bodies, in order to contribute to the development and standardisation of requirements and innovative technologies aimed at improving maritime services. This will allow sustainable economic growth for all players involved. Rita Rinaldo, Head of the Projects & Studies Implementation Division at ESA Space Solutions commented “Collaboration with maritime stakeholders is key for ESA to support innovative solutions that exploit digital and space technologies, and to enable European space and downstream companies to contribute to sustainability and maritime safety.”

Partners in the Task Force include: the General Command of the Port Authority Corps - Coast Guard; European Space Agency (ESA); Italian Space Agency (ASI); National Inter-University Consortium for Telecommunications (CNIT); and the Directorate General for the Supervision of Port System Authorities, Maritime Transport and Inland Waterways.

IOM joins Making Cities Resilient 2030 as supporting entity

The International Organization for Migration’s (IOM) Regional Office for the Middle East and North Africa (MENA) has joined the MCR2030 initiative as a supporting entity. MCR2030 is UNDRR’s flagship program, building on the achievement of the Making Cities Resilient Campaign that began in 2010. It welcomes cities, local governments, and all parties who wish to support cities along the resilience roadmap.

The IOM Regional Office for the MENA region has developed the Urban Diagnostic Toolkit to map gaps in migrants’ integration in urban settings, aimed at increasing urban resilience of migrants, refugees, displaced persons, host societies and local governments by strengthening migrants’ social cohesion in the spatial, institutional, economic, climate and resilience city systems.

Increasingly, IOM and UNDRR collaborate across a range of workstreams from high level policy engagement related to the Sendai Framework for DRR’s Midterm Review process, the Global Platform for DRR and Regional DRR Platforms, and more recently on the Early Warning for All Initiative, COP27 and the Center of Excellence for Disaster and Climate Resilience, which IOM recently joined as a member of the Steering Committee. Partnership also extends to technical cooperation on the implementation of the annual workplan of the Senior Leadership Group for DRR for Resilience inclusive of work to mainstream DRR into humanitarian action. IOM is also supporting UNDRR’s leadership on the development and roll out of Risk Information Exchange and the creation of a second-generation disaster loss accounting platform to replace DesInventar. The latter was recently dialogued under the leadership of UNDRR-UNDP-WMO at the Bonn Technical Expert Forum meeting in late November.

This is the beginning of a new collaboration between the two UN agencies. UNDRR warmly welcomes the new MCR partner to work jointly on paving the road for increasing migrants’ resilience in urban contexts.

MRC2030 is a unique cross-stakeholder initiative for improving local resilience through advocacy, sharing knowledge and experiences, establishing mutually reinforcing city-to-city learning networks, injecting technical expertise, connecting multiple layers of government, and building partnerships. Through delivering a clear roadmap to urban resilience, providing tools, access to knowledge, and monitoring and reporting tools, MCR2030 will support cities on their journey to reduce risk and build resilience.

The impact of cybersecurity in the energy industry

Cyber resilience is a challenge for organizations globally and for the electricity industry in particular. Power systems are among the most complex and critical of all infrastructure types and act as the backbone of economic activity.

Large-scale incidents such as blackouts can have socio-economic ramifications for households, businesses and vital institutions. For example, a six-hour winter blackout in mainland France could result in damages totalling over €1.5 billion ($1.7 billion).

In 2018, the World Economic Forum Centre for Cybersecurity and the Platform for Shaping the Future of Energy, Materials and Infrastructure launched the Cyber Resilience in the Electricity Industry initiative to improve the cyber resilience of global electricity infrastructure. This initiative brought together leaders from more than 50 businesses, governments, civil society and academia to collaborate and develop a clear and coherent cybersecurity vision for protecting the power infrastructure.

Building on the first phase of the initiative, the Forum is now developing a unique exchange platform for cybersecurity leaders across the electricity industry in collaboration with Dragos, EDP, Enel, Hitachi Energy, Iberdrola, Naturgy, Ørsted, Schneider Electric, Siemens Energy, Southern and Vestas. This new platform serves as a central hub where industry experts can exchange knowledge, ideas and best practices to improve cyber resilience as a whole.

By bringing together the leading minds in cybersecurity worldwide, the initiative is fostering collaboration and innovation in this critical field, with the ultimate goal of enhancing the security and reliability of the electricity infrastructure that powers the modern world.

What are the challenges of cybersecurity in the energy industry?

The unprecedented pace of technological change driven by the Fourth Industrial Revolution means that health, transport, communication, production and distribution systems will demand rapidly increasing energy resources to support global digitalization and the advancement of interconnected devices.

Digitalization is driving growth and innovation in the electricity industry and has tremendous potential to deliver shareholder, customer and environmental value. However, new technologies and business models affecting operating assets present both opportunities and risks.

In the past, managing these risks had only meant dealing with issues such as component failure or weather damages, while today’s resilience plans must consider cybersecurity-related threats.

Our approach to strengthening cybersecurity in the energy industry

The Cyber Resilience in the Electricity Industry programme focuses on three main pillars:

- Developing scenarios and use cases that industry executives and boards can use to create a culture of cyber resilience and good governance in the electricity sector.
- Improving the implementation of cyber resilience regulations by fostering dialogue between policy-makers and businesses.
- Improving supply chain resilience by establishing standards for cybersecurity roles and responsibilities across all stakeholders involved to ensure that every entity is taking appropriate steps to protect against cyberthreats.

The initiative has published a series of reports to guide chief executives and board members in meeting the unique challenges of managing cyber risks:

- Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards
- Cyber Resilience in the Electricity Ecosystem: Playbook for Boards and Cybersecurity Officers
- Cyber Resilience in the Electricity Ecosystem: Securing the Value Chain

In 2021, following a request from the European Commission (EC) Energy Directorate, the initiative also developed a collection of 15 lessons learned and recommendations for improvement on the new EC Cybersecurity Directive considering the implications of supply chain attacks and other systemic risks for cybersecurity in the energy industry.

Partnering to Safeguard K–12 organizations from Cybersecurity Threats

CISA has released 'Protecting Our Future: Partnering to Safeguard K–12 organizations from Cybersecurity Threats'. The report provides recommendations and resources to help K-12 schools and school districts address systemic cybersecurity risk. It also provides insight into the current threat landscape specific to the K-12 community and offers simple steps school leaders can take to strengthen their cybersecurity efforts.

The report’s findings state that K-12 organizations need resources, simplicity and prioritization to effectively reduce their cybersecurity risk. To address these issues, CISA provides three recommendations in the report to help K-12 leaders build, operate, and maintain resilient cybersecurity programs:

- Invest in the most impactful security measures and build toward a mature cybersecurity plan.
- Recognize and actively address resource constraints.
- Focus on collaboration and information-sharing.

Along with the report, we are providing an online toolkit which aligns resources and materials to each of CISA’s three recommendations along with guidance on how stakeholders can implement each recommendation based on their current needs. To read the full report and to access the toolkit, visit Protecting Our Future: Partnering to Safeguard K–12 organizations from Cybersecurity Threats.

DHS S&T Develops Portable Outdoor Gunshot Detection Technology for Law Enforcement

A new portable Gunshot Detection System can provide critical information about outdoor shooting incidents almost instantaneously to first responders. The system, called SDS Outdoor, was developed in collaboration between the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and Shooter Detection Systems (SDS) of Rowley, MA.

“Many U.S. gunshot detection technologies are not easily deployed in the field or at temporary locations,” said Dr. Dimitri Kusnezov, DHS Under Secretary for Science and Technology. “This new system can be moved by one or two officers without the need for technicians to transport and set up. This mobile capability will help responders approach gun violence incidents with greater awareness, reducing response times and increasing responder safety.”

The portable system is an enhancement to the current commercial, off-the-shelf Guardian Indoor Active Shooter Detection System. SDS Outdoor uses two factors—the sound and flash of the gunshot—to detect and validate each gunshot, drastically reducing false positives. Most other systems rely principally on sound, which can have higher false positive rates. Moreover, SDS Outdoor can be deployed for temporary events in locations where infrastructure support is not available, such as open-field concerts or pop-up rallies.

Delivery of this mobile system comes after almost two years of development. Prototype testing started in January 2022, and SDS provided a real-time demonstration to a user advisory group in May. It was then tested by S&T’s National Urban Security Technology Laboratory and the First Responder Technology Program team in an Operational Field Assessment at Fort Dix, New Jersey, in November. Feedback from participating law enforcement agencies who participated in the evaluations helped make the system more effective in detecting and alerting responders to gunshots.

“We’ve now transitioned the system to SDS to commercialize the technology and make it available to law enforcement agencies and first responders nationwide,” said Anthony Caracciolo, S&T First Responder Technology program manager. “The new system fills a gap identified by the First Responder Resource Group by extending gunshot detection capabilities to locations that do not support fixed deployments.”

SDS Outdoor also complements other S&T-developed detection and tracking technologies, such as MappedIn Response and Detection of Presence of Life through Walls, giving first responders a more holistic view of what they are dealing with so they can coordinate their responses accordingly.

Your latest issue of Critical Infrastructure Protection & Resilience News has arrived

Please find here your downloadable copy of the Winter 2022-23 issue of Critical Infrastructure Protection & Resilience News for the latest views and news at www.cip-association.org/CIPRNews.

- A Standard to help protect Critical Infrastructure
- Government and Industry Cooperation: More Important Than Ever for Cybersecurity Awareness
- Help2Protect: an eLearning program to counter Insider Threats
- Testing Environments Help S&T and CISA Secure Transportation Infrastructure
- Can responsible AI guidelines keep up with the technology?
- Infrastructure Resilience Planning Framework (IRPF)
- An Interview with Port of New Orleans
- Critical Infrastructure Protection & Resilience North America Preview
- Industry and Agency Reports and News

Download your Critical Infrastructure Protection & Resilience News at www.cip-association.org/CIPRNews

Critical Infrastructure Protection and Resilience News is the official magazine of the International Association of Critical Infrastructure Protection Professionals (IACIPP), a non-profit organisation that provides a platform for sharing good practices, innovation and insights from Industry leaders and operators alongside academia and government and law enforcement agencies.

#CriticalInfrastructureProtection #CriticalInfrastructure #cybersecurity #help2protect #cisa #ciprna #resilience #cooperation

CIPRNA Update Conference Agenda

Critical Infrastructure Protection and Resilience North America will be held in Baton Rouge on 7th-9th March 2023, supported by IACIPP and Infragard Louisiana.

A fanstastic conference agenda addressing some of the big challenges facing CI operator/owners, government, agencies and the broader CI community.

A range of Workshops and Mini-Symposiums help drill deeper into specific sector challenges.

Download the latest CIPRNA agenda at www.ciprna-expo.com/PSG.

Register online at www.ciprna-expo.com/onlinereg

#criticalinfrastructure #criticalinfrastructureprotection #emergencymanagement #cisa #fema #tsa #emergencyresponse #disasterriskreduction #transportsecurity #energysecurity #telecomssecurity #cbrne #cybersecurity #security

1 2 3 46