CISA Issue Apache Log4j Vulnerability Guidance

CISA and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as "Log4Shell" and "Logjam." Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.

Apache released Log4j version 2.15.0 in a security update to address the CVE-2021-44228 vulnerability. However, in order for the vulnerability to be remediated in products and services that use affected versions of Log4j, the maintainers of those products and services must implement this security update. Users of such products and services should refer to the vendors of these products/services for security updates. Given the severity of the vulnerability and the likelihood of an increase in exploitation by sophisticated cyber threat actors, CISA urges vendors and users to take the following actions.

Vendors
Immediately identify, mitigate, and patch affected products using Log4j.
Inform your end users of products that contain this vulnerability and strongly urge them to prioritize software updates.
Affected Organizations
In addition to the immediate actions—to (1) enumerate external-facing devices that have Log4j, (2) ensure your SOC actions alerts on these devices, and (3) install a WAF with rules that automatically update—as noted in the box above, review CISA's upcoming GitHub repository

for a list of affected vendor information and apply software updates as soon as they are available. See Actions for Organizations Running Products with Log4j below for additional guidance. Note: CISA has added CVE-2021-44228 to the Known Exploited Vulnerabilities Catalog, which was created according to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. In accordance with BOD 22-01, federal civilian executive branch agencies must mitigate CVE-2021-44228 by December 24, 2021.

Technical Details

This RCE vulnerability—affecting Apache’s Log4j library, versions 2.0-beta9 to 2.14.1—exists in the action the Java Naming and Directory Interface (JNDI) takes to resolve variables. According to the CVE-2021-44228 listing, affected versions of Log4j contain JNDI features—such as message lookup substitution—that "do not protect against adversary-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI related endpoints."

An adversary can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity.
Actions for Organizations Running Products with Log4j

CISA recommends affected entities:

Review Apache’s Log4j Security Vulnerabilities page for additional information and, if appropriate, apply the provided workaround:
In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
For releases from 2.7 through 2.14.1 all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m.
For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
Apply available patches immediately. See CISA's upcoming GitHub repository for known affected products and patch information.

Prioritize patching, starting with mission critical systems, internet-facing systems, and networked servers. Then prioritize patching other affected information technology and operational technology assets.
Until patches are applied, set log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=True to the Java Virtual Machine command for starting your application. Note: this may impact the behavior of a system’s logging if it relies on Lookups for message formatting. Additionally, this mitigation will only work for versions 2.10 and above.
As stated above, BOD 22-01 directs federal civilian agencies to mitigate CVE-2021-44228 by December 24, 2021, as part of the Known Exploited Vulnerabilities Catalog.

Conduct a security review to determine if there is a security concern or compromise. The log files for any services using affected Log4j versions will contain user-controlled strings.
Consider reporting compromises immediately to CISA and the FBI.
.

Critical Infrastructure Protection and Resilience North America announce Preliminary Conference Programme for October

Download your Preliminary Conference Program guide today at www.ciprna-expo.com/PSG

As the recent Ransomware attacks on Colonial Pipeline, JBS, Dassault Falcon Jet Corp, CNA Financial, and others has demonstrated, as well as the on-going threats from natural hazards/disasters, terrorist attacks and man-made disasters, it is becoming increasingly important for policies and procedures to be implemented to protect our critical infrastructure for a more secure nation.

It gives us great pleasure to invite you to join us at Critical Infrastructure Protection and Resilience North America in New Orleans, Louisiana, for what will be 3 days of exciting and informative discussions on securing North America’s critical infrastructure.

With a leading line up of international expert speakers, sharing their knowledge, expertise and experiences, we know you will find this a most rewarding and enjoyable event and look forward to seeing you in New Orleans, for the next in-person meeting on October 19th-21st, 2021, where we will ensure a safe and Covid compliant environment for discussing how to secure North America's critical infrastructure.

Download your Preliminary Conference Program guide today at www.ciprna-expo.com/PSG and discover more on this premier conference program, expert speakers and showcase exhibiting companies.

Register today and save $$$ on your conference delegate pass with the early bird.
You can register online today at www.ciprna-expo.com/onlinereg

#criticalinfrastructureprotection #resilience #cybersecurity #disasterprevention #riskmanagement #businesscontinuity #government #emergencymanagement #security #infrastructure

IACIPP Concerned at Increasing Ransomware Attacks Against Critical Infrastructure

The International Association of CIP Professionals (IACIPP) is concerned about the increasing threat and ransomware attacks against critical infrastructure and in particular the energy sector.
As has been demonstrated by the recent ransomware attack on Colonial Pipeline in North America, and the impact this has had across other infrastructure services, and the wider economic impact on, for example, the price of petrol and oil, such attacks should be a concern to us all.
"The attack on the Colonial Pipeline Industrial Control System was not a total surprise. For years, our pipeline infrastructure and other critical infrastructures have experienced an ever-increasing level of probes and attacks.  The ICS owners and operators must be vigilant and assure their systems are continuously monitored and armed with the latest cyber protection tools." Commented Dr. Ron Martin, CPP,  Professor of Practice: Critical Infrastructure, Industrial Control System Security, and Access and Identity Management at Capitol Technology University.
Although the FBI and other federal and private cybersecurity entities are working to mitigate the effects of the attack on Colonial Pipeline, there needs to be the wider discussion and collaboration across industry sectors to prepare for future attacks to mitigate future economic impact such attacks cause.
“Our critical infrastructure sectors are the modern day battlefield and cyber space is the great equalizer. Hacker groups can essentially attack with little individual attribution and virtually no consequence. With over 85% of all infrastructure owned and operated by the private sector, significant investment and attention must be placed on hardening key critical systems. I anticipate more attacks like this happening in the future. A key lesson here is that while technology and automation is good, we must also have the ability to efficiently operate manually as well. Attacks will happen, but how quick can you recover and restore critical services?” commented Brian Harrell, Strategic Adviser to IACIPP and Former Assistant Secretary for Infrastructure Protection.
CISA and the Federal Bureau of Investigation (FBI) have recently released a Joint Cybersecurity Advisory (CSA) on a ransomware-as-a-service (RaaS) variant—referred to as DarkSide—recently used in a ransomware attack against Colonial Pipeline.
Chuck Brooks, President of Brooks Consulting International and cyber expert, commented, “Protecting critical infrastructure needs to be a shared responsibility of both the public and private sectors. The energy sector become a preferred target of sophisticated hackers often in collusion with nation state actors. The cost of breach as evidenced in the Colonial pipeline ransomware attack can be disruptive to commerce and impact many industry verticals. “
“Critical infrastructure needs to be fortified from cyberattacks and physical attacks in a joint government/industry collaboration. Resources need to be invested in emerging automation technologies and training. IT and OT systems need to be monitored at the sensor level for anomalies. Sensitive operations need to be segmented and air gapped. Back up of data is an imperative and resiliency a requirement for all critical infrastructure operations. It may take new laws and regulations, but it needs to be done.” Concluded Mr Brooks.
The cyberattack against Colonial Pipeline that was discovered on May 7 underscores the growing impact of cyberthreats on industrial sectors. While the investigation is ongoing and important lessons from this attack will be extracted in the next few weeks, the fact that Colonial Pipeline had to pro-actively take their OT systems offline after starting to learn about which IT systems were impacted by the ransomware is significant.
John Donlon QPM the Chairman of IACIPP stated - ‘This type of attack comes as no real surprise. It is consistent with recent trends and what is really quite concerning is the fact that the scale and impact of such events continue to escalate. We have seen recent Government activity across the Western world seeking to put in place support to Infrastructure Owners and Operators but the speed of new attack methodologies, either through nation-state actors or criminal groups, means it is not always easy to keep ahead of the curve. Unfortunately, I believe we will continue to see even greater escalation in the power of attacks being executed and therefore the breadth and depth of collaboration between governments and the private sector has to develop at pace’.
This will also be subject to a case study panel discussion at Critical Infrastructure Protection and Resilience North America (www.ciprna-expo.com) in New Orleans LA on 19th - 21st of October 2021.

Latest issue of World Security Report has arrived

The Spring 2021 issue of World Security Report for the latest industry views and news, is now available to download.
In the Spring 2021 issue of World Security Report:
- Phenomena or Just a ‘Bad Karma’
- Towards 2021 – Upcoming Organisation Risk & Resiliency Trends
- Maritime Domain Awareness - An Essential Component of a Comprehensive Border Security Strategy
- Security and Criminology- Risk Investigation and AI
- Resilience and Social Unrest
- State Sponsored Terror
- IACIPP Association News
- Industry news
Download your copy today at www.cip-association.org/WSR

IACIPP and Capitol Sign Agreement to Advance Worldwide Critical Infrastructure Awareness and Knowledge

Capitol Technology University and the International Association of Critical Infrastructure Protection Professionals (IACIPP) signed a Memorandum of Understanding (MOU) to develop a partnership that will extend efforts to improve the training and education of Critical Infrastructure Students and professionals. Both parties recognize a high demand for worldwide cooperation to increase the effectiveness of research, education, and activities in the critical infrastructure field of study. This MOU will facilitate the development of joint seminars, conferences, and training courses.
“As an Association we aim to deliver discussion and innovation— on many of the serious infrastructure, protection, management, and security challenges—facing both industry and governments. The ever changing and evolving nature of threats, whether natural through climate change or man-made through terrorism activities, either physical or cyber, means there is a continual need to review and update policies, practices, training, and technologies to meet these growing and changing demands,” said John Donlon QPM, Chairman IACIPP. “This partnership with Capitol Technology University enables both parties to develop and enhance objectives through education and training.”
A nation’s critical infrastructure provides the essential services that underpin a society. Proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning, and resilient critical infrastructure— including assets, networks, and systems—that are vital to public confidence and a nation’s safety, prosperity, and well-being.
Critical infrastructure must be secure and able to withstand and rapidly recover from all hazards. Achieving this will require integration with the national preparedness system across prevention, protection, mitigation, response, and recovery.
The International Association of Critical Infrastructure Protection Professionals (IACIPP) is an international association of practitioners and professionals involved in the security, resilience and safety of critical infrastructure, both physical and information infrastructure.
The IACIPP is open to critical infrastructure operators and government agencies, including site managers, security officers, government agency officials, policy makers, research & academia. The Association also aims to share ideas, information, experiences, technology and best practices to enhance these objectives.
Capitol Technology University, located in Laurel, Maryland, is an independent institution that has focused on STEM education since 1927. Capitol Tech, the national winner of the 2020 SC Media Award for Best Cybersecurity Higher Education Program, offers hands-on courses taught by industry experts that lead to undergraduate and graduate degrees in emerging fields such as Mechatronics Engineering and Artificial Intelligence.

Latest issue of World Security Report has arrived

The Winter 2020-21 issue of World Security Report for the latest industry views and news, is now available to download.
In the Winter 20-21 issue of World Security Report:
- Priority of Protecting Digital Critical Infrastructure Will Grow in 2021, by Chuck Brooks
- A view of Facility Industrial Control System Security, by Ron Martin
- The Need for Higher Level Strategic Approaches to Cyber Security, by Bonnie Butler
- Critical Infrastructure Protection Starts at the Perimeter
- Effective Security Options for Healthcare Facilities
- African Terror Groups ‘Rebrand’ as Islamic State
- IACIPP Association News
- Industry news
Download your copy today at www.cip-association.org/WSR

Brian Harrell Welcomed as Strategic Advisor to the International Association of Critical Infrastructure Protection Professionals

The International Association of Critical Infrastructure Protection Professionals (IACIPP) is delighted to announce the appointment of Brian Harrell as Strategic Advisor to the Board.

In 2018 Brian was appointed by the President of the United States to serve as the sixth Assistant Secretary for Infrastructure Protection, at the Department of Homeland Security. He also served as the first Assistant Director for Infrastructure Security at the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Brian currently serves as the Vice President and Chief Security Officer (CSO) at AVANGRID, an energy company with assets and operations in 24 states. He is responsible for the companies physical and cybersecurity, security compliance, enterprise risk governance, and fire protection units.

His breadth of experience spanning both the private sector and his involvement at the highest levels of governmental/policy positions will no doubt add great value to our Association.

Brian is nationally recognized for his efforts on critical infrastructure protection, continuity of operations, and enterprise risk management. Advising corporations throughout North America, Brian has worked to increase physical and cybersecurity mitigation measures designed to deter, detect, and defend critical systems.

Brian is also a Senior Fellow at Auburn University, McCrary Institute For Cyber and Critical Infrastructure Security where he serves as an advisor on infrastructure protection and cybersecurity policy initiatives.

Brian has spent time during his career in the US Marine Corps and various private sector agencies with the goal of protecting the United States from security threats.

John Donlon QPM, Chairman of the IACIPP said, “I am delighted that Brian has accepted the position as Strategic Advisor with us. He has a wealth of experience both as a security practitioner and in an oversight capacity, so will be a tremendous asset to the and the global CNI community. “

“The IACIPP continues to welcome new members who share the desire to engage with likeminded individuals seeking to enhance the protection and resilience of infrastructure across the globe.” Concluded Mr Donlon.

Membership is open to government agencies and operators, so if you would like to become a part of our organisation, you can register at: http://www.cipre-expo.com/iacipp-registration

New Dates for Critical Infrastructure Protection & Resilience North America

Critical Infrastructure Protection and Resilience North America (CIPRNA) has announced its rescheduled dates of 19th-21st October 2021 in New Orleans, USA, with the support of Infragard Louisiana.

Postponed due to the Covid-19 pandemic CIPRNA will reconvene in New Orleans in October 2021 to continue the important discussions for governments, agencies, operator/owners and stakeholders for collaboration in securing and protecting America's critical infrastructure, and are currently inviting abstracts for consideration for presentation in the programme.

CIPRNA is the premier conference discussion for securing North America's critical infrastructure.

Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience advances a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure.
The Nation’s critical infrastructure provides the essential services that underpin American society. Proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning, and resilient critical infrastructure – including assets, networks, and systems – that are vital to public confidence and the Nation’s safety, prosperity, and well-being.
Critical infrastructure must be secure and able to withstand and rapidly recover from all hazards. Achieving this will require integration with the national preparedness system across prevention, protection, mitigation, response, and recovery.

Further details at www.ciprna-expo.com

IACIPP contribute Foreward to industry book

In the modern age of urbanization, the mass population is becoming progressively reliant on technical infrastructures. These industrial buildings provide integral services to the general public including the delivery of energy, information and communication technologies, and maintenance of transport networks. The safety and security of these structures is crucial as new threats are continually emerging.

Safety and Security Issues in Technical Infrastructures is a pivotal reference source that provides vital research on the modernization of occupational security and safety practices within information technology-driven buildings. While highlighting topics such as explosion process safety, nanotechnology, and infrastructural risk analysis, this publication explores current risks and uncertainties and the raising of comprehensive awareness for experts in this field. This book is ideally designed for security managers, safety personnel, civil engineers, architects, researchers, construction professionals, strategists, educators, material scientists, property owners, and students.

Safety and Security Issues in Technical Infrastructures edited by: David Rehak (VSB – Technical University of Ostrava, Czech Republic), Ales Bernatik (VSB – Technical University of Ostrava, Czech Republic), Zdenek Dvorak (University of Zilina, Slovakia) and Martin Hromada (Tomas Bata University in Zlin, Czech Republic).

IACIPP has contributed the Foreward to this new book.

Further details can be viewed at:
https://www.igi-global.com/book/safety-security-issues-technical-infrastructures/239916

Regional Director Bill Bailey to present at Asia Risk & Resilience

Dr Bill Bailey,  BA(Hons) MA, MCIL, PhD, Regional Director Australasia for the International Association of Critical Infrastructure Protection Processionals (IACIPP) and Adjunct Senior Lecturer, Edith Cowan University, Security Research Centre, Perth, Australia, will be presenting on 'PROTECTING CRITICAL INFASTRUCTURE: HOW TO USE A PROACTIVE SECURITY MANAGEMENT PROCESS TO ACHIEVE SUSTAINABLE RISK' at the 2019 Risk & Resilience Asia Conference in Singapore on 28th-30th August.

The protection of critical infrastructure assets is vital to every government, organisation, business and person. If the asset forms part of the essential critical infrastructure, then the loss can be catastrophic and far reaching with considerable national consequences. To avoid such damaging outcomes, requires a wide range of in-built security planning, structures, and operating procedures. A solution is to use a more adaptive, proactive, comprehensive security management process to: prevent, detect, deter, respond and defeat potential damaging events and incidents. Core to this security planning is a full understanding of the potential consequences of worst-case-scenarios as well as implementing a multi-layered intelligence gathering capabilities.  Adopting a process driven model is a more proactive approach and grounded upon current operational procedures used by major international companies in hostile and dangerous environments. By utilizing such a clearly defined comprehensive risk management tool, a more systematic security, threat, risk and vulnerability assessment (STRVA), process can be developed.

1 2