Category: Association News
News from IACIPP
CIPRNA Announced Preliminary Conference Programme
Critical Infrastructure Protection & Resilience North America, taking place on 12th-14th March 2024 in Lake Charles, Louisiana, and co-hosted by IACIPP and Infragard Louisiana, has announced the Preliminary Conference Program for the 2024 conference and exhibition, and you can download the agenda at www.ciprna-expo.com/PSG.
The Guide provides you the outline program, excellent international expert speakers and schedule of events to help you plan your participation.
You can also register online today and save with the Early Bird delegate rates at www.ciprna-expo.com/register
Confirmed Speakers include:
– Dr David Mussington, Executive Assistant Director for Infrastructure Security, Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA)
- Brian Harrell, VP & Chief Security Officer, AVANGRID
- Michael Hill, Program Specialist, Cybersecurity and Infrastructure Security Agency
- Emilio Salabarria, Senior Program Manager for Cybersecurity, The Florida Center for Cybersecurity: Cyber Florida
- Dr. Srinivas Bhattiprolu, Global Head of Advanced Consulting Services, Nokia
- Ed Landgraf, Chairman, Coastal And Marine Operators
- Kimberly Heyne, ChemLock Program Manager, Cybersecurity and Infrastructure Security Agency (CISA)
- Dan Frazen, CO-CEM, Agriculture Emergency Coordinator (All-Hazards), Colorado Department of Agriculture
- Dr. Joshua Bergerson, Principal Infrastructure Analyst, Argonne National Laboratory
- Chris Essid, Sector Branch Chief, Cybersecurity and Infrastructure Security Agency (CISA)
- Budge Currier, Assistant Director Public Safety Communications, California Office of Emergency Services (Cal OES)
- Terrence Check, Senior Legal Council, CISA
- Rola Hariri, Defense Industrial Base Liaison, Cybersecurity and Infrastructure Security Agency (CISA)
- Lester Millet, President, Infragard Louisiana & Safety Risk Agency Manager, Port of South Louisiana
- Michael Finch, Technology Services Director, Lane County Department of Technology Services
- Richard Tenney, Senior Advisor, Cyber, Cybersecurity and Infrastructure Security Agency (CISA)
- Andrew A Bochman, Senior Grid Strategist-Defender, DOE / Idaho National Lab
- Jim Henderson, CEO, Insider Threat Defense Group
Full speaker list: www.ciprna-expo.com/speakers2024
Download Agenda: www.ciprna-expo.com/PSG
Schedule of Events/Agenda: www.ciprna-expo.com/schedule
List of Exhibitors: www.ciprna-expo.com/exhibition/exhibitors
Registration: www.ciprna-expo.com/register
Join the community in Lake Charles on 12th-14th March 2024 for some more great discussions on securing America's critical infrastructure and assets.
Download latest Preliminary Conference Programme Guide for CIPRE
As someone responsible in your organisations for critical assets and/or infrastructure, Critical Infrastructure Protection and Resilience Europe is the leading conference that will keep you abreast of the changes in legislation, current threats and latest developments.
Download the Preliminary Conference Programme Guide at www.cipre-expo.com/guide.
What is the new directive on the Resilience of Critical Entities...
The Directive on the Resilience of Critical Entities entered into force on 16 January 2023. Member States have until 17 October 2024 to adopt national legislation to transpose the Directive.
The Directive aims to strengthen the resilience of critical entities against a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage, as well as public health emergencies.
Are you up to date on this legislation, and do you know what you need to do to be compliant?
Get updated on the NIS2 Directive and what it means to you...
An important discussion will centre around the EU cybersecurity rules introduced in 2016 and updated by the NIS2 Directive that came into force in 2023. It modernised the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape.
By expanding the scope of the cybersecurity rules to new sectors and entities, it further improves the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole.
Businesses identified by the Member States as operators of essential services in the above sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive.
What will this mean for you and how can you meet the Directives goals?
Critical Infrastructure Protection and Resilience Europe is Europe's leading discussion that brings together leading stakeholders from industry, operators, agencies and governments to collaborate on securing Europe's critical infrastructures.
The conferences top quality programme looks at these developing themes and help create better understanding of the issues and the threats, to help facilitate the work to develop frameworks, good risk management, strategic planning and implementation.
The packed event themes include:
- Interdependencies and Cascading Effects
- Emerging Threats against CI
- Crisis Management, Coordination & Communication
- Power & Energy Sector Symposium
- Government, Defence & Space Sector Symposium
- Communications Sector Symposium
- Information Technology (CIIP) Sector Symposium
- Transport Sector Symposium
- CBRNE Sector Symposium
- Technologies to Detect and Protect
- Risk Mitigation and Management
- The Insider Threat
- Business Continuity Management
- EU Horizon Projects Overviews
You are invited to be a part of this program, where you can meet, network and learn from the experiences of over 40 expert international speakers, as well as industry colleagues who share the same challenges and goals.
Please join us and the CI industry in the beautiful city of Prague, on 3rd-5th October, for a great programme of discussions that can help you to deliver enhanced security and resilience for your organisation.
Visit www.cipre-expo.com for further details
Your latest issue of Critical Infrastructure Protection & Resilience News has arrived
Please find here your downloadable copy of the Summer 2023 issue of Critical Infrastructure Protection & Resilience News for the latest views and news at www.cip-association.org/CIPRNews.
- The CNI / Crowded Places Security Debate
- Beyond Physical Protection
- Hybrid Threats
– A Comprehensive Resilience Ecosystem
- Artificial Intelligence and Cybersecurity Research
- Resilience in action
- An Interview with EU-CIP Project
- IBM Report: Half of Breached Organizations Unwilling to Increase Security Spend Despite Soaring Breach Costs
- Using the EU Space Programme for disaster risk management in Hungary
- An Interview with TIEMS
- Critical Infrastructure Protection and Resilience Europe Preview
- Agency and Industry News
Download your Critical Infrastructure Protection & Resilience News at www.cip-association.org/CIPRNews
Critical Infrastructure Protection and Resilience News is the official magazine of the International Association of Critical Infrastructure Protection Professionals (IACIPP), a non-profit organisation that provides a platform for sharing good practices, innovation and insights from Industry leaders and operators alongside academia and government and law enforcement agencies.
#CriticalInfrastructureProtection #CriticalInfrastructure #cybersecurity #help2protect #cisa #ciprna #cipre #resilience #cooperation #emergencymanagement #emergencyresponse #crisismanagement #businesscontinuity #crisisresponse #mitigation
IACIPP Speak at CyberCon Conference in Bucharest
John Donlon QPM FSyI, Chairman of the International Association of Critical Infrastructure Protection Professionals (IACIPP), was a guest speaker on behalf of the National Institute for Research & Development in Informatics (ICI Bucharest) at the CyberCon Conference which took place in Romania between the 22nd and 27th May.
John was on a panel session addressing the subject of Cyber Diplomacy. The session was moderated by Carmen-Elena CÎRNU, the Scientific Director of ICI Bucharest and opened by the Director General of ICI Bucharest, Victor Vevera. In his opening address Victor referenced the Romanian position on Cyber Diplomacy from his organisations perspective and also highlighted the continuing partnership with IACIPP and the successful joint conference held in the Romanian Royal Place in 2022.
John delivered a presentation where he outlined his views on how the type and nature of the crisis being faced within our increasingly interconnected, globalised and rapidly changing world were ever evolving referencing the pandemic, the war in Ukraine and the devastating earthquakes that hit Turkey and Syria at the start of this year.
He summarised the development of IACIPP and what it seeks to achieve as a platform for likeminded individuals. The aim being to create a space to share information, connect and communicate on all matters relating to the protection and resilience of national infrastructure and information. The focus being on the part that such an association can play in facilitating communication across both the public and private sectors.
That need for connectivity was a common thread throughout the session. It was acknowledged that the worlds infrastructure and cyber position is a greater target and more vulnerable than ever and in order to address issues of concern there is a requirement to continue to develop a comprehensive approach that aligns both physical and cyber security, protection and resilience through enhanced levels of cooperation and coordination.
There was consensus across the panel and from the audience, of the continued need for greater levels of coordination, cooperation and communication across both nation states and between public and private sector entities.
It was recognised that the development of Cyber Diplomacy along with the growth in Cyber Ambassadors across the globe could go some significant way to addressing cyber problems internationally and improving the connectivity that has to be in place.
Your latest issue of Critical Infrastructure Protection & Resilience News has arrived
Please find here your downloadable copy of the Winter 2022-23 issue of Critical Infrastructure Protection & Resilience News for the latest views and news at www.cip-association.org/CIPRNews.
- A Standard to help protect Critical Infrastructure
- Government and Industry Cooperation: More Important Than Ever for Cybersecurity Awareness
- Help2Protect: an eLearning program to counter Insider Threats
- Testing Environments Help S&T and CISA Secure Transportation Infrastructure
- Can responsible AI guidelines keep up with the technology?
- Infrastructure Resilience Planning Framework (IRPF)
- An Interview with Port of New Orleans
- Critical Infrastructure Protection & Resilience North America Preview
- Industry and Agency Reports and News
Download your Critical Infrastructure Protection & Resilience News at www.cip-association.org/CIPRNews
Critical Infrastructure Protection and Resilience News is the official magazine of the International Association of Critical Infrastructure Protection Professionals (IACIPP), a non-profit organisation that provides a platform for sharing good practices, innovation and insights from Industry leaders and operators alongside academia and government and law enforcement agencies.
#CriticalInfrastructureProtection #CriticalInfrastructure #cybersecurity #help2protect #cisa #ciprna #resilience #cooperation
CISA Issue Apache Log4j Vulnerability Guidance
CISA and its partners, through the Joint Cyber Defense Collaborative, are responding to active, widespread exploitation of a critical remote code execution (RCE) vulnerability (CVE-2021-44228) in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1, known as "Log4Shell" and "Logjam." Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.
Apache released Log4j version 2.15.0 in a security update to address the CVE-2021-44228 vulnerability. However, in order for the vulnerability to be remediated in products and services that use affected versions of Log4j, the maintainers of those products and services must implement this security update. Users of such products and services should refer to the vendors of these products/services for security updates. Given the severity of the vulnerability and the likelihood of an increase in exploitation by sophisticated cyber threat actors, CISA urges vendors and users to take the following actions.
Vendors
Immediately identify, mitigate, and patch affected products using Log4j.
Inform your end users of products that contain this vulnerability and strongly urge them to prioritize software updates.
Affected Organizations
In addition to the immediate actions—to (1) enumerate external-facing devices that have Log4j, (2) ensure your SOC actions alerts on these devices, and (3) install a WAF with rules that automatically update—as noted in the box above, review CISA's upcoming GitHub repository
for a list of affected vendor information and apply software updates as soon as they are available. See Actions for Organizations Running Products with Log4j below for additional guidance. Note: CISA has added CVE-2021-44228 to the Known Exploited Vulnerabilities Catalog, which was created according to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. In accordance with BOD 22-01, federal civilian executive branch agencies must mitigate CVE-2021-44228 by December 24, 2021.
Technical Details
This RCE vulnerability—affecting Apache’s Log4j library, versions 2.0-beta9 to 2.14.1—exists in the action the Java Naming and Directory Interface (JNDI) takes to resolve variables. According to the CVE-2021-44228 listing, affected versions of Log4j contain JNDI features—such as message lookup substitution—that "do not protect against adversary-controlled LDAP [Lightweight Directory Access Protocol] and other JNDI related endpoints."
An adversary can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows the adversary to take full control over the system. The adversary can then steal information, launch ransomware, or conduct other malicious activity.
Actions for Organizations Running Products with Log4j
CISA recommends affected entities:
Review Apache’s Log4j Security Vulnerabilities page for additional information and, if appropriate, apply the provided workaround:
In releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
For releases from 2.7 through 2.14.1 all PatternLayout patterns can be modified to specify the message converter as %m{nolookups} instead of just %m.
For releases from 2.0-beta9 to 2.7, the only mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.
Apply available patches immediately. See CISA's upcoming GitHub repository for known affected products and patch information.
Prioritize patching, starting with mission critical systems, internet-facing systems, and networked servers. Then prioritize patching other affected information technology and operational technology assets.
Until patches are applied, set log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=True to the Java Virtual Machine command for starting your application. Note: this may impact the behavior of a system’s logging if it relies on Lookups for message formatting. Additionally, this mitigation will only work for versions 2.10 and above.
As stated above, BOD 22-01 directs federal civilian agencies to mitigate CVE-2021-44228 by December 24, 2021, as part of the Known Exploited Vulnerabilities Catalog.
Conduct a security review to determine if there is a security concern or compromise. The log files for any services using affected Log4j versions will contain user-controlled strings.
Consider reporting compromises immediately to CISA and the FBI.
.
Critical Infrastructure Protection and Resilience North America announce Preliminary Conference Programme for October
Download your Preliminary Conference Program guide today at www.ciprna-expo.com/PSG
As the recent Ransomware attacks on Colonial Pipeline, JBS, Dassault Falcon Jet Corp, CNA Financial, and others has demonstrated, as well as the on-going threats from natural hazards/disasters, terrorist attacks and man-made disasters, it is becoming increasingly important for policies and procedures to be implemented to protect our critical infrastructure for a more secure nation.
It gives us great pleasure to invite you to join us at Critical Infrastructure Protection and Resilience North America in New Orleans, Louisiana, for what will be 3 days of exciting and informative discussions on securing North America’s critical infrastructure.
With a leading line up of international expert speakers, sharing their knowledge, expertise and experiences, we know you will find this a most rewarding and enjoyable event and look forward to seeing you in New Orleans, for the next in-person meeting on October 19th-21st, 2021, where we will ensure a safe and Covid compliant environment for discussing how to secure North America's critical infrastructure.
Download your Preliminary Conference Program guide today at www.ciprna-expo.com/PSG and discover more on this premier conference program, expert speakers and showcase exhibiting companies.
Register today and save $$$ on your conference delegate pass with the early bird.
You can register online today at www.ciprna-expo.com/onlinereg
#criticalinfrastructureprotection #resilience #cybersecurity #disasterprevention #riskmanagement #businesscontinuity #government #emergencymanagement #security #infrastructure