Cybersecurity High-Risk Series: Challenges in Securing Federal Systems and Information

Federal systems are vulnerable to cyberattacks. Our High Risk report identified 10 critical actions for addressing federal cybersecurity challenges.

In this report, the second in a series of four, we cover the 3 actions related to Securing Federal Systems and Information:

- Improve implementation of government-wide cybersecurity initiatives
- Address weaknesses in federal agency information security programs
- Enhance the federal response to cyber incidents to better protect federal systems and information

GAO has made about 712 recommendations in public reports since 2010 with respect to securing federal systems and information. Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them. For more information on this report, visit https://www.gao.gov/cybersecurity.

Improve Implementation of Government-Wide Cybersecurity Initiatives

Federal law assigned five key cybersecurity responsibilities to the Cybersecurity and Infrastructure Security Agency (CISA), including securing federal information and systems, and coordinating federal efforts to secure and protect against critical infrastructure risk. To implement these responsibilities, CISA undertook an organizational transformation initiative aimed at unifying the agency, improving mission effectiveness, and enhancing the workplace experience. In March 2021, we reported that CISA had only completed 37 of 94 planned implementation tasks. Critical transformation tasks such as finalizing the mission-essential functions of CISA’s divisions and defining incident management roles and responsibilities across the agency had not yet been completed.

- We recommended that CISA establish expected completion dates, plans for developing performance measures, and an overall deadline for the completion of the transformation initiative, as well as develop a strategy for comprehensive workforce planning.

Address Weaknesses in Federal Agency Information Security Programs

To protect federal information and systems, the Federal Information Security Modernization Act of 2014 (FISMA) requires federal agencies to develop, document, and implement information security programs. Congress included a provision in FISMA for GAO to periodically report on agencies’ implementation of the act. In March 2022, we reported on the information security programs of 23 federal civilian agencies, including annually required program reviews to be conducted by agency inspectors general (IG). Among other things, we noted that IGs determined that 16 (or 70 percent) of the 23 agencies had ineffective programs for fiscal year 2020.

We found that OMB’s guidance to IGs on conducting agency evaluations was not always clear, leading to inconsistent application and reporting by IGs. Further, we reported that the binary effective/not effective scale resulted in imprecise ratings that did not clearly distinguish among the differing levels of agencies’ performance. By clarifying its guidance and enhancing its rating scale, OMB could help ensure more a more consistent approach and nuanced picture of agencies’ cybersecurity programs.

- GAO recommended that OMB, in consultation with others, clarify its guidance to IGs and create a more precise overall rating scale.

Enhance the Federal Response to Cyber Incidents

DOD and our nation's defense industrial base (DIB) are dependent on information systems to carry out their operations. These systems continue to be the target of cyberattacks, as demonstrated by over 12,000 cyber incidents DOD has experienced since 2015.

In November 2022, we reported DOD has taken steps to combat these attacks and the number of cyber incidents had declined in recent years. However, we found that the department (1) had not fully implemented its processes for managing cyber incidents, (2) did not have complete data on cyber incidents that staff report, and (3) did not document whether it notifies individuals whose personal data is compromised in a cyber incident.

In addition, according to officials, DOD has not yet decided whether DIB cyber incidents detected by cybersecurity service providers should be shared with all relevant stakeholders. Until DOD examines whether this information should be shared with all relevant parties, opportunities could be lost to identify system threats and improve system weaknesses.

- GAO recommended the Department of Defense improve the sharing of DIB-related cyber incident information and document when affected individuals are notified of a PII breach of their data.

NSA, CISA, and MS-ISAC Release Guidance for Securing Remote Monitoring and Management Software

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released the “Protecting Against Malicious Use of Remote Monitoring and Management Software” Cybersecurity Advisory (CSA) today to help network defenders protect against the malicious use of legitimate remote monitoring and management (RMM) software.

RMM software is commonly used by managed service providers (MSPs) and help desks to provide security and/or technical support. The software is intended to enable network management, endpoint monitoring, and remote interaction with hosts for IT-support functions. Malicious use of RMM software allows cybercriminals and advanced persistent threat (APT) actors to bypass anti-virus/anti-malware defenses.

In October, CISA identified a widespread cyber campaign in which cybercriminal actors leveraged RMM software to gain command and control of devices and accounts. Malicious cyber actors could leverage these same techniques to target National Security Systems (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) networks and use legitimate RMM software on both work and home devices and accounts. Other RMM software solutions could be abused to similar effect.

CISA, NSA, and MS-ISAC encourage network defenders to apply mitigations such as the following:

- Audit installed remote access tools to identify RMM software.
- Implement application controls to prevent execution of unauthorized RMM software.
- Use only authorized RMM software on your network over approved remote access solutions, such as VPN or VDI.
- Block both inbound and outbound connections on common RMM ports and protocols.

Read full report at www.media.defense.gov/2023/Jan/25/2003149873/-1/-1/0/JOINT_CSA_RMM.PDF

Bitzlato: senior management arrested

An operation led by French and US authorities, and strongly supported by Europol, has targeted the crypto exchange platform Bitzlato. The globally operating Hong Kong-registered cryptocurrency exchange is suspected of facilitating the laundering of large amounts of criminal proceeds and converting them into roubles. Law enforcement authorities took down the digital infrastructure of the service, based in France, and interrogated leading members of the platform’s management. The operation also involved law enforcement and judicial authorities from Belgium, Cyprus, Portugal, Spain and the Netherlands.

Targeting crucial crime facilitators such as crypto exchanges is becoming a key priority in the battle against cybercrime. Bitzlato allowed the rapid conversion of various crypto-assets such as bitcoin, ethereum, litecoin, bitcoin cash, dash, dogecoin and USDT into Russian roubles. It is estimated that the crypto exchange platform has received a total of assets worth EUR 2.1 billion (BTC 119 000).

While the conversions of crypto-assets into fiat currencies is not illegal, investigations into the cybercriminal operators indicated that large volumes of criminal assets were going through the platform. The analysis indicated that about 46 % of the assets exchanged through Bitzlato, worth roughly EUR 1 billion, had links to criminal activities.

Cryptanalysis uncovered that the majority of suspicious transactions are linked to entities sanctioned by the Office of Foreign Assets Control (OFAC), with others linked to cyber scams, money laundering, ransomware and child abuse material. For example, investigations showed that 1.5 million BTC transactions have been made directly between Bitzlato users and the Hydramarket, taken down in April 2022.

This exchange platform, available both in Russian and English language, rented dedicated servers from a hosting company in France. The coordinated action of the judicial and law enforcement authorities from the different involved countries led to the takedown of the platform, seizures of present financial assets, and further technical analysis.

Cryptoanalysis and international coordination to uncover links

During the first phases of the investigative activities, Europol facilitated the information exchange, provided analytical support linking available data to various criminal cases within and outside the EU, and supported the investigation through the analysis of millions of cryptocurrency transactions.

On the action day, Europol deployed 13 of its experts on the spot (10 in France, 1 in Cyprus, 1 in Spain and 1 in Portugal) and supported the deployment of national investigators in other countries taking part in the operational activities. Europol supported the law enforcement authorities involved with coordination related to cryptocurrency analysis, cross checking of operational information against Europol’s databases, and operational analysis. At this moment, already over 3 500 bitcoin addresses and over a 1 000 Bitzlato user details showed links with various criminal cases reported in Europol’s systems. Analysis of this data and other related cases is expected to trigger further investigative activities.

The impact of cybersecurity in the energy industry

Cyber resilience is a challenge for organizations globally and for the electricity industry in particular. Power systems are among the most complex and critical of all infrastructure types and act as the backbone of economic activity.

Large-scale incidents such as blackouts can have socio-economic ramifications for households, businesses and vital institutions. For example, a six-hour winter blackout in mainland France could result in damages totalling over €1.5 billion ($1.7 billion).

In 2018, the World Economic Forum Centre for Cybersecurity and the Platform for Shaping the Future of Energy, Materials and Infrastructure launched the Cyber Resilience in the Electricity Industry initiative to improve the cyber resilience of global electricity infrastructure. This initiative brought together leaders from more than 50 businesses, governments, civil society and academia to collaborate and develop a clear and coherent cybersecurity vision for protecting the power infrastructure.

Building on the first phase of the initiative, the Forum is now developing a unique exchange platform for cybersecurity leaders across the electricity industry in collaboration with Dragos, EDP, Enel, Hitachi Energy, Iberdrola, Naturgy, Ørsted, Schneider Electric, Siemens Energy, Southern and Vestas. This new platform serves as a central hub where industry experts can exchange knowledge, ideas and best practices to improve cyber resilience as a whole.

By bringing together the leading minds in cybersecurity worldwide, the initiative is fostering collaboration and innovation in this critical field, with the ultimate goal of enhancing the security and reliability of the electricity infrastructure that powers the modern world.

What are the challenges of cybersecurity in the energy industry?

The unprecedented pace of technological change driven by the Fourth Industrial Revolution means that health, transport, communication, production and distribution systems will demand rapidly increasing energy resources to support global digitalization and the advancement of interconnected devices.

Digitalization is driving growth and innovation in the electricity industry and has tremendous potential to deliver shareholder, customer and environmental value. However, new technologies and business models affecting operating assets present both opportunities and risks.

In the past, managing these risks had only meant dealing with issues such as component failure or weather damages, while today’s resilience plans must consider cybersecurity-related threats.

Our approach to strengthening cybersecurity in the energy industry

The Cyber Resilience in the Electricity Industry programme focuses on three main pillars:

- Developing scenarios and use cases that industry executives and boards can use to create a culture of cyber resilience and good governance in the electricity sector.
- Improving the implementation of cyber resilience regulations by fostering dialogue between policy-makers and businesses.
- Improving supply chain resilience by establishing standards for cybersecurity roles and responsibilities across all stakeholders involved to ensure that every entity is taking appropriate steps to protect against cyberthreats.

The initiative has published a series of reports to guide chief executives and board members in meeting the unique challenges of managing cyber risks:

- Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards
- Cyber Resilience in the Electricity Ecosystem: Playbook for Boards and Cybersecurity Officers
- Cyber Resilience in the Electricity Ecosystem: Securing the Value Chain

In 2021, following a request from the European Commission (EC) Energy Directorate, the initiative also developed a collection of 15 lessons learned and recommendations for improvement on the new EC Cybersecurity Directive considering the implications of supply chain attacks and other systemic risks for cybersecurity in the energy industry.

Partnering to Safeguard K–12 organizations from Cybersecurity Threats

CISA has released 'Protecting Our Future: Partnering to Safeguard K–12 organizations from Cybersecurity Threats'. The report provides recommendations and resources to help K-12 schools and school districts address systemic cybersecurity risk. It also provides insight into the current threat landscape specific to the K-12 community and offers simple steps school leaders can take to strengthen their cybersecurity efforts.

The report’s findings state that K-12 organizations need resources, simplicity and prioritization to effectively reduce their cybersecurity risk. To address these issues, CISA provides three recommendations in the report to help K-12 leaders build, operate, and maintain resilient cybersecurity programs:

- Invest in the most impactful security measures and build toward a mature cybersecurity plan.
- Recognize and actively address resource constraints.
- Focus on collaboration and information-sharing.

Along with the report, we are providing an online toolkit which aligns resources and materials to each of CISA’s three recommendations along with guidance on how stakeholders can implement each recommendation based on their current needs. To read the full report and to access the toolkit, visit Protecting Our Future: Partnering to Safeguard K–12 organizations from Cybersecurity Threats.

Your latest issue of Critical Infrastructure Protection & Resilience News has arrived

Please find here your downloadable copy of the Winter 2022-23 issue of Critical Infrastructure Protection & Resilience News for the latest views and news at www.cip-association.org/CIPRNews.

- A Standard to help protect Critical Infrastructure
- Government and Industry Cooperation: More Important Than Ever for Cybersecurity Awareness
- Help2Protect: an eLearning program to counter Insider Threats
- Testing Environments Help S&T and CISA Secure Transportation Infrastructure
- Can responsible AI guidelines keep up with the technology?
- Infrastructure Resilience Planning Framework (IRPF)
- An Interview with Port of New Orleans
- Critical Infrastructure Protection & Resilience North America Preview
- Industry and Agency Reports and News

Download your Critical Infrastructure Protection & Resilience News at www.cip-association.org/CIPRNews

Critical Infrastructure Protection and Resilience News is the official magazine of the International Association of Critical Infrastructure Protection Professionals (IACIPP), a non-profit organisation that provides a platform for sharing good practices, innovation and insights from Industry leaders and operators alongside academia and government and law enforcement agencies.

#CriticalInfrastructureProtection #CriticalInfrastructure #cybersecurity #help2protect #cisa #ciprna #resilience #cooperation

CIPRNA Update Conference Agenda

Critical Infrastructure Protection and Resilience North America will be held in Baton Rouge on 7th-9th March 2023, supported by IACIPP and Infragard Louisiana.

A fanstastic conference agenda addressing some of the big challenges facing CI operator/owners, government, agencies and the broader CI community.

A range of Workshops and Mini-Symposiums help drill deeper into specific sector challenges.

Download the latest CIPRNA agenda at www.ciprna-expo.com/PSG.

Register online at www.ciprna-expo.com/onlinereg

#criticalinfrastructure #criticalinfrastructureprotection #emergencymanagement #cisa #fema #tsa #emergencyresponse #disasterriskreduction #transportsecurity #energysecurity #telecomssecurity #cbrne #cybersecurity #security

Risk information is everybody’s business. Here is why it is a whole-of-society effort

More risk data is produced every day. However, new findings often don't make it out of the scientific silos to the broader public. In the face of false information, it is essential to find new ways of making risk information accessible to everyone.

  • Risk information should provide scientifically sound information, tailored to the everyday concerns of society.
  • Science, private sector, governments, and media need to understand each other’s interests and qualities.
  • A whole-of-society approach calls for all parties to communicate clearly and listen carefully.

Different stakeholders may have different priorities and angles around risk . For example, public leaders may prefer a responsive angle on manifested disasters for strategic reasons, while private developers may not want to stress risks to prevent them from raising a lot of attention.

Establishing collaboration requires dialogues between institutions. This is easily hindered by unclear distribution of responsibilities or language and jargon barriers.

5 ways to enable an all-of-society approach

To create a holistic conversation around risk, stakeholders need to develop strategies for closer collaboration. Here are five enablers that support these dialogues and facilitate effective communication:

1. Building trust

People are willing to collaborate on risk communication when strong relationships are in place. Long-standing partnerships between universities and municipalities, for example, benefit from knowing each other's objectives and differences to build trust and understand each other’s priorities.

2. Clear communication

Clear communication is key when bringing together the private sector, governments, and civil society. Only when all parties understand the different risk scenarios and risk reduction options, can they develop solutions that serve the community. "Knowledge brokers", knowledgeable in various fields, can play an important role in "translating" across sectors and aligning conversations.

3. Financing innovative collaborations

Informative, unbiased risk communication requires independent funding for thorough research and reviewing. Finance for collaboration on risk communication is increasingly important, at a time when independent media are financially constrained by the economic downturn.

4. Understanding each other's needs

Effective collaboration with the media and creative sectors is enabled if all parties understand each other’s needs. For instance, scientists who approach media with interesting stories, written in simple language, show an understanding of media timeframes and requirements. RSuch stories can give insight into how DRR issues affect audiences' everyday lives.

5. Creating incentives

Collaborations can flourish if they clearly benefit all practitioners and rule out reasons for mistrust. Hence, underlining the proactive position of risk communication and the increase in credibility are among the most important steps.

Political figures as well as scientists benefit from early on communication, rewarding them with greater credibility and confidence.

Incentives targeting the private sector may aim at openly informing the greater public about potential risks and in return tailoring their products to meet the consumers' needs.

Within the media and creative sectors, creative and engaging programming that helps audiences feel informed and empowered to act can attract other stakeholders.

Risk communication that serves society

Risk communication should support informed decision-making. Available data needs to be translated into information and actionable knowledge.

Therefore, practitioners of diverse backgrounds need to find new ways of collaboration that highlight shared perspectives, bring together visions, and foster creativity.

Disaster risk is ultimately linked to people's everyday lives and therefore can be explored through a wide range of programming and formats. This is where all stakeholders come together; in providing scientifically sound information, tailored to the everyday concerns of society.

[Source: UNDRR]

NSA, CISA, and ODNI Release Guidance on Potential Threats to 5G Network Slicing

The National Security Agency (NSA), CISA, and the Office of the Director of National Intelligence (ODNI), published Potential Threats to 5G Network Slicing. This guidance—created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA—presents both the benefits and risks associated with 5G network slicing. It also provides mitigation strategies that address potential threats to 5G network slicing.

Building upon the work published in the Enduring Security Framework’s Potential Threat Vectors to 5G Infrastructure, the Enduring Security Framework1 (ESF) established a working panel comprised of government and industry experts and conducted an in-depth review of network slicing, a key component of 5G infrastructure. This working panel assessed the security, risks, benefits, design, deployment, operations, and maintenance of a network slice.

For this guidance, a network slice is defined as an end-to-end logical network that provides specific network capabilities and characteristics for a user.

As with any emerging technology, with increased benefits come increased risks. This guidance intends to introduce 5G stakeholders to the benefits associated with network slicing and introduce perceived risks and management strategies that may address those risks.

The guidance builds upon ESF’s Potential Threat Vectors to 5G Infrastructure, published in 2021.

Critical Infrastructure: Actions Needed to Better Secure Internet-Connected Devices

The USA's 16 critical infrastructure sectors rely on internet-connected devices and systems to deliver essential services, such as electricity and health care. These sectors face increasing cybersecurity threats—an issue on our High Risk list.

Federal agencies that have leadership roles in 3 sectors we reviewed have taken some steps to manage the cybersecurity risks posed by internet-connected devices and systems. But they've not assessed risks to the sectors as a whole. Without a holistic assessment, the agencies can't know what additional cybersecurity protections might be needed.

Cyber threats to critical infrastructure IoT and OT represent a significant national security challenge. Recent incidents—such as the ransomware attacks targeting health care and essential services during the COVID-19 pandemic—illustrate the cyber threats facing the nation's critical infrastructure. Congress included provisions in the IoT Cybersecurity Improvement Act of 2020 for GAO to report on IoT and OT cybersecurity efforts.

This report (1) describes overall federal IoT and OT cybersecurity initiatives; (2) assesses actions of selected federal agencies with a lead sector responsibility for enhancing IoT and OT cybersecurity; and (3) identifies leading guidance for addressing IoT cybersecurity and determines the status of OMB's process for waiving cybersecurity requirements for IoT devices. To describe overall initiatives, GAO analyzed pertinent guidance and related documentation from several federal agencies.

To assess lead agency actions, GAO first identified the six critical infrastructure sectors considered to have the greatest risk of cyber compromise. From these six, GAO then selected for review three sectors that had extensive use of IoT and OT devices and systems. The three sectors were energy, healthcare and public health, and transportation systems. For each of these, GAO analyzed documentation, interviewed sector officials, and compared lead agency actions to federal requirements.

GAO also analyzed documentation, interviewed officials from the selected sectors, and compared those sector's cybersecurity efforts to federal requirements. GAO also interviewed OMB officials on the status of the mandated waiver process.

The nation's critical infrastructure sectors rely on electronic systems, including Internet of Things (IoT) and operational technology (OT) devices and systems. IoT generally refers to the technologies and devices that allow for the network connection and interaction of a wide array of “things,” throughout such places as buildings, transportation infrastructure, or homes. OT are programmable systems or devices that interact with the physical environment, such as building automation systems that control machines to regulate and monitor temperature.

Figure: Overview of Connected IT, Internet of Things (IoT), and Operational Technology

To help federal agencies and private entities manage the cybersecurity risks associated with IoT and OT, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have issued guidance and provided resources. Specifically, CISA has published guidance, initiated programs, issued alerts and advisories on vulnerabilities affecting IoT and OT devices, and established working groups on OT. NIST has published several guidance documents on IoT and OT, maintained a center of cybersecurity excellence, and established numerous working groups. In addition, the Federal Acquisition Regulatory Council is considering updates to the Federal Acquisition Regulation to better manage IoT and OT cybersecurity risks.

Selected federal agencies with a lead role have reported various cybersecurity initiatives to help protect three critical infrastructure sectors with extensive use of IoT or OT devices and systems.

Title: Sector Lead Agencies' Internet of Things (IoT) or Operational Technology (OT) Cybersecurity Initiatives

Sector (Lead Federal Agency)

Examples of IoT or OT Initiatives

Energy (Department of Energy)

Considerations for OT Cybersecurity Monitoring Technologies guidance provides suggested evaluation considerations for technologies to monitor OT cybersecurity of systems that, for example, distribute electricity through the grid.

Cybersecurity for the Operational Technology Environment methodology aims to enhance energy sector threat detection of anomalous behavior in OT networks, such as electricity distribution networks.

Healthcare and public health (Department of Health and Human Services)

Pre-market Guidance for Management of Cybersecurity identifies issues related to cybersecurity for manufacturers to consider in the design and development of their medical devices, such as diagnostic equipment.

Post-market Management of Cybersecurity in Medical Devices provides recommendations for managing cybersecurity vulnerabilities for marketed and distributed medical devices, such as infusion pumps.

Transportation systems (Departments of Homeland Security and Transportation)

Surface Transportation Cybersecurity Toolkit is designed to provide informative cyber risk management tools and resources for control systems that, for example, function on the mechanics of the vessel.

Department of Homeland Security's Transportation Security Administration's Enhancing Rail Cybersecurity Directive requires actions, such as conducting a cybersecurity vulnerability assessment and developing of cybersecurity incident response plans for higher risk railroads.

Source: GAO analysis of agency documentation │ GAO-23-105327

However, none of the selected lead agencies had developed metrics to assess the effectiveness of their efforts. Further, the agencies had not conducted IoT and OT cybersecurity risk assessments. Both of these activities are best practices. Lead agency officials noted difficulty assessing program effectiveness when relying on voluntary information from sector entities. Nevertheless, without attempts to measure effectiveness and assess risks of IoT and OT, the success of initiatives intended to mitigate risks is unknown.

The Internet of Things Cybersecurity Improvement Act of 2020 generally prohibits agencies from procuring or using an IoT device after December 4, 2022, if that device is considered non-compliant with NIST-developed standards. Pursuant to the act, in June 2021 NIST issued a draft guidance document that, among other things, provides information for agencies, companies and industry to receive reported vulnerabilities and for organizations to report found vulnerabilities. The act also requires the Office of Management and Budget (OMB) to establish a standardized process for federal agencies to waive the prohibition on procuring or using non-compliant IoT devices if waiver criteria detailed in the act are met.

As of November 22, 2022, OMB had not yet developed the mandated process for waiving the prohibition on procuring or using non-compliant IoT devices. OMB officials noted that the waiver process requires coordination and data gathering with other entities. According to OMB, it is targeting November 2022 for the release of guidance on the waiver process. Given the act's restrictions on agency use of non-compliant IoT devices beginning in December 2022, the lack of a uniform waiver process could result in a range of inconsistent actions across agencies.

1 2 3 21