DOD computer systems contain vast amounts of sensitive data, including CUI that can be vulnerable to cyber incidents. In 2015, a phishing attack on the Joint Chiefs of Staff unclassified email servers resulted in an 11-day shutdown while cyber experts rebuilt the network. This affected the work of roughly 4,000 military and civilian personnel.
In response to Section 1742 of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, in June 2021 DOD submitted a report to the Congress on cybersecurity of CUI. The report discussed the extent to which DOD had implemented selected cybersecurity requirements across the department. The act included a provision for GAO to review DOD's report, and GAO has continued to monitor the department's subsequent progress.
This report describes (1) the status of DOD components' implementation of selected CUI cybersecurity requirements; and (2) actions taken by the DOD CIO to address the security of CUI systems.
GAO's review focused on the department's approximately 2,900 CUI systems. GAO examined relevant CUI cybersecurity requirements and data from DOD information technology tools. Also, GAO analyzed documentation such as relevant DOD cybersecurity policies and guidance on monitoring the implementation of cybersecurity requirements, and interviewed DOD officials.
The Department of Defense (DOD) has reported implementing more than 70 percent of four selected cybersecurity requirements for controlled unclassified information (CUI) systems, based on GAO's analysis of DOD reports (including a June 2021 report to Congress) and data from DOD's risk management tools. These selected requirements include (1) categorizing the impact of loss of confidentiality, integrity, and availability of individual systems as low, moderate, or high; (2) implementing specific controls based in part on the level of system impact; and (3) authorizing these systems to operate. As of January 2022, the extent of implementation varied for each of the four requirement areas. For example, implementation ranged from 70 to 79 percent for the cybersecurity maturity model certification program DOD established in 2020, whereas it was over 90 percent for authorization of systems to operate.
DOD is not required to implement all 266 security controls. In some cases, a specific security control may not be applicable to a particular system due to its function. Also, there are some systems for which the authorizing officials may need to implement security controls that are in addition to the 266 identified as moderate-impact for confidentiality because of the type of information that is stored or transmitted in that system.
As the official responsible for department-wide cybersecurity of CUI systems, the DOD Office of the Chief Information Officer (CIO) has taken recent action to address this area. Specifically, in October 2021 the CIO issued a memorandum on implementing controls for CUI systems. The memo identified or reiterated requirements that CUI systems must meet. These included requiring additional supply chain security controls and reiterating that all CUI systems have valid authorizations to operate. In addition, the CIO reminded system owners of the March 2022 deadline for all DOD CUI systems to implement necessary controls and other requirements. The Office of the CIO has been monitoring DOD components' progress in meeting this deadline.
The Cybersecurity and Infrastructure Security Agency convened a three-hour call with over 13,000 industry stakeholders to provide an update on the potential for Russian cyberattacks against the U.S. homeland and answer questions from a range of stakeholders across the nation.
As President Biden noted, evolving intelligence indicates that the Russian Government is exploring options to conduct potential cyberattacks against the United States. CISA echoed the President’s warning on the call and reinforced the urgent need for all organizations, large and small, to act now to protect themselves against malicious cyber activity.
On the three-hour call, CISA Director Jen Easterly, Deputy Executive Assistant Director for Cybersecurity Matt Hartman, and Tonya Ugoretz, Deputy Assistant Director for the FBI’s cyber division, encouraged organizations of all sizes to have their Shields Up to cyber threats and take proactive measures now to mitigate risk to their networks. They encouraged those on the line to visit CISA.gov/Shields-Up to take action to protect their organizations and themselves and urged all critical infrastructure providers to implement the mitigation guidelines enumerated on CISA.gov/Shields-Up, including:
- Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;
- Update the software on your computers and devices to continuously look for and mitigate threats;
- Back up your data and ensure you have offline backups beyond the reach of malicious actors;
- Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;
- Encrypt your data;
- Sign up for CISA’s free cyber hygiene services; and
- Educate your employees about common tactics that attackers use over email or through websites, and encourage them to report if their computers or phones show unusual behavior, such as unusual crashes or operating very slowly.
Director Easterly urged all organizations, regardless of size, to contact CISA immediately if they believe they may have been impacted by a cyber incident. When cyber incidents are reported quickly, CISA can use the information to render assistance and help prevent other organizations and entities from falling victim to a similar attack.
The event built on a series of briefings that CISA has been convening since late 2021 with U.S. Government and private sector stakeholders at both classified and unclassified levels. This outreach was provided to Federal Civilian Executive Branch Agencies, Sector Risk Management Agencies, private sector partners, state, local, tribal, and territorial (SLTT) governments, and international partners. To date, CISA has hosted or participated in more than 90 engagements reaching tens of thousands of partners.
The pandemic resulted in an economic meltdown accompanied by crime-related issues. The Russian and Ukrainian saga is a global threat because it impacts energy security globally. Oil and natural gas are the foundation of all costs of living. Besides this, Ukraine exports grains to many countries, which will add to the cost of food such as cooking oil, bread and beer.
A second economic meltdown, after the pandemic that initially battered the economy, would be a massive blow to all financial sectors and industries.
Kunwar Singh, Chairman of CAPSI | Central Association for Private Security Industry, states: ‘The private security industry is larger than any military force in the world. The private security industry has the skills to manage the behaviour of the population. Furthermore, the industry has the skills, technology and equipment to find the crime and stop it more effectively. Simply put, the security industry is providing more eyes on the ground, therefore supporting the police in locating and catching criminals. The security industry must be acknowledged as a vital partner by the regulators.’
CAPSI (Central Association for Private Security Industry), ISIO (International Security Industry Organization) and SASA (representing 9.15 million practitioners) call upon all security regulators worldwide to take certain steps to ensure a wider market for legitimate traders. The regulators must protect the industry against illegitimate security companies and practitioners, as well as criminal elements that could attempt to penetrate the industry.
Learning from History
Past economic meltdowns recorded long lines of unemployed and hungry people. The recent and current statistics related to the pandemic-induced meltdown affirm once again that many are jobless. Every country may have experienced the same or its own unique issues relating to the associated crime. One could deduce that, whatever the statistics were and regardless of location, the levels of crime escalated. Recent demonstrations and riots are one example: these occurred in certain countries that experienced massive mobs protesting against vaccinations.
In specific locations there were mass groups looting under the guise of a politically induced narrative. There were small mob attacks directed towards migrant-owned small businesses, as well as an increased number of pro-nationalist demonstrations against businesses that employ migrants, under the banner ‘give the jobs to the citizens’. Practitioners should consult the crime statistics for their own location; they may be surprised at the overall escalation, but should pay attention to specific crimes.
Possibilities of crime in this economic meltdown
The biggest threat on the ground would be to logistics: gangs hijacking and stealing tankers carrying petrol, food and, for that matter, anything else. These are soft targets on wheels, already carrying high-value goods without effective security systems. Any interruption in the logistics chain could cause chaos.
Each location and field of interest more than likely experiences bribery and corruption of some kind for jobs. Consider expanding your crime research to cover this when assessing the vulnerability landscape, because this crime could lead to major reputational damage that obviously affects revenues.
Tony Botes of SASA | South African Security Association says: ‘When a country has major job losses, desperate people can do anything. It is vital to protect the entire logistics chain, from the warehouses stocking all goods to the vehicles as well as the route, because empty burnt trucks could shut the road for days, causing high anxiety for the population.’
Profit Protection: Clients and Security Companies
Clients should avoid the reputational damage and lawsuits that can result from using unlicensed security practitioners.
• When using an unlicensed security company, consider that there is no oversight or governance, and no assurance that its staff have been vetted. This could lead to organized or gang crime using the assets of the business for its own needs, or to the staff adding to the loss of profits in some way or other.
Avoid reputational damage by using professional companies
• When security companies cut rates to clients by cutting costs, they may not be training their staff properly or managing the site professionally. People carry phones that can record bad behaviour, and social media could destroy reputations, which could be costly.
False alarms: Attending to false alarms costs money. AI (artificial intelligence) saves the client money because the technology is able to distinguish a false alarm from a genuine one.
Also, AI can:
• notify the appropriate people to respond, so that money is not wasted on the time and transportation of people who are not needed;
• stop some perpetrators before the crime is fully realized, or catch them quickly, saving money and anxiety;
• reduce the percentage of the budget spent on loss prevention;
• identify an individual perpetrator or a forming mob and activate countermeasures to reduce the collateral damage and related costs;
• free up more security investigators to focus on looking for crime or on handling and stopping aggressive and violent behaviour.
Avoid chaos: Some sites could experience specific issues because of the desperation of people. Sites with a high probability of such issues may demand strategic security. Chaos can be expensive when the collateral damage includes staff being hospitalized and assets destroyed or stolen, besides the time needed to repair everything and the loss of revenue.
• The professional security company would ensure that the workforce at the entrance control is layered by specific skillsets to reduce the probability of aggressive and violent behaviour.
The economic meltdown can bring a larger number of criminals and a wider scope of criminal methods onto the stage and into the spotlight. This calls for heightened security measures. Criminals may attempt to penetrate buildings for nefarious purposes such as home invasion, burglary, rape, murder or kidnapping. It costs dearly to repair people emotionally or to replace assets.
• AI can assist through applications such as allowing entry only to recognized, approved people, on their own or escorting others. Obviously, all entry and exit points need to be covered.
• Stop tailgating entry by opportunistic perpetrators.
Protect specific assets: The theft of company secrets could cost a company tremendously in lost market share (money) without it even knowing.
Juan Kirsten of ISIO | International Security Industry Organization remarks that ‘the security industry has had years of experience in using all types of security technology, for example CCTV and alarm systems. It is coincidental that AI has matured to the degree that it must be considered a vital tool to use for this threat on the ground. The vulnerability landscape can change speedily and dramatically, which calls for devices such as drones, IoT, or software that can improve comprehension of the situation and reaction to it, accordingly and timeously.’
The EU Agency for Cybersecurity (ENISA) proposes good practices for the secure deployment of Network Function Virtualisation (NFV) in 5G networks.
Network Function Virtualisation is a new technology in 5G networks, which offers benefits for telecom operators in terms of flexibility, scalability, costs, and network management. However, this technology also introduces new security challenges.
The report released today supports national authorities with the implementation of the 5G toolbox, and in particular the recommendation for EU Member States to ensure that Mobile Network Operators follow security good practices for NFV. It explores the relevant challenges, vulnerabilities and attacks pertaining to NFV within the 5G network. It analyses the relevant security controls and recommends best practices to address these challenges and solutions, taking into account the particularities of this highly complex, heterogeneous and volatile environment.
How does it work?
Traditionally, mobile network functions have been implemented using dedicated hardware and networking equipment, built especially for telecom operators and their networks. Network Function Virtualisation is a new technology used in 5G networks to implement networking functions using software, therefore running virtually on top of standard server hardware or standard cloud platforms.
Applying network function virtualisation will therefore reduce operations and maintenance costs.
60 security challenges were identified in the report and classified under 7 categories:
- Virtualisation or containerisation;
- Orchestration and management;
- Administration and access control;
- New and legacy technologies;
- Adoption of open source or COTS;
- Supply chain;
- Lawful interception (LI).
How do we address the security challenges?
The report explores vulnerabilities, attack scenarios and their impact on the 5G NFV assets. The work includes a total of 55 best practices classified under Technical, Policy and Organisational categories.
Some of the key findings of the report include:
- Resource virtualisation:
The virtualisation layer provides unified computing resources based on generalised hardware to the layers above and is the basis of all cloud-native and virtualised network functions and service software. If the virtualisation layer is breached, all network functions come under direct attack with disastrous consequences.
- Resource sharing:
A single physical server may run several different tenants' virtual resources (e.g. virtual machines (VMs) or containers), and a single tenant's virtual resource might be distributed across several physical servers. Multi-tenancy resource sharing and the breaking of physical boundaries introduce the risks of data leaks, data residue and attacks.
- Use of open source:
There will be increasing use of open-source software. This introduces a new set of security challenges in terms of keeping a consistent and coherent approach to security-by-design and prevention of deliberate security flaws.
- Multi-vendor environment:
In such an environment, it remains difficult to coordinate security policies and determine responsibility for security problems, and more effective network security monitoring capabilities are required.
NFV is an important technology in 5G and its security is critical for the overall security of the 5G networks, especially because 5G networks are underpinning critical infrastructures.
The European Union Agency for Cybersecurity (ENISA) delivers a joint report with the European Rail Information Sharing and Analysis Center (ISAC) to support the sectorial implementation of the NIS Directive.
The report released is designed to give guidance on building cybersecurity zones and conduits for a railway system.
The approach taken is based on the recently published CENELEC Technical Specification 50701 and is complemented with guidance to help railway operators with the practical implementation of the zoning process.
The work gathers the experience of the European Rail ISAC and of their members such as European infrastructure managers and railway undertakings, which are Operators of Essential Services (OES) as defined in the Security of Network and Information Systems (NIS) directive and is designed to help them implement the cybersecurity measures needed in the zoning and conduits processes.
A number of requirements are set, such as:
- Identification of all assets and of basic process demands;
- Identification of global corporate risks;
- Performing zoning;
- Checking threats.
A risk assessment process is developed based on standards for the identification of assets and the system considered, and for the partitioning of zones and conduits. The report also addresses the cybersecurity requirements in terms of documentation and suggests a step-by-step approach to follow.
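As an added illustration of the asset identification, zoning and conduit steps described above (this is not code from the ENISA or European Rail ISAC report, and every zone, asset, protocol and flow name is constructed), the following Python model checks observed network flows against a declared zone-and-conduit design and flags assets missing from the inventory, zone crossings with no conduit, and protocols a conduit does not declare:

```python
# Zone-and-conduit check for a railway network model. Added illustration, not
# code from the ENISA / European Rail ISAC report; every zone, asset, protocol
# and flow name below is constructed for the example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Flow = Tuple[str, str, str]     # (source asset, destination asset, protocol)
Finding = Tuple[str, Flow]      # (finding kind, offending flow)


@dataclass(frozen=True)
class Zone:
    name: str
    security_level: int         # target security level, 1 (lowest) to 4 (highest)


@dataclass(frozen=True)
class Conduit:
    """Declared path between two zones and the protocols it is allowed to carry."""
    zone_a: str
    zone_b: str
    protocols: FrozenSet[str]

    def joins(self, x: str, y: str) -> bool:
        return {self.zone_a, self.zone_b} == {x, y}


@dataclass
class RailModel:
    zones: Dict[str, Zone]
    assets: Dict[str, str]      # asset identifier -> zone name (the asset inventory)
    conduits: List[Conduit]

    def conduit_between(self, x: str, y: str) -> Optional[Conduit]:
        return next((c for c in self.conduits if c.joins(x, y)), None)

    def conduit_level(self, c: Conduit) -> int:
        # A conduit has to protect at least to the level of the higher zone it joins.
        return max(self.zones[c.zone_a].security_level,
                   self.zones[c.zone_b].security_level)


def check_flows(model: RailModel, flows: List[Flow]) -> List[Finding]:
    """Compare observed flows with the zoning model and return the deviations:
    unidentified-asset  - an endpoint is missing from the asset inventory
    no-conduit          - a zone boundary is crossed with no declared conduit
    undeclared-protocol - the conduit exists but does not list this protocol
    """
    findings: List[Finding] = []
    for flow in flows:
        src, dst, proto = flow
        zs, zd = model.assets.get(src), model.assets.get(dst)
        if zs is None or zd is None:
            findings.append(("unidentified-asset", flow))
        elif zs == zd:
            continue                # intra-zone traffic needs no conduit
        else:
            conduit = model.conduit_between(zs, zd)
            if conduit is None:
                findings.append(("no-conduit", flow))
            elif proto not in conduit.protocols:
                findings.append(("undeclared-protocol", flow))
    return findings


def build_example_model() -> RailModel:
    # Constructed three-zone model: office IT, operations centre, trackside signalling.
    zones = {z.name: z for z in (Zone("corporate-it", 1),
                                 Zone("operations-centre", 2),
                                 Zone("signalling", 3))}
    assets = {"hr-laptop": "corporate-it",
              "maintenance-server": "operations-centre",
              "traffic-hmi": "operations-centre",
              "interlocking-ctrl": "signalling"}
    conduits = [Conduit("corporate-it", "operations-centre", frozenset({"https"})),
                Conduit("operations-centre", "signalling", frozenset({"signalling-proto"}))]
    return RailModel(zones, assets, conduits)


# Constructed flow records, as a firewall or passive network monitor might export them.
EXAMPLE_FLOWS: List[Flow] = [
    ("traffic-hmi", "interlocking-ctrl", "signalling-proto"),  # declared conduit: ok
    ("traffic-hmi", "maintenance-server", "ssh"),              # same zone: ok
    ("hr-laptop", "maintenance-server", "https"),              # declared conduit: ok
    ("hr-laptop", "maintenance-server", "rdp"),                # protocol not in conduit
    ("hr-laptop", "interlocking-ctrl", "https"),               # no IT-to-signalling conduit
    ("contractor-tablet", "interlocking-ctrl", "https"),       # asset not inventoried
]

if __name__ == "__main__":
    model = build_example_model()
    for kind, (src, dst, proto) in check_flows(model, EXAMPLE_FLOWS):
        print(f"{kind:20s} {src} -> {dst} [{proto}]")
    for c in model.conduits:
        print(f"conduit {c.zone_a} <-> {c.zone_b} must meet SL{model.conduit_level(c)}")
```

Each finding maps back to a step of the process: an unidentified asset means the inventory is incomplete, while a missing conduit or undeclared protocol means either the zoning documentation or the network is wrong and needs revisiting.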
The report is released on the occasion of the General Assembly meeting of the European Rail ISAC which is taking place today.
The EU Agency for Cybersecurity engages closely with the European Rail Agency (ERA) to support the railway sector and is to host a joint event with ERA later this year.
Following Russia’s unprovoked, premeditated attack on Ukraine, the National Cyber Security Centre continues to call upon organisations in the UK, and beyond, to bolster their online defences.
The NCSC – which is a part of GCHQ – has urged organisations to follow its guidance on steps to take when the cyber threat is heightened.
While the NCSC is not aware of any current specific threats to UK organisations in relation to events in and around Ukraine, there has been an historical pattern of cyber attacks on Ukraine with international consequences.
The guidance encourages organisations to follow actionable steps that reduce the risk of falling victim to an attack.
For the NCSC Guidance visit https://www.ncsc.gov.uk/guidance/actions-to-take-when-the-cyber-threat-is-heightened
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint Cybersecurity Advisory today providing an overview of destructive malware that has been used to target organizations in Ukraine as well as guidance on how organizations can detect and protect their networks. The joint Advisory, “Destructive Malware Targeting Organizations in Ukraine,” provides information on WhisperGate and HermeticWiper malware, both used to target organizations in Ukraine.
Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data. While there is no specific, credible threat to the United States at this time, all organizations should assess and bolster their cybersecurity. Some immediate actions that can be taken to strengthen cyber posture include:
- Enable multifactor authentication;
- Set antivirus and antimalware programs to conduct regular scans;
- Enable strong spam filters to prevent phishing emails from reaching end users;
- Update software; and
- Filter network traffic.
“In the wake of continued denial of service and destructive malware attacks affecting Ukraine and other countries in the region, CISA has been working hand-in-hand with our partners to identify and rapidly share information about malware that could threaten the operations of critical infrastructure here in the U.S.,” said CISA Director Jen Easterly. “Our public and private sector partners in the Joint Cyber Defense Collaborative (JCDC), international computer emergency readiness team (CERT) partners, and our long-time friends at the FBI are all working together to help organizations reduce their cyber risk.”
"The FBI, alongside our federal partners, continues to see malicious cyber activity that is targeting our critical infrastructure sector," said FBI Cyber Division Assistant Director Bryan Vorndran. "We are striving to disrupt and diminish these threats; however, we cannot do this alone. We continue to share information with our public and private sector partners and encourage them to report any suspicious activity. We ask that organizations continue to shore up their systems to prevent any increased impediment in the event of an incident."
Executives and leaders are encouraged to review the advisory, assess their environment for atypical channels for malware delivery and/or propagation through their systems, implement common strategies, and ensure appropriate contingency planning and preparation in the event of a cyberattack.
CISA has updated the Shields Up webpage to include new services and resources, recommendations for corporate leaders and chief executive officers, and actions to protect critical assets. Additionally, CISA has created a new Shields Up Technical Guidance webpage that details other malicious cyber activity affecting Ukraine. The webpage includes technical resources from partners to assist organizations against these threats.
Federal agencies with a lead role to assist and protect one or more of the nation's 16 critical infrastructures are referred to as sector risk management agencies (SRMAs). The SRMAs for three of the 16 have determined the extent of their sector's adoption of the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity (framework). In doing so, lead agencies took actions such as developing sector surveys and conducting technical assessments mapped to framework elements. SRMAs for four sectors have taken initial steps to determine adoption (see figure). However, lead agencies for nine sectors have not taken steps to determine framework adoption.
Status of Framework Adoption by Critical Infrastructure Sector
Regarding improvements resulting from sector-wide use, five of the 16 critical infrastructure sectors' SRMAs have identified or taken steps to identify sector-wide improvements from framework use, as GAO previously recommended. For example, the Environmental Protection Agency identified an approximately 32 percent overall increase in the use of framework-recommended cybersecurity controls among the 146 water utilities that requested and received voluntary technical assessments. In addition, SRMAs for the government facilities sector identified improvements in cybersecurity performance metrics and information standardization resulting from federal agencies' use of the framework. However, SRMAs for the remaining 11 sectors did not identify improvements and were not able to describe potential successes from their sectors' use of the framework.
SRMAs reported various challenges to determining framework adoption and identifying sector-wide improvements. For example, they noted that limitations in knowledge and skills to implement the framework, the voluntary nature of the framework, other priorities that may take precedence over framework adoption, and the difficulty of developing precise measurements of improvement were all challenges to measuring adoption and improvements. To help address these challenges, NIST launched an information security measurement program in September 2020, and the Department of Homeland Security has an information network that enables sectors to share best practices. Implementing GAO's prior recommendations on framework adoption and improvements is a key factor that can lead to sectors pursuing further protection against cybersecurity threats.
The U.S. has 16 critical infrastructure sectors that provide clean water, gas, banking, and other essential services. To help protect them, in 2014 the National Institute of Standards and Technology developed cybersecurity standards and procedures that organizations within these sectors may voluntarily use. Federal agencies are charged with leading efforts to improve sector security.
GAO found that agencies have measured the adoption of these standards and procedures for 3 of 16 sectors and have identified improvements across 2 sectors. For example, the EPA found a 32% increase in the use of recommended cybersecurity controls at 146 water utilities.
In 2021, cybersecurity authorities in the United States, Australia, and the United Kingdom observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors. The Australian Cyber Security Centre (ACSC) observed continued ransomware targeting of Australian critical infrastructure entities, including in the Healthcare and Medical, Financial Services and Markets, Higher Education and Research, and Energy Sectors. The United Kingdom’s National Cyber Security Centre (NCSC-UK) recognizes ransomware as the biggest cyber threat facing the United Kingdom. Education is one of the top UK sectors targeted by ransomware actors, but the NCSC-UK has also seen attacks targeting businesses, charities, the legal profession, and public services in the Local Government and Health Sectors.
Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.
This joint Cybersecurity Advisory—authored by cybersecurity authorities in the United States, Australia, and the United Kingdom—provides observed behaviors and trends as well as mitigation recommendations to help network defenders reduce their risk of compromise by ransomware.
TXOne Networks, a global leader in OT zero trust and Industrial IoT (IIoT) security, has published its 2021 Cybersecurity Report which focuses on the vulnerabilities that can affect ICS environments. TXOne Networks' threat researchers conducted in-depth analysis of ICS-affecting vulnerabilities using the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) for ICS, a globally-accessible knowledge base of adversary tactics and techniques found in cyber attacks on ICS environments. The results of this Cybersecurity Report enable TXOne Networks to show cyber threat and research trends from 2021 and previous years that will affect the industrial control system (ICS) environment in 2022. One important observation from the report is that cyber attacks on critical infrastructure can be resisted and made significantly easier to repel by applying the OT zero trust methodology, which includes device inspection, preserving critical applications and services, network segmentation, and virtual patching.
The focus of TXOne Networks' Cybersecurity Report lies especially on the analysis of so-called Common Vulnerabilities and Exposures (CVEs) that can affect ICS environments. These industry-critical vulnerabilities are identified each year by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The MITRE ATT&CK for ICS matrix used by TXOne Networks gives an overview of "tactics" (malicious actors' goals during an attack) as well as the specific "techniques" malicious actors will use to accomplish their goals.
2021's ICS-CERT advisories
ICS-CERT advisories are published when an ICS vulnerability is released that attackers could use to cause harm. According to the Cybersecurity Report, the number of advisories dramatically increased in 2021. There were 389 advisories published, which, compared with 2020's number of 249, shows the largest year-to-year growth in the history of the ICS-CERT program. The ever-increasing number of CVEs affecting ICS environments highlights the near-impossibility of comprehensively addressing each specific vulnerability.
2021 also saw fundamental changes in the methods favored by cyber attackers, as well as more advanced and destructive supply chain attacks than ever before. Known recently-active ransomware groups include Maze, Lockbit, REvil, and DarkSide, though their activity levels can vary.
CVEs affecting ICS environments
Taking a closer look at vulnerabilities in ICS-CERT advisories from 2017 to 2021 classified by affected sector, a huge spike in vulnerabilities affecting Critical Manufacturing clearly stands out: 59.8% of CVEs identified in 2021 advisories are considered critical or high-risk.
While Critical Manufacturing is obviously in the lead, the Cybersecurity Report also shows a spike in CVEs which can be used to affect multiple sectors. Both attackers and researchers are likely to take more interest in these kinds of vulnerabilities in 2022 and 2023, because attackers can potentially exploit the same vulnerability across different kinds of operational environments.
"Our analysis of the 613 CVEs identified in advisories in 2021 that are likely to affect Critical Manufacturing environments shows that 88.8% of them might be leveraged by attackers to create an impact and cause varying degrees of disruption to ICS equipment and the environment," said Dr. Terence Liu, CEO of TXOne Networks. "For ICS environments, impact is a critical concern that includes damage or disruption to finances, safety, human lives, the environment, and equipment."
Supply Chain and Work Site Security
According to the Cybersecurity Report, while ICS-CERT shows information about CVEs that is immediately useful and necessary, it might be missing some information that can streamline the process of addressing them. More complete information provided by the National Vulnerability Database (NVD) can be critical in the creation of Software Bills of Materials (SBOMs) and the prevention of supply chain attacks, but almost 25% of CVEs take more than 3 months to reach this stage of documentation.
This underscores some crucial points. First, from a security point of view, no organization can depend on one source for cybersecurity information. In other words, ICS cybersecurity is a group effort that can't be effectively accomplished without comparing multiple sources of information. Second, due to an extended timeline for information availability, organizations can't rely on vendor patches or even released research to secure operations.